Importing a pkcs12 to windows server 2016?

Mateusz Dobrzański 21

Hi everyone!

I got a problem importing a pkcs12 cert to my windows server 2016.
I generated the cert using java keytool, but when I trying to import a newly generated cert I got the message "The password you entered is incorrect". It is weird because I copy-paste the password, also when I trying to import this certificate to other windows (e.g. to Windows 10) everything works fine.
Where I should find any clues?

Regards,
Mat

Accepted answer

Gary Nebbett 5,721 Reputation points

2021-08-18T13:33:28.437+00:00

Hello Mat,

For each of your PKCS #12 files, you could try the following: issue the command certutil -asn <filename> | findstr /i "pb aes des sha" (replacing "<filename>" with the name of the PKCS #12 file).

If the output starts like:

| | | | | ; 1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES

then it should be possible to import the PKCS #12 file into Windows 2016.

If the output starts like:

| | | | | ; 1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2
| | | | | | ; 1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2
| | | | | ; 2.16.840.1.101.3.4.1.42 aes256

or similar, then the PKCS #12 file probably cannot be imported into Windows 2016 using the built-in Windows 2016 tools. You will have to recreate the PKCS #12 file using TripleDES and SHA1.

Gary
Please sign in to rate this answer.

1 person found this answer helpful.
Mateusz Dobrzański 21 Reputation points

2021-08-18T14:49:07.883+00:00

Unfortunately my certificate begins with:
| | | | | ; 1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2
| | | | | | ; 1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2
| | | | | ; 2.16.840.1.101.3.4.1.42 aes256

So, I must now find a way how to convert the certificate...

Gary Nebbett 5,721 Reputation points

2021-08-18T15:02:12.617+00:00

Hello Mat,

Your PKCS #12 file probably contains a certificate and its private key. You don't need to convert the certificate (nor its private key).

One of the many things that you could do is to import the PKCS #12 file on a Windows 10 system and then export the certificate plus key again, this time choosing TripleDES+SHA1 protection for the resulting PKCS #12 file.

Gary

Mateusz Dobrzański 21 Reputation points

2021-08-18T18:06:01.123+00:00

Hello Gary,

Thank you so much! Tomorrow I'll check if communication works.
I convert my certificate by this article, but next time I will use your idea to export from other windows machine
Sign in to comment

1 additional answer

Gary Nebbett 5,721 Reputation points

2021-08-18T10:36:39.733+00:00

Hello Mat,

The error message might be "misleading". The problem is probably the cryptographic algorithms used by the PKCS #12 file. The file that you have might be using algorithms that were not supported nn Windows 2016.

Gary
Please sign in to rate this answer.
Mateusz Dobrzański 21 Reputation points

2021-08-18T10:50:45.423+00:00

Hello Gary,

I tried to use SHA-256 with RSA (ver3), but other PKCSs also won't import.

Gary Nebbett 5,721 Reputation points

2021-08-18T11:30:38.903+00:00

Hello Mat,

I am a bit confused about your last message. What do you mean by "RSA (ver3)"? The algorithms needed by a password protected PKCS #12 file are a symmetric encryption algorithm (e.g. AES-256) and a hash algorithm (e.g. SHA-256).

What do you mean by "other PKCSs also won't import"? Does that mean that you can't import any PKCS #12 files on your Windows 2016 system?

Gary

Mateusz Dobrzański 21 Reputation points

2021-08-18T12:05:53.83+00:00

Dear Gary,

"Does that mean that you can't import any PKCS #12 files on your Windows 2016 system?" - yes, it looks like I have that problem and I don't know where to find a clue.

I used keytool to generate a PKCS#12, next, I choose RSA with 2048 key size, I fill the required fields like CN, etc. And this cert won't import on windows server 2016 machine. For the test, I tried to generate another cert using another tool without a password but I still got that confusing message password is incorrect...
Sign in to comment

Share via

Importing a pkcs12 to windows server 2016?

1 additional answer