PFX/PKCS#12 Import “The password you entered is incorrect”
When attempting to import a PKCS#12/PFX file into a Windows machine, you receive the error “The password you entered is incorrect”. However, you are certain that the password is correct, and the same file may even import fine on other servers.
The problem is with legacy versions of Windows, including Windows Server 2012, 2016 and Windows 10. These versions only support the weaker algorithm (TripleDES-SHA1) for the protection of the PKCS#12 file.
More recent implementations also support AES256-SHA256, and any modern system creating PKCS#12 files, certdog included, will use the stronger algorithms by default.
In short: certdog produces PKCS#12 files protected with AES, but your Windows version does not recognise this algorithm and assumes TripleDES instead, so the import fails and is reported as an incorrect password, leaving you unable to install your certificate.
Workarounds
Your options are:
- Set certdog to revert to legacy (weaker) algorithms for PKCS#12 files
- Use openssl to convert your PKCS#12 from the strong to the weaker algorithms
- Upgrade your systems (to Windows 11 or Windows Server 2019 onwards), although this may not be an immediately practical solution
Instructions on how to implement these options are described here
Note that for any Java application (which certdog is) the algorithms used in this case are dictated by the Java runtime. The default PKCS#12 algorithms changed after Java version 8u291. However, this can be overridden by providing the following Java property when running Java versions newer than 8u291:
-Dkeystore.pkcs12.legacy