- Client certificates must be in PKCS12 format, with the CA certificate, the client certificate (public key), and the private key in the same file.
- The PKCS12 file must have a .p12 or .pfx extension
- The PKCS12 file must be password-protected
- The source of the certificate can be your own internal CA, a well-known public CA, or a tool such as OpenSSL or the Java keytool. You can use the following keytool example to generate a certificate, substituting your own values as required:
```shell
keytool -genkeypair -alias good123 -keystore good123.pfx -storepass good123 -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
```
- If the organization’s security policy uses FIPS standards, Personal Information Exchange (PFX) files must be encrypted with FIPS-strength ciphers. If PFX files use a weak cipher, which is common when third-party applications export identity material, you can use a tool like OpenSSL to re-encrypt the files with a FIPS-strength cipher. See the following example:
```shell
openssl pkcs12 -in weak.p12 -nodes -out decrypted.pem   # enter the import password when prompted
openssl pkcs12 -export -in decrypted.pem -keypbe AES-128-CBC -certpbe AES-128-CBC -out strong.p12   # enter the new export password when prompted
rm decrypted.pem   # -nodes wrote the private key to decrypted.pem unencrypted, so remove it as soon as strong.p12 exists
```
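A check for the FIPS requirement above that does not need the file's password, added here as an example and not part of the original documentation: the AlgorithmIdentifiers protecting the certificate bags and the shrouded key bag are stored in the clear in the PKCS12 structure, so a strict DER walk reveals them. The sample DER at the bottom is constructed (an abbreviated PBES2 parameter structure, not a real .p12), and the `fips_ok` verdict mirrors this page's target of AES-CBC with no legacy PBES1 scheme.

```python
"""Report which PBE schemes protect a PKCS#12 (.p12/.pfx) file, without its password."""
import sys

LEGACY_PBES1 = {  # RFC 7292 Appendix C schemes: the usual "weak cipher" in third-party exports
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4", "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC", "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC", "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC"}
AES_CBC = {"2.16.840.1.101.3.4.1.2": "aes128-CBC", "2.16.840.1.101.3.4.1.22": "aes192-CBC",
           "2.16.840.1.101.3.4.1.42": "aes256-CBC"}  # PBES2 schemes; -keypbe/-certpbe AES-128-CBC selects the first

def _walk(buf):  # strict DER walk: returns every OBJECT IDENTIFIER, raises ValueError on non-DER bytes
    i, oids = 0, []
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long-form length; 0x80 alone is BER indefinite length, which DER forbids
            n = length & 0x7F
            if n == 0: raise ValueError("indefinite length is BER, not DER")
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        body, i = buf[i:i + length], i + length
        if len(body) != length: raise ValueError("truncated element")
        if tag == 0x06:  # OID: first byte packs the first two arcs, the rest are base-128 groups
            val, parts = 0, [str(body[0] // 40), str(body[0] % 40)]
            for b in body[1:]:
                val = (val << 7) | (b & 0x7F)
                if not b & 0x80:
                    parts.append(str(val)); val = 0
            oids.append(".".join(parts))
        elif tag & 0x20:  # constructed (SEQUENCE, SET, [n]): descend
            oids.extend(_walk(body))
        elif tag == 0x04:  # OCTET STRING: PKCS#12 nests DER here; ciphertext fails the walk and is skipped
            try: oids.extend(_walk(body))
            except (ValueError, IndexError): pass
    return oids

def check_pkcs12(der):  # fips_ok mirrors the page's target: AES-protected bags and no PBES1 scheme anywhere
    found = set(_walk(der))
    legacy = sorted(LEGACY_PBES1[o] for o in found.intersection(LEGACY_PBES1))
    aes = sorted(AES_CBC[o] for o in found.intersection(AES_CBC))
    return {"legacy": legacy, "aes": aes, "fips_ok": not legacy and bool(aes)}

def _tlv(tag, body):  # minimal DER encoder (short-form lengths) used only for the constructed sample
    return bytes([tag, len(body)]) + body
# Constructed sample, not a real .p12: an RC2-40 PBES1 AlgorithmIdentifier inside an OCTET STRING
# (the cert-bag layout older exporters produce) next to an abbreviated PBES2/AES-128-CBC identifier.
RC2_40 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010c0106")) + _tlv(0x30, _tlv(0x04, b"\x01" * 8) + _tlv(0x02, b"\x08\x00")))
AES128 = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01050d")) + _tlv(0x30, _tlv(0x06, bytes.fromhex("608648016503040102")) + _tlv(0x04, b"\x02" * 16)))
SAMPLE_WEAK, SAMPLE_FIXED = _tlv(0x30, _tlv(0x04, RC2_40) + AES128), _tlv(0x30, _tlv(0x04, AES128))

if __name__ == "__main__":  # usage: python check_p12.py strong.p12 (falls back to the constructed sample)
    print(check_pkcs12(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WEAK))
```

On a real file, `openssl pkcs12 -info -in file.p12 -noout` prints the same scheme names once the password is supplied, which is a useful cross-check of this parser's output.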