33

It works fine on Windows 10, but when I try to import the same .pfx file on a Windows server 2012 it fails with the message "The password you entered is incorrect".

I use OpenSSL 3.0.0 to create my certificate, private key and .pfx file. I am certain that I use the correct password.

Is there any reason why I would not be able to import a .pfx file on a Windows server 2012?

FluffyBike

7 Answers

61

I ran into the same problem with OpenSSL 3 and Windows Server 2012 R2. However, I eventually put together the correct combination of parameters. This seems to work:

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey contoso.com.key -in contoso.com.crt -out contoso.com-legacy.pfx
Taylor Buchanan
  • Same issue here with fully patched Windows 2016 - still supported my a$$! I miss the old MS – Jaans Mar 15 '22 at 07:16
  • @Jaans I empathize with your frustration but the OpenSSL team made this decision. Microsoft doesn't control OpenSSL and likely wasn't made aware of the change. – Taylor Buchanan Mar 17 '22 at 13:44
  • FYI this command works while exporting PKCS12 from OpenSSL 3 to Android for RADIUS purposes, otherwise "incorrect password" is always shown – Thor-x86_128 Apr 10 '22 at 16:02
  • Excellent, works for me! – Hernan Nov 02 '22 at 18:08
  • With the addition of `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac` it worked on Windows for me. `-nomac` is important. I overlooked it at first. Without it, I kept getting the incorrect password error. – Maddin Jan 19 '23 at 15:35
24

It turns out that OpenSSL 3.0.0 uses AES256 as a default to encrypt the private key when exporting a .pfx file.

AES256 is apparently not supported on older versions of Windows according to this forum post.

When I tried to create my .pfx file with OpenSSL 1.1.1 it worked fine. This is apparently because OpenSSL 1.1.1 uses Triple DES as a default to encrypt the private key when exporting .pfx files.

FluffyBike
  • Have you tried the argument `-v1 "PBE-SHA1-3DES"`? – Daniel Fisher lennybacon Sep 27 '21 at 10:00
  • I tried the command `openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out ca.pfx -inkey ca.key -in ca.crt` (as I couldn't get the "-v1" option to work), but it still didn't work. But I fixed the issue using OpenSSL 1.1.1 anyway. – FluffyBike Sep 27 '21 at 10:58
  • Good to know you have a solution. I think to get it to work with the newer version the `-nomaciter` argument is missing. – Daniel Fisher lennybacon Sep 27 '21 at 11:08
  • Nit: AES itself, including AES256 for normal encryption such as in SSL/TLS, is supported since Vista. What is not supported is _password-based_ AES used in PKCS12/PFX. @DanielFisherlennybacon: `-v1` and `-v2` are only options for `openssl pkcs8 -topk8`, not for `pkcs12 -export`. Similarly `pkcs8` (since 1.1.0) supports `scrypt` but `pkcs12` does not. – dave_thompson_085 Mar 30 '22 at 23:36
11

Stumbled on the same issue trying to generate a .pfx and import it into Windows Server 2012 R2, and the other answers and comments involving -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES and/or -nomac didn't work for me.

What finally worked for me is to use the -legacy option.

From the manpage:

-legacy

Use legacy mode of operation and automatically load the legacy provider. If OpenSSL is not installed system-wide, it is necessary to also use, for example, "-provider-path ./providers" or to set the environment variable OPENSSL_MODULES to point to the directory where the providers can be found.

In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.

jcaron
  • Finally a solution: answers involving `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES` and `-nomac` solved the problem of an incorrect password for me, but imports were still not successful on all Windows machines. The `-legacy` option solved the issue for me. Thank you! – deacs Jan 24 '23 at 12:43
  • The legacy option worked great for me. – user2587105 Apr 05 '23 at 15:21
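As an added example (written for this page, not taken from any answer here or from OpenSSL), the following stdlib-only Python reads a .pfx and reports whether its bags use the PBES2/AES-256 scheme OpenSSL 3 defaults to or the PKCS#12 v1 SHA1-3DES/RC2 schemes that `-certpbe`/`-keypbe PBE-SHA1-3DES` and `-legacy` produce, and which MAC digest (if any) protects the file. The OID table and the verdict rule (v1 PBEs or unencrypted bags, and no MAC or a SHA-1 MAC) encode what the answers above report; the check reads algorithm identifiers only and never needs the password.

```python
# Added example, not from the thread: report which PBE and MAC algorithms a .pfx uses, so
# you can tell before copying it to a Windows Server 2012 box whether the import will fail.
PBE = {  # AlgorithmIdentifier OID -> (name, accepted by the legacy Windows PFX import)
    "1.2.840.113549.1.5.13": ("PBES2/PBKDF2 (OpenSSL 3 default, AES-256-CBC)", False),
    "1.2.840.113549.1.12.1.3": ("pbeWithSHA1And3-KeyTripleDES-CBC", True),
    "1.2.840.113549.1.12.1.6": ("pbeWithSHA1And40BitRC2-CBC", True),
}
MAC = {"1.3.14.3.2.26": ("SHA-1", True), "2.16.840.1.101.3.4.2.1": ("SHA-256", False)}

def tlv(buf, pos):
    """Parse one definite-length DER TLV at pos -> (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, pos, pos + n

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0  # OBJECT IDENTIFIER bytes -> dotted string
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def walk(buf, pos, end, found):
    """Collect OIDs in buf[pos:end]; descend into constructed values and nested-DER OCTET STRINGs."""
    while pos < end:
        tag, vs, ve = tlv(buf, pos)
        nested = tag == 0x04 and ve - vs > 2 and buf[vs] == 0x30 and tlv(buf, vs)[2] == ve
        if tag == 0x06:
            found.append(decode_oid(buf[vs:ve]))
        elif tag & 0x20 or nested:  # PKCS#12 wraps AuthenticatedSafe in an OCTET STRING
            walk(buf, vs, ve, found)
        pos = ve
    return found

def inspect_pfx(der):
    """PFX ::= SEQUENCE { version, authSafe ContentInfo, macData MacData OPTIONAL }."""
    tag, pos, end = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER-encoded PKCS#12 PFX")
    kids = []  # (start, end) of each top-level element
    while pos < end:
        kids.append((pos, tlv(der, pos)[2]))
        pos = kids[-1][1]
    pbe = sorted(o for o in set(walk(der, *kids[1], [])) if o in PBE)
    mac = next((o for o in walk(der, *kids[2], []) if o in MAC), None) if len(kids) == 3 else None
    # verdict from the thread: PKCS#12 v1 PBEs only (or no encryption), and no MAC or a SHA-1 MAC
    ok = all(PBE[o][1] for o in pbe) and (len(kids) < 3 or mac is not None and MAC[mac][1])
    return {"pbe": [PBE[o][0] for o in pbe], "mac": MAC[mac][0] if mac else None, "legacy_windows_ok": ok}
```

Call `inspect_pfx(open("contoso.com-legacy.pfx", "rb").read())` on the exported file; `legacy_windows_ok: False` predicts the misleading "password is incorrect" error on Server 2012 even though the password is right.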
3

For those who still bang their heads against the wall with the same problem: my stupid bank started issuing these AES256 certificates that are password protected. They come in the form of a .pfx file. As you can guess, older versions of Windows (like Windows 7) cannot import that one, and the error is confusing too: "password is not correct".

Solution: import the .pfx into a newer version of Windows (like Windows 10). This is important. When importing, mark the certificate as exportable. This allows you to export the certificate afterwards with the older Triple-DES-SHA1 algorithm and/or with no password to protect the key. Then import it on your older system. Cheers.

sys7em
1

Also worth noting that you will get this error if you attempt to import a .pfx file into a Windows Server that has not been 'Activated'.

Once the Server is Activated it will import fine.

nsread
1

I got this issue and I tried to import a PFX that held the private key and public certificate, but it didn't contain the chain. Once I included the full chain for the certificate into the PFX, then the import went fine.

Ramon de Klein
1

If you can't get it to convert for you, just install the cert in Windows and then export it as TripleDES.

  • leave this as a comment pls – gatsbyz Apr 18 '23 at 23:57