Re-encrypt a PKCS#12 file to Use a FIPS-Compliant Algorithm

If you configure a Reflection Gateway server to authenticate with a PKCS#12 file, the file must be encrypted with a FIPS-compliant algorithm. If you cannot start the Transfer Client or Gateway Administrator after changing your server certificate, look for the text “Algorithm not allowable in FIPS140 mode” in the server.log file. This indicates that your PKCS#12 package does not use an approved algorithm.

You can use an installed script called reencryptpkcs12.bat to re-encrypt your package with a FIPS-compliant algorithm.

Before you begin

  • You need the PKCS#12 file (*.p12 or *.pfx) containing your CA-signed Reflection Gateway server certificate and private key.

  • You need to know the password that protects this file.

To re-encrypt a PKCS#12 file using a FIPS-approved algorithm

  1. On the computer running the Reflection Transfer Server, open a command window running as an administrator.

  2. Navigate to TransferServer\bin in the Reflection Gateway installation folder. The default location is:

    C:\Program Files\Micro Focus\ReflectionGateway\Gateway\TransferServer\bin

  3. Run the reencryptpkcs12 batch file using the following syntax:

    reencryptpkcs12 non_fips.p12 fips.p12

    Replace non_fips.p12 with the name of your existing file, and fips.p12 with the name you want to give the re-encrypted file. Include full path information if the files are not in the current folder.

  4. Enter the passwords when prompted, using the same password for the source and destination keystores.

    NOTE: If these passwords don't match, the server will not be able to use the keystore.