
We have a PowerShell script which is used to call an API by establishing a connection over SSL. The certificates are placed alongside the PowerShell script to be used by it, and the password is specified in an ini file which the script reads. It was working fine earlier, but suddenly it has started giving the error below:

    Exception calling "Import" with "3" argument(s): "The specified network password is not correct.
    "
    At C:\Users\Administrator\Desktop\NewInstallIssue\Download\win\installCDWindows.ps1:70 char:3
    + $cert.Import($CertificatePath, $KeyStore_Password ,'DefaultKeySet')
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CryptographicException

The part of the PowerShell script throwing this error is:

    $cert= New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $CertificatePath = Join-Path -Path $PSScriptRoot -ChildPath 'cdCert.pfx'
    $cert.Import($CertificatePath, $KeyStore_Password ,'DefaultKeySet')

`$KeyStore_Password` contains the correct password, as I tested what is stored in this variable just before `$cert.Import` using echo.

Sahil
  • Check certificate and see if it has expired. Error says CryptographicException. – jdweng Jan 06 '23 at 11:18
  • I tried to check the cdCert.pfx file with the command below: `CertUtil -dump "cdCert.pfx"`. It gives the error below: `Cannot decode object: The specified network password is not correct. 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD) CertUtil: -dump command FAILED: 0x80070056 (WIN32: 86 ERROR_INVALID_PASSWORD) CertUtil: The specified network password is not correct.` – Sahil Jan 06 '23 at 11:51
  • Did you try hardcoding the password to see if it really is correct or not? If that works, double-check what is in your variable `$KeyStore_Password` – Theo Jan 06 '23 at 13:54
  • Where did the certificate come from? Maybe the way you downloaded it was wrong. It is binary, so encoding or downloading with FTP in text mode may corrupt it. – jdweng Jan 06 '23 at 14:38
  • @jdweng, I am able to execute the command below on the cdCert.pfx file: `openssl pkcs12 -in cdCert.pfx -out temp.pem` with the same password, and then I executed the command below on temp.pem: `openssl x509 -in temp.pem -noout -enddate`, which gave me the output **notAfter=Feb 5 10:41:16 2023 GMT**. One thing I observed is that the expiry date is just one month away. Does that affect it? – Sahil Jan 07 '23 at 01:26
  • Very interestingly, I am able to execute the **openssl command** on cdCert.pfx as mentioned above; however, when I try to **import the certificate in my Windows VM using the "Certificate Import Wizard" with the same password**, it says "The password you entered is not correct". – Sahil Jan 07 '23 at 01:39
  • Another thing I discovered is that **I am able to import the certificate (cdCert.pfx) in Windows 10 successfully**. But on Windows Server 2012, I am not able to do so as mentioned above; I get the password error. The Stack Overflow thread below explains this: [link](https://stackoverflow.com/questions/69343254/the-password-you-entered-is-incorrect-when-importing-pfx-files-to-windows-cer). This might answer my problem, as I am using Windows Server 2012. But my next problem is that **I am generating the pfx certificate with Java code using Bouncycastle and the java.security package.** How do I handle this? – Sahil Jan 07 '23 at 02:48
  • Windows 2012 doesn't support the encryption mode used in the certificate. So the link you provided is the answer. – jdweng Jan 07 '23 at 11:13
  • The cipher mode may not be enabled automatically. See: https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1 – jdweng Jan 07 '23 at 16:04
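
A way to check the diagnosis reached in the comments without knowing the password, as an added example that is not part of the original thread: the PKCS#12 container keeps its password-based encryption and MAC algorithm identifiers in clear, so they can be looked up in the raw bytes of the file. The function name `Get-PfxPbeAlgorithm`, the `Modern` classification (treated here as an assumption about what older Windows builds reject) and the sample bytes are all constructed for illustration.

```powershell
# Added example, not from the thread. Get-PfxPbeAlgorithm is a hypothetical name.
# It looks for the DER encodings of well-known algorithm OIDs in the raw PKCS#12
# bytes; those identifiers sit outside the encrypted payload, so no password is
# needed. Heuristic only: a BER file that splits an OID across chunks is missed.
function Get-PfxPbeAlgorithm {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)

    # Der = tag 06, length, OID value, written the way BitConverter prints bytes.
    # Modern = assumption: schemes that older Windows builds fail to import.
    $known = @(
        @{ Name = 'PBES2 (1.2.840.113549.1.5.13)'
           Der = '06-09-2A-86-48-86-F7-0D-01-05-0D'; Modern = $true }
        @{ Name = 'AES-256-CBC (2.16.840.1.101.3.4.1.42)'
           Der = '06-09-60-86-48-01-65-03-04-01-2A'; Modern = $true }
        @{ Name = 'HMAC-SHA256 PRF (1.2.840.113549.2.9)'
           Der = '06-08-2A-86-48-86-F7-0D-02-09'; Modern = $true }
        @{ Name = 'SHA-256 MAC digest (2.16.840.1.101.3.4.2.1)'
           Der = '06-09-60-86-48-01-65-03-04-02-01'; Modern = $true }
        @{ Name = 'pbeWithSHAAnd3-KeyTripleDES-CBC (1.2.840.113549.1.12.1.3)'
           Der = '06-0A-2A-86-48-86-F7-0D-01-0C-01-03'; Modern = $false }
        @{ Name = 'pbeWithSHAAnd40BitRC2-CBC (1.2.840.113549.1.12.1.6)'
           Der = '06-0A-2A-86-48-86-F7-0D-01-0C-01-06'; Modern = $false }
        @{ Name = 'SHA-1 MAC digest (1.3.14.3.2.26)'
           Der = '06-05-2B-0E-03-02-1A'; Modern = $false }
    )

    # "30-82-..." style string; every match starts on a byte boundary because
    # each pattern begins with a full byte followed by '-'.
    $hex   = [System.BitConverter]::ToString($Bytes)
    $found = @($known | Where-Object { $hex.Contains($_.Der) })

    New-Object PSObject -Property @{
        Algorithms    = @($found | ForEach-Object { $_.Name })
        UsesModernPbe = (@($found | Where-Object { $_.Modern }).Count -gt 0)
    }
}

# Constructed sample: a bare AlgorithmIdentifier fragment naming PBES2,
# not a real PFX file.
[byte[]]$sample = 0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x05,0x0D
Get-PfxPbeAlgorithm -Bytes $sample

# Against the file from the question:
# Get-PfxPbeAlgorithm -Bytes ([System.IO.File]::ReadAllBytes($CertificatePath))
```

If `UsesModernPbe` is true for a file that imports on Windows 10 but fails on the older server, the password itself is not the problem and the PFX has to be produced with algorithms the older system accepts.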

0 Answers