"The password you entered is incorrect" when importing .pfx files to Windows certificate store

It works fine on Windows 10, but when I try to import the same .pfx file on a Windows server 2012 it fails with the message "The password you entered is incorrect". I use OpenSSL 3.0.0 to create my certificate, private key and .pfx file. I am certain that I use the correct password. Is there any reason why I would not be able to import a .pfx file on a Windows server 2012?

asked Sep 27, 2021 at 8:14 by FluffyBike

Literally wasted hours on this issue, good to find confirmation.

Commented Mar 4, 2022 at 20:35

8 Answers

I ran into the same problem with OpenSSL 3 and Windows Server 2012 R2. However, I eventually put together the correct combination of parameters. This seems to work:

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey contoso.com.key -in contoso.com.crt -out contoso.com-legacy.pfx 
answered Dec 15, 2021 at 20:23 by Taylor Buchanan

Same issue here with fully patched Windows 2016 - still supported my a$$! I miss the old MS

Commented Mar 15, 2022 at 7:16

@Jaans I empathize with your frustration but the OpenSSL team made this decision. Microsoft doesn't control OpenSSL and likely wasn't made aware of the change.

Commented Mar 17, 2022 at 13:44

With the addition of -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac it worked on Windows for me. -nomac is important. I overlooked it first. Without it, I kept getting incorrect password error.

Commented Jan 19, 2023 at 15:35

This fixed my issue on Windows Server 2016. Thanks!

Commented Sep 26, 2023 at 18:06

Worked for me in Windows Server 2016 standard

Commented Oct 17, 2023 at 16:34

It turns out that OpenSSL 3.0.0 uses AES256 as a default to encrypt the private key when exporting a .pfx file.

AES256 is apparently not supported on older versions of Windows according to this forum post.

When I tried to create my .pfx file with OpenSSL 1.1.1 it worked fine. This is apparently because OpenSSL 1.1.1 uses triple DES as a default to encrypt the private key when exporting .pfx files.

answered Sep 27, 2021 at 8:28 by FluffyBike

Have you tried the argument -v1 "PBE-SHA1-3DES" ?

Commented Sep 27, 2021 at 10:00

I tried the command openssl pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out ca.pfx -inkey ca.key -in ca.crt (as I couldn't get the "-v1" option to work), but it still didn't work. But I fixed the issue using OpenSSL 1.1.1 anyway.

Commented Sep 27, 2021 at 10:58

Good to know you have a solution. I think that to get it to work with the newer version, the -nomaciter argument is missing.

Commented Sep 27, 2021 at 11:08

Nit: AES itself, including AES256 for normal encryption such as in SSL/TLS, is supported since Vista. What is not supported is password-based AES used in PKCS12/PFX. @DanielFisherlennybacon: -v1 and -v2 are only options for openssl pkcs8 -topk8, not for pkcs12 -export. Similarly pkcs8 (since 1.1.0) supports scrypt but pkcs12 does not.

Commented Mar 30, 2022 at 23:36
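The export command from the first answer, and the AES-256 default that the second answer identifies as the cause, can be checked before the file ever reaches the Windows box: openssl pkcs12 -info reports which PBE scheme each bag of a PFX uses. The script below is an added example, not code posted by anyone in this thread. It builds a throwaway self-signed key and certificate for a constructed subject (/CN=contoso.com) with a constructed demo password, exports one PFX with the explicit PBE-SHA1-3DES / -nomac parameters and one with OpenSSL's defaults, and then inspects both. The helper name pfx_uses_legacy_pbe, the temporary working directory and the file names are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: export a .pfx with the SHA1/3DES PBE
# parameters from the first answer, then read each file back and check which
# encryption schemes it actually contains. Key, certificate, subject and
# password are constructed for this demo; substitute your own.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='demo-password-change-me'   # constructed demo password

# Throwaway self-signed key and certificate, standing in for contoso.com.key/.crt.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=contoso.com' \
        -keyout "$WORK/contoso.com.key" -out "$WORK/contoso.com.crt" >/dev/null 2>&1
}

# Export the way the first answer does: SHA1/3DES PBE for both the certificate
# bag and the shrouded key bag, and no MAC. These algorithms live in OpenSSL's
# default provider, so the same command works on 1.1.1 and 3.x without -legacy.
export_legacy_pfx() {   # $1 = output path
    openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac \
        -inkey "$WORK/contoso.com.key" -in "$WORK/contoso.com.crt" \
        -passout "pass:$PASS" -out "$1"
}

# Export with OpenSSL's defaults, for comparison. On 3.x this yields
# PBES2 / PBKDF2 / AES-256-CBC, which Windows Server 2012 R2 and 2016 cannot
# decrypt and report as a wrong password; on 1.1.1 it yields SHA1/3DES.
export_default_pfx() {  # $1 = output path
    openssl pkcs12 -export -inkey "$WORK/contoso.com.key" -in "$WORK/contoso.com.crt" \
        -passout "pass:$PASS" -out "$1"
}

# Print the PBE lines of a PFX and return 0 only when both the certificate bag
# and the key bag use pbeWithSHA1And3-KeyTripleDES-CBC. -nomacver is required
# because a -nomac file has no MAC to verify (OpenSSL 1.1.1 otherwise refuses
# to open it). -info writes its report to stderr, hence 2>&1.
pfx_uses_legacy_pbe() {   # $1 = pfx path
    info="$(openssl pkcs12 -info -noout -nomacver -in "$1" -passin "pass:$PASS" 2>&1)"
    printf '%s\n' "$info" | grep -E 'Encrypted data|Keybag|PKCS7 Data' || true
    cert_ok=$(printf '%s\n' "$info" | grep -c 'Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC' || true)
    key_ok=$(printf '%s\n' "$info" | grep -c 'Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC' || true)
    [ "$cert_ok" -ge 1 ] && [ "$key_ok" -ge 1 ]
}

make_demo_cert
export_legacy_pfx "$WORK/contoso.com-legacy.pfx"
export_default_pfx "$WORK/contoso.com-default.pfx"

echo "== contoso.com-legacy.pfx (explicit SHA1/3DES, -nomac)"
if pfx_uses_legacy_pbe "$WORK/contoso.com-legacy.pfx"; then
    echo "OK: importable on Windows Server 2012 R2 / 2016"
fi
echo "== contoso.com-default.pfx (OpenSSL defaults, $(openssl version))"
if ! pfx_uses_legacy_pbe "$WORK/contoso.com-default.pfx"; then
    echo "NOT legacy-compatible: expect 'The password you entered is incorrect' on older Windows"
fi
```

Run pfx_uses_legacy_pbe against any PFX you are about to hand to an older Windows host; a line reading PBES2, PBKDF2, AES-256-CBC in its output means the file was produced with OpenSSL 3 defaults and should be re-exported with the explicit parameters above.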

Stumbled on the same issue trying to generate a .pfx and import it into Windows Server 2012 R2, and the other answers and comments involving -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES and/or -nomac didn't work for me.

What finally worked for me is to use the -legacy option.

From the manpage:

-legacy

Use legacy mode of operation and automatically load the legacy provider. If OpenSSL is not installed system-wide, it is necessary to also use, for example, "-provider-path ./providers" or to set the environment variable OPENSSL_MODULES to point to the directory where the providers can be found.

In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.