FluffyBike

Reputation: 2352

"The password you entered is incorrect" when importing .pfx files to Windows certificate store

It works fine on Windows 10, but when I try to import the same .pfx file on a Windows server 2012 it fails with the message "The password you entered is incorrect".

I use OpenSSL 3.0.0 to create my certificate, private key and .pfx file. I am certain that I use the correct password.

Is there any reason why I would not be able to import a .pfx file on a Windows server 2012?

Upvotes: 64

Views: 120420

Answers (9)

VR6R

Reputation: 11

Issue I found with the -nomac option is that it allows ANY password while installing because it bypasses the MAC integrity check on the cert - not what I want for a production system.

I tried the -legacy flag, but got "unable to load provider legacy"

Here is what worked for me (installing to Windows Server 2016), while still supporting the expected password behavior and MAC integrity checks:

openssl pkcs12 -export -in cert.cer -inkey cert.key -out cert.pfx -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1

Instead of disabling MAC with -nomac, the -macalg sha1 flag specifies the algorithm instead of using the default:

-macalg digest

Specify the MAC digest algorithm. If not included SHA256 will be used.

Upvotes: 1

user2587105

Reputation: 61

If you just want to export the key, without having to be an OpenSSL guru, you can just use Keystore explorer: https://keystore-explorer.org/downloads.html

Upvotes: 0

Jeff Keller

Reputation: 11

If you can't get it to convert for you, just install the cert in Windows and then export it as TripleDES.

Upvotes: 1

Ramon de Klein

Reputation: 5706

I got this issue and I tried to import a PFX that held the private key and public certificate, but it didn't contain the chain. Once I included the full chain for the certificate into the PFX, then the import went fine.

Upvotes: 2

sys7em

Reputation: 131

For those who still bang their head against the wall with the same problem. My stupid bank started issuing these AES256 certificates that are password protected. It comes in the form of a .pfx file. As you can guess older versions of Windows (like Windows 7) cannot import that one and the error is confusing too: "password is not correct".

Solution: Import the .pfx into a newer version of Windows (like Windows 10). This is important. When importing, mark the certificate as exportable. This allows you to export the certificate afterwards with the older Triple-DES-SHA1 algorithm and/or with no password to protect the key. Then import it on your older system. Cheers.

Upvotes: 11

jcaron

Reputation: 17710

Stumbled on the same issue trying to generate a .pfx and import it into Windows Server 2012 R2, and the other answers and comments involving -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES and/or -nomac didn't work for me.

What finally worked for me is to use the -legacy option.

From the manpage:

-legacy

Use legacy mode of operation and automatically load the legacy provider. If OpenSSL is not installed system-wide, it is necessary to also use, for example, "-provider-path ./providers" or to set the environment variable OPENSSL_MODULES to point to the directory where the providers can be found.

In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.

Upvotes: 31

nsread

Reputation: 29

Also worth noting that you will get this error if you attempt to import a .pfx file into a Windows Server that has not been 'Activated'.

Once the Server is Activated it will import fine.

Upvotes: 2

Taylor Buchanan

Reputation: 4757

I ran into the same problem with OpenSSL 3 and Windows Server 2012 R2. However, I eventually put together the correct combination of parameters. This seems to work:

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey contoso.com.key -in contoso.com.crt -out contoso.com-legacy.pfx

Upvotes: 115

FluffyBike

Reputation: 2352

It turns out that OpenSSL 3.0.0 uses AES256 as a default to encrypt the private key when exporting a .pfx file.

AES256 is apparently not supported on older versions of Windows according to this forum post.

When I tried to create my .pfx file with OpenSSL 1.1.1 it worked fine. This is apparently because OpenSSL 1.1.1 uses triple DES as a default to encrypt the private key when exporting .pfx files.

Upvotes: 39
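A check that goes with the answers above, added here and not posted by anyone in the thread: a stdlib-only Python scan of a .pfx file's DER for the PBE, KDF and MAC algorithm OIDs, so you can tell before importing whether a file carries OpenSSL 3's PBES2/PBKDF2/AES-256-CBC and SHA-256 MAC defaults (which Windows Server 2012 and earlier reject with the misleading password error) or the PBE-SHA1-3DES / SHA-1 set the answers switch to. The sample inputs are constructed AlgorithmIdentifier fragments, not real .pfx files; on a real file, read it with open(path, "rb") and pass the bytes to classify_pfx.

```python
H = bytes.fromhex
# DER-encoded OID content octets -> name, for the algorithms this thread is about.
OID_NAMES = {
    H("2a864886f70d01050d"): "PBES2", H("2a864886f70d01050c"): "PBKDF2",
    H("60864801650304012a"): "AES-256-CBC", H("608648016503040201"): "SHA256",
    H("2a864886f70d0209"): "hmacWithSHA256", H("2b0e03021a"): "SHA1",
    H("2a864886f70d010c0103"): "pbeWithSHA1And3-KeyTripleDES-CBC",
    H("2a864886f70d010c0106"): "pbeWithSHA1And40BitRC2-CBC",
}
OID = {name: raw for raw, name in OID_NAMES.items()}
MODERN = {"PBES2", "PBKDF2", "AES-256-CBC", "SHA256", "hmacWithSHA256"}  # OpenSSL 3 defaults
def walk(data, found):
    """Walk DER TLVs, collecting known OIDs; descend into constructed values and into
    OCTET STRINGs that start with a SEQUENCE (the layers PKCS#12 nests in each other)."""
    i = 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                  # long-form length: 0x8n + n bytes
            ln, i = int.from_bytes(data[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        if i + ln > len(data): raise ValueError("truncated DER")
        body, i = data[i:i + ln], i + ln
        if tag == 0x06 and body in OID_NAMES:
            found.append(OID_NAMES[body])
        elif tag & 0x20:                               # SEQUENCE, SET, [n] EXPLICIT
            walk(body, found)
        elif tag == 0x04 and body[:1] == b"\x30":      # heuristic: nested DER layer
            inner = []
            try:
                walk(body, inner); found.extend(inner)
            except (IndexError, ValueError):           # ciphertext that merely looked like DER
                pass
    return found

def classify_pfx(pfx_bytes):
    """Return (sorted algorithm names, verdict); the verdict names the OpenSSL 3 defaults
    that Windows Server 2012 and earlier reject, or 'legacy-compatible' if none appear."""
    names = set(walk(pfx_bytes, []))
    modern = sorted(names & MODERN)
    return sorted(names), ("re-export needed: " + ", ".join(modern)) if modern else "legacy-compatible"

def _der(tag, body):                                   # tiny TLV encoder, sample data only
    return bytes([tag, len(body)] if len(body) < 128 else [tag, 0x81, len(body)]) + body
# Constructed AlgorithmIdentifiers (not real .pfx files): OpenSSL 3's default
# PBES2/PBKDF2/AES-256-CBC form, and the PBE-SHA1-3DES form the answers recommend.
SALT, IV, ITER = b"\x00" * 8, b"\x00" * 16, _der(0x02, b"\x08\x00")
OPENSSL3_DEFAULT = _der(0x30, _der(0x06, OID["PBES2"]) + _der(0x30,
    _der(0x30, _der(0x06, OID["PBKDF2"]) + _der(0x30, _der(0x04, SALT) + ITER
        + _der(0x30, _der(0x06, OID["hmacWithSHA256"]) + _der(0x05, b""))))
    + _der(0x30, _der(0x06, OID["AES-256-CBC"]) + _der(0x04, IV))))
LEGACY_3DES = _der(0x30, _der(0x06, OID["pbeWithSHA1And3-KeyTripleDES-CBC"]) + _der(0x30, _der(0x04, SALT) + ITER))
```

The SHA256 entry catches the MacData digest that -macalg sha1 replaces; a file exported with -nomac simply has no MacData to report.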
