Error importing PFX files to older servers


I came across a problem where I needed to import a PFX file to Server 2012 servers, the certificate was generated on a newer server and the PFX was exported which is all good, then when I tried to import it like this:


I then got the error:

The password entered was correct, but Windows was adamant it was incorrect which sounds like a encryption mismatch to me as AES256 is not fully supported on older versions of Windows which is interesting as on the new version you can export as AES256 or TripleDES-SHA1 as below:



This means on the newer OS you need to save this a PFX to a folder and in this instance I called it "newcert.pfx" these are the commands I ran the commands:

openssl pkcs12 -in newcert.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in newcert.pfx -nokeys -out cert.pem

This will leave you with two files key.pem and cert.pem in the folder, then run this command to enable the legacy encryption methodologies:

Legacy is defined as : 

In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey key.pem -in cert.pem -out importme.pfx

This will then produce a file called "importme.pfx" than you can then sucesfullyl import into Window Server 2012.

Previous Post Next Post

نموذج الاتصال