
Mister PKI


pfx password

December 1, 2022 by Mister PKI

A pfx password protects the private key stored in your keystore. The private key inside the keystore also has its own password, which should be the same as the pfx keystore password. When you create the keystore and protect it with a password, the two passwords match. The place to be careful is when changing the key password by itself: the passwords can then get out of sync, essentially corrupting the keystore. While it can still be managed with OpenSSL and the Java keytool, applications using it will not be able to load the private key, because the keystore will be decrypted but the private key will not be.

When importing a pfx keystore into the Windows certificate store, you will be prompted for a password. If you receive an error message stating “The password you entered is incorrect” when importing the pfx into Windows, first check that the entered password is indeed correct. If you have verified the keystore password is correct with OpenSSL, keytool, or a different version of Windows, then you may be attempting to install a keystore generated with OpenSSL v3.0 into an older version of Windows that doesn’t support the latest encryption and hash algorithms. Specifically, Windows Server 2012 and Windows Server 2016 will not support keystores generated with OpenSSL 3. Versions of Windows older than those listed, well… you need to upgrade now.

Fix invalid pfx password

Fixes for importing pfx files into old versions of Windows
Use OpenSSL 1.1.1

Using OpenSSL v1.1.1 you can create the pfx keystore as usual. We have extensive documentation on pkcs12 commands. For convenience, here is the command to create a pfx keystore from an existing key pair. If you have a different use case, our pkcs12 documentation will provide those examples. Of course, if we do not have the exact example you need, let us know in the comments.

openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.pfx

Alternatively, use the -legacy option with OpenSSL 3.

openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.pfx -legacy

The -legacy option will use legacy encryption and hashing algorithms which are supported in older versions of Windows.
For more details on the -legacy option, run the following command and look for -legacy in the output.

openssl pkcs12 -help

The output of the command for -legacy is the following:

Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs
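To check which algorithms an existing pfx actually uses before importing it into an older version of Windows, the output of openssl pkcs12 -info -noout can be classified. The script below is an added example, not part of the original article; the function name pfx_profile, the PFX_PASS environment variable and the two sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the algorithms reported by
#   openssl pkcs12 -info -noout
# Reads that text on stdin and prints one word:
#   legacy  - only pbeWithSHA1And... schemes (3DES/RC2) and a SHA-1 MAC
#   modern  - PBES2 encryption and/or a MAC digest other than SHA-1
#   unknown - no recognizable algorithm lines
pfx_profile() {
    awk '
        /^MAC: /                                  { mac = $2; sub(/,$/, "", mac) }
        /(Encrypted data|Keybag): PBES2/          { modern++ }
        /(Encrypted data|Keybag): pbeWithSHA1And/ { legacy++ }
        END {
            if (modern || (mac != "" && mac != "sha1")) print "modern"
            else if (legacy)                            print "legacy"
            else                                        print "unknown"
        }'
}

# Constructed sample outputs (not captured from a real keystore).
SAMPLE_DEFAULT='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

if [ "$#" -eq 1 ]; then
    # Real keystore: -info prints to stderr, -noout suppresses key and certs.
    # The password comes from the PFX_PASS environment variable (assumed name)
    # so that it does not appear on the command line.
    openssl pkcs12 -info -noout -in "$1" -passin env:PFX_PASS 2>&1 | pfx_profile
else
    # No argument: run the classifier over the constructed samples.
    printf 'default export: %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | pfx_profile)"
    printf 'legacy export:  %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | pfx_profile)"
fi
```

Export PFX_PASS in the shell before running the script against a real keystore. A result of modern means the file should be re-exported with OpenSSL 1.1.1 or the -legacy option before importing it into the older Windows versions named above.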

Conclusion

In conclusion, this article has explained the use of a pfx password. In addition, it has demonstrated how to create a pfx keystore that is usable by older versions of Windows, either by using the -legacy option in OpenSSL v3 or by falling back to OpenSSL v1.1.1.
