A pfx password protects the private key stored in your keystore. The private key inside the keystore has its own password, and that password should be the same as the pfx keystore password. When the keystore is created and protected with a password, the two passwords match. The place to be careful is when changing the key password on its own: the passwords then get out of sync, effectively corrupting the keystore. OpenSSL and the Java keytool can still manage such a keystore, but applications that use it will fail, because the keystore can be decrypted while the private key cannot.
When importing a pfx keystore into the Windows certificate store you will be prompted for a password. If you receive an error message stating “The password you entered is incorrect” when importing the pfx into Windows, first check that the entered password is indeed correct. If you have verified the keystore password is correct with OpenSSL, keytool, or a different version of Windows, then you may be attempting to install a keystore generated with OpenSSL v3.0 into an older version of Windows that does not support the encryption and hash algorithms OpenSSL 3 uses by default. Specifically, Windows Server 2012 and Windows Server 2016 will not support keystores generated with OpenSSL 3. Older versions of Windows than those listed, well… you need to upgrade now.
Fix invalid pfx password
Fixes for importing pfx files into old versions of Windows
Use OpenSSL 1.1.1
Using OpenSSL v1.1.1 you can create the pfx keystore as usual. We have extensive documentation on pkcs12 commands. For convenience, here is the command to create a pfx keystore from an existing key pair. If you have a different use case, our pkcs12 documentation covers those examples. Of course, if we do not have the exact example you need, let us know in the comments.
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.pfx
Alternatively, use the -legacy option with OpenSSL 3.
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.pfx -legacy
The -legacy option will use legacy encryption and hashing algorithms which are supported in older versions of Windows.
For more details on the -legacy option, run the following command and look for -legacy in the output.
openssl pkcs12 -help
The output of the command for -legacy is the following:
Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs
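As an added example (not from the article), the following POSIX shell script exports one throwaway key pair both ways and then inspects what each pfx actually records, so you can tell before handing a file to an older Windows host whether it was built with the legacy algorithms; it also checks that the single password opens both the container and the shrouded key, which is the password drift described at the top of the page. The password, subject name and file names are constructed samples; the script probes whether this OpenSSL build accepts -legacy rather than assuming a version.

```shell
# Export one key pair as a modern (PBES2/AES) and a legacy (RC2/3DES) pfx and
# report which algorithms each file records. Throwaway key, self-signed cert
# and password are all constructed for this demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 0; }
PASS='example-pfx-password'      # constructed sample password
WORK=$(mktemp -d); cd "$WORK"

# Throwaway self-signed key pair for the demo only.
make_keypair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=pfx-example \
        -keyout key.pem -out cert.pem >/dev/null 2>&1
}
# Export cert+key into a pfx; extra options such as -legacy pass through.
make_keystore() {
    out=$1; shift
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out "$out" \
        -passout "pass:$PASS" "$@"
}

# OpenSSL 3 reads RC2/3DES keystores only with its legacy provider loaded, so
# reads add -legacy whenever this build can export with it (1.1.1 cannot).
make_keypair
READ_OPT=
make_keystore probe.pfx -legacy 2>/dev/null && READ_OPT=-legacy

# Algorithm lines from the pfx headers (-noout: no key material is printed).
pfx_algorithms() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" $READ_OPT 2>&1 |
        grep -E 'Encrypted data:|Shrouded Keybag:|^MAC' | sort -u
}
# "modern" = PBES2 with AES (OpenSSL 3 default); "legacy" = anything older.
pfx_class() {
    if pfx_algorithms "$1" | grep -q PBES2; then echo modern; else echo legacy; fi
}
# True only if one password verifies the container MAC, decrypts the cert bag
# and decrypts the shrouded key, i.e. keystore and key passwords still agree.
pfx_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes -out /dev/null \
        $READ_OPT >/dev/null 2>&1
}

make_keystore keystore.pfx
echo "keystore.pfx: $(pfx_class keystore.pfx)"; pfx_algorithms keystore.pfx
if [ -n "$READ_OPT" ]; then
    make_keystore legacy.pfx -legacy
    echo "legacy.pfx: $(pfx_class legacy.pfx)"; pfx_algorithms legacy.pfx
fi
```

On OpenSSL 1.1.1 the -legacy probe fails and the default export is already classified as legacy, which is exactly why the article's fallback to 1.1.1 works.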
Conclusion
This article has explained what a pfx password protects and why the keystore and key passwords must stay in sync. It has also demonstrated how to create a pfx keystore that older versions of Windows can import, either with the -legacy option in OpenSSL v3 or by falling back to OpenSSL v1.1.1.