Generating FIPS compliant PKCS12 files with OpenSSL

Over the last couple of weeks I’ve been plagued with the best way to generate pfx files for Windows systems to use FIPS compliant certs. There was particularly trying piece of software that was validating the certificate, and it kept coming back as failed, with little output as to why.

After talking with the developers, It turns out it was checking the ciphers in use on the bags were compliant, and by default OpenSSL’s RC2-40 is definitely not on the list of FIPS compliant ciphers.

So after much trial and error, and looking at the list-cipher-algorithms I settled on the following:

openssl pkcs12 -export -aes256 -out server.pfx -inkey server.key -in server.crt -CAfile ca.crt -chain -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256

It should be noted that it’s your responsibility to generate a server key within the FIPS standards.


If you are getting an Error unable to get issuer certificate getting chain. from openssl, make sure that you grab the entire CA chain.

If you need to convert from DER to PEM for cat’ing in to the ca.crt:

openssl x509 -inform DER -in provider.der -out ca-root.pem

Leave a reply