"The password you entered is incorrect" when importing .pfx files to Windows certificate store
D

8

54

It works fine on Windows 10, but when I try to import the same .pfx file on a Windows Server 2012 it fails with the message "The password you entered is incorrect".

I use OpenSSL 3.0.0 to create my certificate, private key and .pfx file. I am certain that I use the correct password.

Is there any reason why I would not be able to import a .pfx file on a Windows Server 2012?

Dunaj answered 27/9, 2021 at 8:14 Comment(1)
Literally wasted hours on this issue, good to find confirmation. - Humankind
D
33

It turns out that OpenSSL 3.0.0 uses AES256 as a default to encrypt the private key when exporting a .pfx file.

AES256 is apparently not supported on older versions of Windows according to this forum post.

When I tried to create my .pfx file with OpenSSL 1.1.1 it worked fine. This is apparently because OpenSSL 1.1.1 uses triple DES as a default to encrypt the private key when exporting .pfx files.

Dunaj answered 27/9, 2021 at 8:28 Comment(4)
Have you tried the argument -v1 "PBE-SHA1-3DES"? - Stonedeaf
I tried the command openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out ca.pfx -inkey ca.key -in ca.crt (as I couldn't get the "-v1" option to work), but it still didn't work. But I fixed the issue using OpenSSL 1.1.1 anyway. - Dunaj
Good to know you have a solution. I think to get it to work with the newer version the -nomaciter argument is missing. - Stonedeaf
Nit: AES itself, including AES256 for normal encryption such as in SSL/TLS, is supported since Vista. What is not supported is password-based AES used in PKCS12/PFX. @DanielFisherlennybacon: -v1 and -v2 are only options for openssl pkcs8 -topk8, not for pkcs12 -export. Similarly pkcs8 (since 1.1.0) supports scrypt but pkcs12 does not. - Magpie
C
99

I ran into the same problem with OpenSSL 3 and Windows Server 2012 R2. However, I eventually put together the correct combination of parameters. This seems to work:

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey contoso.com.key -in contoso.com.crt -out contoso.com-legacy.pfx
Cephalonia answered 15/12, 2021 at 20:23 Comment(8)
Same issue here with fully patched Windows 2016 - still supported my a$$! I miss the old MS - Relativistic
@Relativistic I empathize with your frustration, but the OpenSSL team made this decision. Microsoft doesn't control OpenSSL and likely wasn't made aware of the change. - Cephalonia
FYI this command works when exporting PKCS12 from OpenSSL 3 to Android for RADIUS purposes; otherwise "incorrect password" is always shown. - Bracketing
Excellent, works for me! - Sensuous
With the addition of -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac it worked on Windows for me. -nomac is important. I overlooked it at first. Without it, I kept getting the incorrect password error. - Glomerulonephritis
This fixed my issue on Windows Server 2016. Thanks! - Bentley
Worked for me in Windows Server 2016 Standard - Irairacund
Worked for me in Windows Server 2016. Thanks!!! - Posticous
P
27

Stumbled on the same issue trying to generate a .pfx and import it into Windows Server 2012 R2, and the other answers and comments involving -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES and/or -nomac didn't work for me.

What finally worked for me is to use the -legacy option.

From the manpage:

-legacy

Use legacy mode of operation and automatically load the legacy provider. If OpenSSL is not installed system-wide, it is necessary to also use, for example, "-provider-path ./providers" or to set the environment variable OPENSSL_MODULES to point to the directory where the providers can be found.

In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.

Poulard answered 21/6, 2022 at 22:26 Comment(4)
Finally a solution: answers involving -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES and -nomac solved the problem of an incorrect password for me, but imports were still not successful on all Windows machines. The -legacy option solved the issue for me. Thank you! - Wordsworth
The legacy option worked great for me. - Mccarley
@user2587105, @Wordsworth can you provide a sample command with the legacy option? I am facing the same issue while importing a .pfx certificate on Windows Server. - Exothermic
I get "unable to load provider legacy". - Himeji
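The answers above (the OpenSSL 3 default of AES-256 for the private key, and the manpage excerpt describing AES_256_CBC with PBKDF2 versus the 3DES_CBC / RC2_CBC legacy defaults) come down to which algorithm identifiers are written into the PFX. As an added example, not code from this thread or from the OpenSSL project, here is a stdlib-only Python script that walks the DER of a .pfx and reports which PBE scheme and MAC digest it carries, so you can tell before copying a file to an older server whether it is an OpenSSL 3 default export (PBES2/PBKDF2 with AES-256-CBC and a SHA-256 MAC) or the PBE-SHA1-3DES / RC2 form the answers report as working. The OIDs are the standard PKCS#5/PKCS#7/PKCS#12 identifiers; the two sample PFX structures at the bottom are constructed fixtures that mimic the real nesting with dummy ciphertext, and the `old_windows_ok` verdict is a heuristic drawn from this thread's reports (no PBES2/AES-256 and no SHA-256 MAC), not a Microsoft specification.

```python
"""Added example (not from the thread): stdlib-only check of the password-based encryption a
PKCS#12 (.pfx) uses, read from the OIDs that sit outside the encrypted payloads."""

# Standard PKCS#5, PKCS#7, PKCS#12 and NIST identifiers (real OIDs, not constructed)
PBES2, PBKDF2, AES256 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12", "2.16.840.1.101.3.4.1.42"
SHA1_3DES, RC2_40 = "1.2.840.113549.1.12.1.3", "1.2.840.113549.1.12.1.6"
SHA1, SHA256, HMAC_SHA256 = "1.3.14.3.2.26", "2.16.840.1.101.3.4.2.1", "1.2.840.113549.2.9"
PKCS7_DATA, PKCS7_ENCRYPTED = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
LEGACY_PBE, MODERN_PBE = {SHA1_3DES, RC2_40}, {PBES2, PBKDF2, AES256}

def encode_oid(dotted):  # dotted string -> content octets: first two arcs merged, base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def decode_oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))

def read_tlv(buf, pos):
    """(tag, body, end) of the element at buf[pos]; PKCS#12 uses only low-number tags."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 1..4 length octets; 0x80 (indefinite) is not DER
        n = length & 0x7F
        if not 0 < n <= 4:
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def collect_oids(buf):
    """Recurse through constructed types; probe OCTET STRINGs because PKCS#12 nests DER in them."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag & 0x20:
            oids += collect_oids(body)
        elif tag == 0x06:
            oids.append(decode_oid(body))
        elif tag == 0x04 and body[:1] == b"\x30":
            try:
                oids += collect_oids(body)
            except (ValueError, IndexError):
                pass  # ciphertext or opaque data that merely begins with 0x30
    return oids

def classify_pfx(der_bytes):
    """Verdict follows the thread's reports: no PBES2/AES-256 and no SHA-256 MAC imports on old Windows."""
    found = set(collect_oids(der_bytes))
    mac = "sha256" if SHA256 in found else "sha1" if SHA1 in found else None
    return {
        "legacy_pbe": bool(found & LEGACY_PBE),
        "pbes2_aes": bool(found & MODERN_PBE),
        "mac_digest": mac,
        "old_windows_ok": not found & MODERN_PBE and mac != "sha256",
    }

def der(tag, *parts):  # constructed fixtures below: schematic PFX with real nesting, dummy ciphertext
    body = b"".join(parts)
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def oid(dotted):
    return der(0x06, encode_oid(dotted))

def legacy_alg():  # pbeWithSHA1And3-KeyTripleDES-CBC { salt, iterations }
    return der(0x30, oid(SHA1_3DES), der(0x30, der(0x04, b"\x02" * 8), der(0x02, b"\x08\x00")))

def pbes2_alg():  # PBES2 { PBKDF2 { salt, iterations, hmacWithSHA256 }, aes256-CBC { iv } }
    kdf = der(0x30, oid(PBKDF2), der(0x30, der(0x04, b"\x02" * 8), der(0x02, b"\x08\x00"),
                                      der(0x30, oid(HMAC_SHA256), der(0x05))))
    return der(0x30, oid(PBES2), der(0x30, kdf, der(0x30, oid(AES256), der(0x04, bytes(16)))))

def sample_pfx(alg, mac_oid):  # PFX { version 3, AuthenticatedSafe, [MacData] }
    enc_info = der(0x30, oid(PKCS7_DATA), alg, der(0x80, b"\xde\xad\xbe\xef"))
    content = der(0x30, oid(PKCS7_ENCRYPTED), der(0xA0, der(0x30, der(0x02, b"\x00"), enc_info)))
    auth_safe = der(0x30, oid(PKCS7_DATA), der(0xA0, der(0x04, der(0x30, content))))
    parts = [der(0x02, b"\x03"), auth_safe]
    if mac_oid:  # MacData { DigestInfo { { digestOID, NULL }, digest }, salt, iterations }
        digest = der(0x30, der(0x30, oid(mac_oid), der(0x05)), der(0x04, bytes(20)))
        parts.append(der(0x30, digest, der(0x04, b"\x01" * 8), der(0x02, b"\x08\x00")))
    return der(0x30, *parts)

if __name__ == "__main__":  # for a real file: classify_pfx(open("cert.pfx", "rb").read())
    print("openssl 3 default:", classify_pfx(sample_pfx(pbes2_alg(), SHA256)))
    print("3DES with -nomac :", classify_pfx(sample_pfx(legacy_alg(), None)))
```

Running the script with no arguments classifies the two constructed fixtures; pass real bytes to `classify_pfx` to check a file you exported. `openssl pkcs12 -info -noout -in file.pfx` prints the same algorithm names and MAC digest, which is what this automates. The walker only descends into OCTET STRINGs whose content parses as DER, so the encrypted cert bag contents are skipped and only the outer AlgorithmIdentifiers and MacData are inspected, which is exactly where the -keypbe, -certpbe, -nomac and -legacy options leave their mark.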
A
8

For those who still bang their head against the wall with the same problem. My stupid bank started issuing these AES256 certificates that are password protected. It comes in the form of a .pfx file. As you can guess older versions of Windows (like Windows 7) cannot import that one and the error is confusing too: "password is not correct".

Solution: Import the .pfx into a newer version of Windows (like Windows 10). This is important. When importing, mark the certificate as exportable. This allows you to export the certificate afterwards with the older Triple-DES-SHA1 algorithm and/or with no password to protect the key. Then import it on your older system. Cheers.

A1 answered 17/7, 2022 at 20:43 Comment(0)
I
2

Also worth noting that you will get this error if you attempt to import a .pfx file into a Windows Server that has not been 'Activated'.

Once the Server is Activated it will import fine.

Impresario answered 17/5, 2022 at 10:52 Comment(2)
Never knew that! Interesting. Didn't upvote because then I would have to verify it's true - sorry! - Sara
What do you mean the server needs to be activated? - Creatinine
D
2

I got this issue and I tried to import a PFX that held the private key and public certificate, but it didn't contain the chain. Once I included the full chain for the certificate into the PFX, then the import went fine.

Divinize answered 12/1, 2023 at 14:37 Comment(0)
I
1

If you can't get it to convert for you, just install the cert in Windows and then export it as TripleDES.

Inutility answered 13/4, 2023 at 14:40 Comment(2)
Leave this as a comment, please. - Livengood
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Polemoniaceous
M
0

If you just want to export the key, without having to be an OpenSSL guru, you can just use Keystore explorer: https://keystore-explorer.org/downloads.html

Mccarley answered 29/9, 2023 at 11:39 Comment(0)
