Operations Console PKCS#12 SSL Certificate Import Fails with "Your Password Is Incorrect"
Originally Published: 2016-10-13
Article Number: 000042818
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue
  • When importing a PKCS#12 SSL console certificate into the RSA Authentication Manager Operations Console, the import fails with a password error — even though the password is confirmed correct and the same file imports successfully in other tools.

    Observable symptoms:

  • Importing the .pfx or .p12 certificate file in the Operations Console produces the following error: 
    Your password is incorrect. Correct your password, and try again.


  • The same .pfx or .p12 file imports successfully into Internet Explorer using the identical password, confirming the password itself is not the issue.
  • The following key error is logged in /opt/rsa/am/server/logs/ops-console.log:
    GUILog.traceException(587) | exception: 
    com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
    at com.rsa.ims.security.tools.ssl.ImportSSLCertConsoleHelper.importP12File(ImportSSLCertConsoleHelper.java:573)

  • Attempting to import the certificate manually using Java Keytool produces the following error: 
    keytool error: java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40
    java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40

    NOTE: The ops-console.log error reveals the true cause — the issue is not a wrong password but a FIPS 140-2 algorithm incompatibility. The Operations Console surfaces this internally as a password error, which can make this issue difficult to diagnose without checking the log.

Cause

The PKCS#12 certificate file was encrypted by the Certificate Authority (CA) using the RC2 algorithm (PBE/PKCS12/SHA1/RC2/CBC/40), which is not permitted in FIPS 140-2 mode. Authentication Manager operates in FIPS 140-2 mode by default and cannot process the file — but instead of reporting an algorithm error, the Operations Console surfaces it as a password error.

This commonly occurs when the Certificate Signing Request (CSR) was generated by a third-party tool (such as Entrust or Venafi) rather than by the Operations Console itself. When a third-party tool generates the CSR, the CA returns a PKCS#12 file (.pfx or .p12) that includes the private key and is password-protected using the CA's default encryption algorithm — which may not be FIPS 140-2 compliant.

In addition to the password error in the UI, the following log entries confirm the true cause:

/opt/rsa/am/server/logs/ops-console.log:
Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40

/opt/rsa/am/server/logs/imsTrace.log:
com.rsa.ims.security.tools.ssl.exception.InvalidCertificateException: MacData.MacData: MAC Verification failed

Resolution

The permanent resolution is to request a new PKCS#12 certificate file from your Certificate Authority (CA) encrypted with a FIPS 140-2 compliant algorithm.


  1. Contact your Certificate Authority (Entrust, Venafi, or equivalent) and request a new PKCS#12 certificate response file for the same CSR.
  2. Specify that the PKCS#12 file must be encrypted using a FIPS 140-2 compliant algorithm. The required algorithm depends on your Authentication Manager version:

     Authentication Manager Version    Required Algorithm
     8.8 and earlier                   PBE-SHA1-3DES or AES-256-CBC
     8.9 and later                     AES-256-CBC


CAUTION: Using PBE-SHA1-3DES on Authentication Manager 8.9 or later will result in the same import failure. Confirm your version before making this request to your CA.


  3. Once you receive the new .pfx or .p12 file, log in to the Operations Console.
  4. Navigate to Deployment Configuration > Certificates > Console Certificate Management.
  5. Click Import Certificate.
  6. Browse to the new .pfx or .p12 file.
  7. Enter the certificate password and click Import.

Verification: Confirm the import completes without errors. Navigate to Deployment Configuration > Certificates > Console Certificate Management and verify the new certificate appears in the certificate list with the correct expiry date and subject name.

NOTE: If your CA is unable to re-issue the certificate immediately, refer to the Workaround section below to re-export the existing PKCS#12 file using a FIPS-compliant algorithm with OpenSSL — this allows you to proceed with the import while waiting for the CA to provide a new file.

Workaround

This is a temporary workaround. Use this procedure when your CA cannot immediately re-issue the certificate using a FIPS-compliant algorithm. This workaround re-exports your existing PKCS#12 file using OpenSSL with a FIPS 140-2 compliant cipher, allowing you to import it into the Operations Console. It does not change the certificate itself — the same certificate and private key are preserved; only the encryption wrapper is replaced.

OpenSSL is included with the Authentication Manager installation and does not require a separate installation.

Part 1: Extract the Certificate and Private Key into a PEM File


  1. Log in to the Authentication Manager primary server via SSH as rsaadmin. 
  2. Extract the certificate and private key from the original PKCS#12 file into an intermediate PEM file: 
    openssl pkcs12 -in <PKCS12-filename>.pfx -out <intermediate>.pem -nodes

    When prompted, enter the current certificate password. Expected output:

    Enter Import Password: <enter password>
    MAC verified OK
  3. Confirm the intermediate PEM file was created:
     ls /tmp/<intermediate>.pem

Part 2: Re-export as a FIPS-Compliant PKCS#12 File


  1. Run the appropriate command for your Authentication Manager version:
    For Authentication Manager 8.8 and earlier (PBE-SHA1-3DES or AES-256-CBC):
    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in <intermediate>.pem -out <new-filename>.pfx -name "<hostname>"

    For Authentication Manager 8.9 and later (AES-256-CBC only):

    openssl pkcs12 -keypbe AES-256-CBC -certpbe AES-256-CBC -export -in <intermediate>.pem -out <new-filename>.pfx -name "<hostname>"

    When prompted, set a new export password for the re-exported file. Expected output:

    Enter Export Password: <enter export password>
    Verifying - Enter Export Password: <enter export password>

  2. Confirm the new PKCS#12 file was created:
    ls /tmp/<new-filename>.pfx

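Both the Cause section (a PKCS#12 file wrapped with RC2/CBC/40) and the re-export above come down to one question: which password-based encryption (PBE) algorithms does the .pfx actually carry? The following Python script is an added example, not RSA code and not part of this article. It walks the DER structure of a PKCS#12 file, lists the PBE and cipher OIDs it finds, and reports whether each is allowed for the Authentication Manager version given, using the version table from the Resolution section. The OID-to-name table is the standard PKCS#12/PKCS#5 assignment; the allowed sets are taken from this article and anything not in the table is reported as not allowed. The sample structure built by build_sample_p12 is constructed for the demonstration (it mimics the PKCS#12 nesting but is not a loadable .pfx), and the file name p12_pbe_check.py is hypothetical.

```python
"""Report the PBE algorithms inside a PKCS#12 (.pfx/.p12) file so a FIPS 140-2
rejection by Authentication Manager can be predicted before the import is tried.
Added example, standard library only; minimal DER walker (no high tag numbers)."""
import sys

# PKCS#12 PBE OIDs, the PKCS#5 PBES2 wrapper and the ciphers it commonly wraps.
# ALLOWED_BY_VERSION follows this article's table; anything else is NOT allowed.
KNOWN = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",  # OpenSSL PBE-SHA1-3DES
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",  # the RC2/CBC/40 in the log
    "1.2.840.113549.1.5.13": "PBES2",  # wrapper: the nested cipher OID decides
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",  # OpenSSL -keypbe/-certpbe AES-256-CBC
    "1.2.840.113549.3.7": "des-ede3-CBC",  # 3DES under PBES2; not in the article's table
}
ALLOWED_BY_VERSION = {"8.8": {"pbeWithSHAAnd3-KeyTripleDES-CBC", "PBES2", "aes256-CBC"},
                      "8.9": {"PBES2", "aes256-CBC"}}

def _read_tlv(buf, pos):
    """One DER TLV at buf[pos] -> (tag, constructed, value, next_pos)."""
    if pos + 1 >= len(buf) or (buf[pos] & 0x1F) == 0x1F:
        raise ValueError("truncated or unsupported TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def _decode_oid(value):
    """OID content bytes -> dotted string (base-128 arcs; the first byte packs two)."""
    if not value:
        raise ValueError("empty OID")
    arcs, cur = ([2, value[0] - 80] if value[0] >= 80 else [value[0] // 40, value[0] % 40]), 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def encode_oid(dotted):
    """Inverse of _decode_oid, returning a full OID TLV (used to build samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.insert(0, (a & 0x7F) | 0x80)
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)

def collect_oids(buf):
    """All OIDs in buf, in order; OCTET STRINGs are descended too, because PKCS#12
    nests DER inside them (authSafe, each Data content); ciphertext fails and is skipped."""
    found, pos = [], 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(_decode_oid(value))
        elif constructed:
            found += collect_oids(value)
        elif tag == 0x04:
            try:
                found += collect_oids(value)
            except ValueError:
                pass
    return found

def classify(buf, am_version):
    """[(oid, name, allowed)] per known PBE/cipher OID; am_version is "8.8" or "8.9"."""
    allowed = ALLOWED_BY_VERSION[am_version]
    return [(o, KNOWN[o], KNOWN[o] in allowed) for o in collect_oids(buf) if o in KNOWN]

def fips_import_ok(buf, am_version):
    """True only if at least one PBE was found and every one is allowed."""
    report = classify(buf, am_version)
    return bool(report) and all(ok for _, _, ok in report)

def _tlv(tag, content):
    """DER TLV with a minimal short/long-form length (sample construction only)."""
    n = len(content)
    head = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + head + content

def build_sample_p12(pbe_oid, pbes2_cipher_oid=None):
    """Constructed stand-in for a .pfx (not loadable by OpenSSL): PFX -> authSafe OCTET
    STRING -> EncryptedData -> AlgorithmIdentifier nesting with dummy salt, IV, ciphertext."""
    if pbes2_cipher_oid:  # PBES2 params carry the cipher as a nested AlgorithmIdentifier
        params = _tlv(0x30, _tlv(0x30, encode_oid(pbes2_cipher_oid) + _tlv(0x04, bytes(16))))
    else:  # legacy pkcs-12PbeParams: salt, iterations
        params = _tlv(0x30, _tlv(0x04, bytes(range(1, 9))) + _tlv(0x02, b"\x08\x00"))
    alg = _tlv(0x30, encode_oid(pbe_oid) + params)
    enc_content = _tlv(0x30, encode_oid("1.2.840.113549.1.7.1") + alg
                       + _tlv(0x80, b"\xde\xad\xbe\xef" * 8))  # [0] IMPLICIT ciphertext
    enc_data = _tlv(0x30, encode_oid("1.2.840.113549.1.7.6") + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x00") + enc_content)))
    auth_safe = _tlv(0x04, _tlv(0x30, enc_data))
    return _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, encode_oid("1.2.840.113549.1.7.1") + _tlv(0xA0, auth_safe)))

if __name__ == "__main__":  # usage: python p12_pbe_check.py [file.pfx] [8.8|8.9]
    version = sys.argv[2] if len(sys.argv) > 2 else "8.9"
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_p12("1.2.840.113549.1.12.1.6")
    for oid, name, ok in classify(data, version):
        print(f"{oid:26} {name:34} {'allowed' if ok else 'NOT allowed'}")
    print("Operations Console import expected to", "succeed" if fips_import_ok(data, version) else "fail")
```

Run it first against the original CA file to see the RC2-40 wrapper the Cause section describes, then against the re-exported <new-filename>.pfx with your version ("8.8" or "8.9") before attempting the console import; a PBE-SHA1-3DES file passes for 8.8 and fails for 8.9, matching the CAUTION above. Where OpenSSL is available, openssl pkcs12 -info -noout -in <file>.pfx prints the same algorithm names after prompting for the import password; the script needs no password because the algorithm identifiers sit outside the encrypted content. Because the -nodes export in Part 1 wrote the private key to the intermediate PEM unencrypted, delete that PEM once the new .pfx has been verified.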

Part 3: Import the New PKCS#12 File into the Operations Console


  1. Log in to the Operations Console.
  2. Navigate to Deployment Configuration > Certificates > Console Certificate Management.
  3. Click Import Certificate.
  4. Browse to the new .pfx file generated in Part 2, Step 1.
  5. Enter the export password set in Part 2, Step 1, and click Import.

Verification: Confirm the import completes without errors. Navigate to Deployment Configuration > Certificates > Console Certificate Management and verify the new certificate appears in the certificate list with the correct expiry date and subject name.

Notes

Secondary Error: "This Certificate or Its Signing CA Is Not Valid"

If the import fails with the following error instead of the password error:

This certificate or its signing CA is not valid.

This indicates one of the following conditions, each of which is a separate issue from the FIPS algorithm problem described in this article:

  • The FQDN of the Authentication Manager server does not match the Common Name (CN) in the certificate's subject field. Verify that the CN in the certificate matches the fully qualified hostname of the server where you are importing it.

  • The private key is missing from the PKCS#12 file. This can happen if the CSR was generated by the Operations Console (not a third-party tool); in that case, the CA response is typically in PKCS#7 format and does not include a private key.

  • A private key is unexpectedly present in a PKCS#7 certificate response file, which Authentication Manager does not expect.