diff --git a/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch b/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch
new file mode 100644
index 0000000..7f90105
--- /dev/null
+++ b/SOURCES/0003-Fix-local-CA-to-work-under-FIPS.patch
@@ -0,0 +1,38 @@
+From 62a6634867db5d9f79b613055b8788136d4cb41d Mon Sep 17 00:00:00 2001
+From: Ade Lee <alee@redhat.com>
+Date: Wed, 14 Apr 2021 15:34:48 -0400
+Subject: [PATCH] Fix local CA to work under FIPS
+
+The PKCS12 file used for the local CA fails to be created because
+it uses default OpenSSL encryption algorithms that are disallowed
+under FIPS.  This patch simply updates the PKCS12_create() command
+to use allowed encryption algorithms.
+---
+ src/local.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/local.c b/src/local.c
+index 92bea144..2f50ac77 100644
+--- a/src/local.c
++++ b/src/local.c
+@@ -39,6 +39,7 @@
+ 
+ #include <openssl/asn1.h>
+ #include <openssl/err.h>
++#include <openssl/obj_mac.h>
+ #include <openssl/pem.h>
+ #include <openssl/pkcs12.h>
+ #include <openssl/rand.h>
+@@ -372,7 +373,8 @@ get_signer_info(void *parent, char *localdir, X509 ***roots,
+ 			return CM_SUBMIT_STATUS_UNREACHABLE;
+ 		}
+ 		p12 = PKCS12_create(NULL, CONSTANTCN, *signer_key, *signer_cert,
+-				    cas, 0, 0, 0, 0, 0);
++				    cas, NID_aes_128_cbc, NID_aes_128_cbc,
++				    0, 0, 0);
+ 		if (p12 != NULL) {
+ 			if (!i2d_PKCS12_fp(fp, p12)) {
+ 				fclose(fp);
+-- 
+2.26.3
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index 69eac18..a0652ad 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -11,7 +11,7 @@
 
 Name:		certmonger
 Version:	0.79.13
-Release:	2%{?dist}
+Release:	3%{?dist}
 Summary:	Certificate status monitor and PKI enrollment client
 
 Group:		System Environment/Daemons
@@ -21,6 +21,7 @@ Source0:	http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
 
 Patch0001:	0001-Don-t-run-the-002-keygen-tests-when-root.patch
 Patch0002:	0002-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
+Patch0003:	0003-Fix-local-CA-to-work-under-FIPS.patch
 
 BuildRequires:	autoconf
 BuildRequires:	automake
@@ -235,6 +236,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3
+- Fix local CA to work under FIPS (#1950132)
+
 * Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
 - Rebuild with xmlrpc-c support enabled (#1687698)