FortiManager
farhanahmed
Staff
Article Id 313052
Description: This article describes how to resolve the wrong password error when loading an OpenSSL-generated PKCS#12 certificate into FortiManager/FortiAnalyzer via FTP. OpenSSL is not endorsed or supported by Fortinet.
Scope: FortiManager v7.4.2, FortiAnalyzer v7.4.2, OpenSSL.
Solution:
  • Loading an OpenSSL-generated PKCS#12 certificate into FortiManager/FortiAnalyzer using FTP returns the error:

FMG-VM64 # execute certificate local import-pkcs12 ftp <IP:port> <filename> <server username> <server password> <cert password> <name for cert>
Starting transfer PKCS#12 file from FTP server...
Transferred 0.003M of 0.003M in 0:00:00s (0.021M/s)
Starting import PKCS#12 file...
Failed: could not load the shared library (wrong password?)
Failed.
Command fail. Return code -26

  • The error occurs when the password is in fact incorrect.
  • It can also occur when the certificate was generated with an older OpenSSL version, which most often uses weak encryption algorithms.
  • As of FortiManager/FortiAnalyzer v7.4.2, the supported OpenSSL version is upgraded to v3.1.2.
  • Regenerate the certificate using the latest version of OpenSSL (v3.1.2 or higher).
  • Load the new certificate into FortiManager/FortiAnalyzer:

FMG-VM64 # execute certificate local import-pkcs12 ftp <IP:port> <filename> <server username> <server password> <cert password> <name for cert>
Starting transfer PKCS#12 file from FTP server...
Transferred 0.004M of 0.004M in 0:00:00s (0.164M/s)
Starting import PKCS#12 file...
Done.
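
Before uploading, the PKCS#12 file can be checked locally to tell a genuinely wrong password apart from legacy encryption. The script below is an added example, not Fortinet code; it assumes the weak algorithms referred to above are the OpenSSL 1.x PKCS#12 defaults (the pbeWithSHA1And... schemes), and its sample text is constructed in the format `openssl pkcs12 -info` prints.

```shell
#!/bin/sh
# Added example, not Fortinet code. Classifies the text printed by
#   openssl pkcs12 -info -noout -in FILE -passin pass:PASSWORD 2>&1
# (append -legacy on OpenSSL 3.x if the file is unreadable without it).

# Reads that text on stdin and prints one word:
#   legacy  - a bag uses a PKCS#12 v1 scheme (pbeWithSHA1And...), the OpenSSL 1.x default
#   modern  - every encrypted bag uses PBES2 (the OpenSSL 3.x default)
#   unknown - no encrypted bag lines were recognised (e.g. the password was rejected)
classify_p12_info() {
    awk '
        /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
            if ($0 ~ /pbeWithSHA1And/) legacy++
            else if ($0 ~ /PBES2/)     modern++
        }
        END {
            if (legacy)      print "legacy"
            else if (modern) print "modern"
            else             print "unknown"
        }'
}

# Constructed samples in the format OpenSSL prints; not captured from a real file.
SAMPLE_OLD='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

SAMPLE_NEW='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

printf '%s\n' "$SAMPLE_OLD" | classify_p12_info   # legacy
printf '%s\n' "$SAMPLE_NEW" | classify_p12_info   # modern
```

A file reported as legacy can be rebuilt on OpenSSL 3.x with `openssl pkcs12 -export -inkey key.pem -in cert.pem -out new.p12`, where `key.pem`, `cert.pem` and `new.p12` are placeholder names.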

Related documents:

Certificate - CLI Reference

Technical Tip: How to generate certificates using OpenSSL

Technical Tip: Certificate Generation with FIPS Enabled on FortiAnalyzer and FortiGate