Certificate requirements

  • Client certificates must be in PKCS12 format, with the Certificate Authority (CA), public key, and private key in the same file.
  • The PKCS12 file must have a .p12 or .pfx extension.
  • The PKCS12 file must be password-protected.
  • The source of the certificate can be your own internal CA, a well-known public CA, or an online tool such as 
     or the 
     keytool. You can use the following keytool example to generate a certificate, substituting your own values as required: 
keytool -genkeypair -alias good123 -keystore good123.pfx -storepass good123 -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
  • If the organization’s security policy uses FIPS standards, Personal Information Exchange files must be encrypted with FIPS-strength ciphers. If Personal Information Exchange files use a weak cipher, which is common for third-party applications when exporting identity material, you can use a tool like 
     to re-encrypt the files with a FIPS-strength cipher. See the following example:
openssl pkcs12 -in weak.p12 -nodes -out decrypted.pem
<enter password>
openssl pkcs12 -export -in decrypted.pem -keypbe AES-128-CBC -certpbe AES-128-CBC -out strong.p12
<enter password>
rm decrypted.pem