FIPS-compliant algorithm

FIPS compliance is necessary to work with some US-based companies and US government institutions. To be FIPS-compliant, you must ensure your certificate and key are generated with the correct algorithm. FIPS-compliant algorithms can be found here.

The algorithm is determined during the CSR generation process. You can also change the algorithm after you've purchased a certificate from us. To make a certificate key pair that uses a FIPS-compliant algorithm, you'll need to use OpenSSL.

Check algorithm

First confirm that the encryption algorithm in use is actually the problem. Run the following command using OpenSSL:

    openssl pkcs12 -info -in filename.pfx -noout

If the encryption algorithm(s) are not in this list, then the algorithm(s) are not FIPS-compliant.

Change algorithm

The solution is to configure the certificate and key to use a FIPS-compliant algorithm. Any compliant algorithm will work, but we'll use PBE-SHA1-3DES as an example for this manual. First, you'll need to convert your .pfx to a .pem file using OpenSSL. Run the following command:

    openssl pkcs12 -in filename.pfx -out filename.pem

The resulting .pem file contains your private key, so store it securely and delete it once the new .pfx has been created.

Now that you have a .pem file, you can generate a new .pfx file with a different, FIPS-compliant algorithm. Run the following command:

    openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in filename.pem -out file.pfx

The newly generated .pfx file now uses a FIPS-compliant algorithm.
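
A scripted version of the "Check algorithm" step, useful for confirming the result before and after the re-export. This is an added example, not part of the original article: check_pbe is a hypothetical helper name, ALLOWED is an assumption standing in for the linked list of compliant algorithms, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): classify the encryption
# algorithms that `openssl pkcs12 -info -noout` reports for a .pfx file.

# ASSUMPTION: stand-in for the linked list of compliant algorithms. Only the
# article's own example is listed, by the long name that -info prints for
# PBE-SHA1-3DES. Extend it from the list you are required to follow.
ALLOWED='pbeWithSHA1And3-KeyTripleDES-CBC'

# Reads -info output on stdin and prints one verdict line per encrypted bag.
# Returns 0 if every algorithm is allowed, 1 if any is not, 2 if none found.
check_pbe() {
    awk -v allowed="$ALLOWED" '
        BEGIN { bad = 0; n = split(allowed, a, " ")
                for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            bag = $0; sub(/: .*/, "", bag)        # bag type, left of the colon
            alg = $0; sub(/^[^:]*: /, "", alg)    # algorithm and parameters
            sub(/, Iteration.*/, "", alg)         # drop the iteration count
            verdict = (alg in ok) ? "OK" : "NOT-ALLOWED"
            if (verdict != "OK") bad = 1
            printf "%s: %s %s\n", bag, alg, verdict
            seen = 1
        }
        END { if (!seen) exit 2; exit bad }
    '
}

# Constructed sample: certificate bag protected with 40-bit RC2.
SAMPLE_BEFORE='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Constructed sample: after re-export with -keypbe/-certpbe PBE-SHA1-3DES.
SAMPLE_AFTER='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

# Demo on the samples. Real use (2>&1 in case the info lines go to stderr):
#   openssl pkcs12 -info -in filename.pfx -noout 2>&1 | check_pbe
printf '%s\n' "$SAMPLE_BEFORE" | check_pbe || echo "re-export needed"
printf '%s\n' "$SAMPLE_AFTER" | check_pbe && echo "all bags use an allowed algorithm"
```

The non-zero exit status makes the function usable as a gate in a deployment script, so a .pfx with a disallowed certificate or key bag is caught before it is installed.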

