The -legacy option is useful and even required when creating a pkcs12 keystore for use in older operating systems and Java versions. This article will primarily focus on the operating system example, and we will defer to keytool specific options when generating keystores to be used in older java versions in another article.
The legacy option loads the legacy provider in the system installed OpenSSL. The default algorithm for certificate encryption is either RC2_CBC or 3DES_CBC. The default algorithm for private key encryption is 3DES_CBC.
If the legacy option is not provided, then the default algorithm for certificate and private keys is AES_256_CBC with PBKDF2 for key derivation.
If you have generated a pkcs12 keystore (or pfx when working in Windows) and cannot import the certificate into your Windows certificate store because of an invalid password, it is likely because the version of Windows server or desktop you are using does not support the newer versions. Obviously you should first verify you are using the correct password, but if you are certain you are then it’s likely because the keystore was generated with OpenSSL 3. As of this writing from our experience, Windows Server 2019 or greater is required to use a keystore generated by OpenSSL v3.x.
openssl pkcs12 legacy examples
To print info about a pkcs12 keystore in legacy mode:
openssl pkcs12 -in example.p12 -info -noout -legacy
To create a pkcs12 keystore from an existing certificate and private key in legacy mode:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out example.p12 -legacy
By using the legacy option in the openssl pkcs12 utility you can generate a keystore that can be imported into older versions of Windows certificate stores as well as older software that does not support newer cryptographic algorithms. Let us know in the comments if you have any questions or would like to see more examples of the legacy option in OpenSSL.
If working with older versions of Java, see our article on creating keystores with legacy cryptography in Java.