Certificate requirements and troubleshooting
Make sure your certificates conform to these requirements:
- Certificates must be in PKCS 12 format: Certificate Authority (CA), public key, and private key, all in the same file.
- The PKCS 12 file must end with the extension .p12 or .pfx.
- The PKCS 12 file must be password-protected.
There are many sources of certificates:
- Your own internal certification authority (CA)
- A well-known public CA
- Tools from the Internet, such as OpenSSL's keytool command. For example, the following is sufficient to generate a PKCS 12 certificate that is usable with Good Control; substitute your own values for the alias, the keystore name, and the keystore password. If in doubt, consult information on the Internet about all the possible options of the keytool command:
keytool -genkeypair -alias good123 -keystore good123.pfx -storepass good123 -validity 365 -keyalg RSA -keysize 2048 -storetype pkcs12
Beware of weak ciphers from export
Personal Information Exchange (PKCS 12) files are encrypted, and they must be
encrypted with FIPS-strength ciphers if they are to be used while FIPS is enabled in the
employee's security policy.
For maximum interoperability with other systems, it is common
for third-party applications, for example the macOS keychain, to export identity
material (credentials) using weak ciphers.
The administrator or employee can use a tool such as the OpenSSL command
line to re-encrypt the file with a FIPS-strength cipher. The following commands
re-encrypt the file with the AES-128-CBC cipher:
openssl pkcs12 -in weak.p12 -nodes -out decrypted.pem
<enter password>
openssl pkcs12 -export -in decrypted.pem -keypbe AES-128-CBC -certpbe AES-128-CBC -out strong.p12
<enter password>
rm decrypted.pem
The intermediate decrypted.pem contains the private key unencrypted, so remove it as soon as the export finishes.
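As an added example (not part of the original guide), the following POSIX shell functions inspect a PKCS 12 file with openssl pkcs12 -info to flag RC2 or 3DES export ciphers before the file is uploaded, and wrap the two re-encryption commands above so that the unencrypted intermediate PEM lives in a private temporary directory that is removed even if a step fails. It assumes the openssl command line is installed and that the file password is exported in the P12_PASS environment variable; file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes the openssl command line
# is installed and that the PKCS 12 password is exported in P12_PASS so it does
# not appear on the command line. File names are placeholders.

# Read `openssl pkcs12 -info -noout` output on stdin and print one line per
# encrypted container, tagged "weak" or "strong". Only AES (PBES2) counts as
# FIPS-strength; the RC2 and 3DES ciphers produced by typical exports do not.
classify_p12_info() {
    grep -E 'Encrypted data:|Shrouded Keybag:' | while IFS= read -r line; do
        alg=${line#*: }             # drop "PKCS7 Encrypted data: " / "Shrouded Keybag: "
        alg=${alg%%, Iteration*}    # keep only the algorithm description
        case "$alg" in
            *AES-128-CBC*|*AES-192-CBC*|*AES-256-CBC*) printf 'strong %s\n' "$alg" ;;
            *)                                         printf 'weak %s\n' "$alg" ;;
        esac
    done
}

# Return 0 if every container in the file is AES-encrypted, 1 if any is weak,
# 2 if the file cannot be read (wrong password, not PKCS 12, missing file).
p12_is_fips_strength() {
    info=$(openssl pkcs12 -info -noout -in "$1" -passin env:P12_PASS 2>/dev/null) || return 2
    if printf '%s\n' "$info" | classify_p12_info | grep -q '^weak '; then
        return 1
    fi
    return 0
}

# Re-encrypt $1 into $2 with AES-128-CBC using the same two openssl commands as
# the procedure above. The intermediate PEM holds the private key unencrypted
# (-nodes), so it is written to a private temp dir that is removed on exit.
reencrypt_p12() {
    tmpdir=$(mktemp -d) || return 1
    chmod 700 "$tmpdir"
    trap 'rm -rf "$tmpdir"' EXIT
    openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS -out "$tmpdir/decrypted.pem" || return 1
    openssl pkcs12 -export -in "$tmpdir/decrypted.pem" \
        -keypbe AES-128-CBC -certpbe AES-128-CBC \
        -passout env:P12_PASS -out "$2" || return 1
    rm -rf "$tmpdir"
    trap - EXIT
}
```

Call it as P12_PASS=... then p12_is_fips_strength weak.p12 and, if that returns 1, reencrypt_p12 weak.p12 strong.p12. On OpenSSL 3, a file encrypted with RC2 can only be read with the additional -legacy option (legacy provider loaded), so the check returns 2 rather than 1 for such files unless you add it.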