jfordec H

Reputation: 205

Import pfx to IIS Windows server 2016 - The specified network password is not correct

I am using openssl to convert the cert bought from GoDaddy for use with IIS on Windows Server 2016. The command I used to convert is the following; I press Enter for no password. I also tried entering a simple and a complex password, and still got the same error.

openssl pkcs12 -export -out website.pfx -inkey private.key -in a01f36fe692456.crt -certfile gd_bundle-g2-g1.crt

It comes with "The specified network password is not correct" when importing to IIS on Windows Server 2016. To troubleshoot, I tried the same import, but it can import to Windows Server 2019. Wondering how to generate a pfx file for Windows 2016, IIS v10? Thanks

Upvotes: 18

Views: 29862

Answers (6)

BartMass

Reputation: 23

I tried to import my .pfx file and got the same error on Windows Server 2016, IIS.

I had to import it on my personal PC (W11 Pro) and then export it with the private key (to create a .pfx), choosing the legacy encryption TripleDES-SHA1 from the list.

You can do it with OpenSSL as well while creating the .pfx file using the -legacy attribute.

Upvotes: 2

Mridul Singh

Reputation: 11

I faced this issue on Windows Server 2016. I tried the command below to export a new PFX file.

openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -legacy -out domain.com.pfx -inkey domain.decrypted.key -in your.crt

Upvotes: 1

Peter Perron

Reputation: 336

In my case it was the crypto algorithm of the PFX file itself. Windows tells us that the password won't work because it doesn't use the right algorithm.

You just add the -legacy option to openssl to make it use the previous algorithm.

openssl pkcs12 -export -legacy -out website.pfx ...

I found the solution in the openssl-pkcs12 documentation

Upvotes: 11

FBottenheft

Reputation: 1

This works for me too, but this is not at all a correct solution, I reckon... 3des-sha1 has been hacked for ages...

Taking a look at the pfx files vs. created with this openssl command:

MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048

Original pfx which doesn't work:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

How can I get the normal crypto with sha256 imported?

Upvotes: 0

Ferox

Reputation: 461

I ran into the same problem while I was trying to import the pfx file on my server (WS 2016 Standard) and none of the options above worked for me. I even tried to generate the pfx again using the certificate and the private key, but it would still refuse the password.

So I'm adding what worked for me for completeness' sake.

To be able to import the certificate on the server I had to:

  1. Import into my local machine (W10 Enterprise); I marked it as exportable.
  2. Export the pfx from my local machine.
  3. Import the exported pfx file on the server (WS 2016 Standard).

It seems to be a compatibility issue with Windows, but I'm not sure what the issue really is and how the import and export solves it.

Upvotes: 4

Philip Argent

Reputation: 241

I've got it working with IIS using openssl to create the file. It works if you import to your local user certificate store then export it. I compared the exported pfx file to the openssl pfx file using

openssl pkcs12 -in website.pfx -info

The MAC is sha256 on the openssl version, compared to SHA1 on the export version so I added -macalg SHA1 to the openssl command.

The PKCS7 Data for the private key is PBES2, PBKDF2, AES-256-CBC on the openssl version, compared to pbeWithSHA1And3-KeyTripleDES-CBC on the export version so I added -keypbe PBE-SHA1-3DES to the openssl command.

The same for the PKCS7 Encrypted data for the certificates, so I added -certpbe PBE-SHA1-3DES to the openssl command as well.

The final command I ran to get a successful file that will import to IIS is

openssl pkcs12 -macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out website.pfx -inkey private.key -in a01f36fe692456.crt -certfile gd_bundle-g2-g1.crt

Upvotes: 24
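
Added example, not part of any answer above: a small shell helper that reads the text printed by `openssl pkcs12 -info` and reports whether a file uses the SHA1/3DES profile the answers found importable on Windows Server 2016 or the PBES2/AES-256 profile that failed. The names `pfx_profile`, `LEGACY_INFO` and `MODERN_INFO` are made up for this example, and the sample text is constructed from the output quoted in the answers.

```shell
#!/bin/sh
# Classify the text printed by `openssl pkcs12 -info`, read from stdin.
#   legacy  - MAC is sha1 and every encrypted bag is pbeWithSHA1And3-KeyTripleDES-CBC
#   modern  - a PBES2 bag or a non-sha1 MAC is present (the profile that failed above)
#   unknown - no recognisable lines, or some other bag algorithm
pfx_profile() {
    awk '
        /^MAC:/ {                      # "MAC: sha256, Iteration 2048"
            seen = 1
            mac = tolower($2); sub(/,$/, "", mac)
            if (mac != "sha1") modern = 1
        }
        /^(PKCS7 Encrypted data|Shrouded Keybag):/ {
            seen = 1
            if ($0 ~ /PBES2/) modern = 1
            else if ($0 !~ /pbeWithSHA1And3-KeyTripleDES-CBC/) other = 1
        }
        END {
            if (!seen)       print "unknown"
            else if (modern) print "modern"
            else if (other)  print "unknown"
            else             print "legacy"
        }'
}

# Constructed samples, one field per line as openssl prints them.
LEGACY_INFO='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

MODERN_INFO='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

printf 'exported-from-Windows sample: %s\n' "$(printf '%s\n' "$LEGACY_INFO" | pfx_profile)"
printf 'openssl-default sample:       %s\n' "$(printf '%s\n' "$MODERN_INFO" | pfx_profile)"

# On a real file the info text goes to stderr, hence 2>&1 (you are prompted
# for the import password):
#   openssl pkcs12 -in website.pfx -info -noout 2>&1 | pfx_profile
```

The legacy profile protects the private key with only 3DES and SHA-1, so treat such a .pfx as a transfer file: give it a strong password and delete it once the import has succeeded.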
