Import certificate on windows server 2012 fail


I have a p12 file (RS256). When I open it through the Certificate Import Wizard on Windows 10 and follow the steps, Windows can read the file with a password, but when I move it to Windows Server 2012 R2 and do the same steps, Windows fails to read the file because "the password entered is not correct". Please help: why can't I import the p12 on Windows Server 2012 R2?

(screenshot: Certificate Import Wizard)

UPDATE

The p12 file was converted from a jks file using keytool on Windows 10. I tried to re-convert it on Windows Server 2012, but it still cannot read the file because the password is incorrect (I'm pretty sure the password is entered correctly). Could you suggest how to convert a jks file to p12 with sha256withRSA correctly so that it works on Windows Server 2012 R2?

These commands ran successfully, but the import failed:

keytool -importkeystore -srckeystore e:\file.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore e:\file.p12 -sigalg RS256
keytool -importkeystore -srckeystore e:\file.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore e:\file.p12 -sigalg sha256withRSA

There are 2 answers

bartonjs On

The most likely reason is that your PFX is internally using new encryption options that were added in Windows 10.

If you run your PFX through an ASN.1 decoder (such as https://lapo.it/asn1js/, or the certutil -asn command) you want to see something like

C:\>certutil -asn sample.pfx
0000: 30 82 0e a9                               ; SEQUENCE (ea9 Bytes)
0004:    02 01                                  ; INTEGER (1 Bytes)
0006:    |  03
0007:    30 82 0e 65                            ; SEQUENCE (e65 Bytes)
000b:    |  06 09                               ; OBJECT_ID (9 Bytes)
000d:    |  |  2a 86 48 86 f7 0d 01 07  01
         |  |     ; 1.2.840.113549.1.7.1 PKCS 7 Data
0016:    |  a0 82 0e 56                         ; OPTIONAL[0] (e56 Bytes)
001a:    |     04 82 0e 52                      ; OCTET_STRING (e52 Bytes)
001e:    |        30 82 0e 4e                   ; SEQUENCE (e4e Bytes)
0022:    |           30 82 06 0f                ; SEQUENCE (60f Bytes)
0026:    |           |  06 09                   ; OBJECT_ID (9 Bytes)
0028:    |           |  |  2a 86 48 86 f7 0d 01 07  01
         |           |  |     ; 1.2.840.113549.1.7.1 PKCS 7 Data
0031:    |           |  a0 82 06 00             ; OPTIONAL[0] (600 Bytes)
0035:    |           |     04 82 05 fc          ; OCTET_STRING (5fc Bytes)
0039:    |           |        30 82 05 f8       ; SEQUENCE (5f8 Bytes)
003d:    |           |           30 82 05 f4    ; SEQUENCE (5f4 Bytes)
0041:    |           |              06 0b       ; OBJECT_ID (b Bytes)
0043:    |           |              |  2a 86 48 86 f7 0d 01 0c  0a 01 02
         |           |              |     ; 1.2.840.113549.1.12.10.1.2 szOID_PKCS_12_PKCS8ShroudedKeyBag
004e:    |           |              a0 82 04 fe ; OPTIONAL[0] (4fe Bytes)
0052:    |           |              |  30 82 04 fa      ; SEQUENCE (4fa Bytes)
0056:    |           |              |     30 1c ; SEQUENCE (1c Bytes)
0058:    |           |              |     |  06 0a      ; OBJECT_ID (a Bytes)
005a:    |           |              |     |  |  2a 86 48 86 f7 0d 01 0c  01 03
         |           |              |     |  |     ; 1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES
0064:    |           |              |     |  30 0e      ; SEQUENCE (e Bytes)
0066:    |           |              |     |     04 08   ; OCTET_STRING (8 Bytes)
(it keeps going)

That is, there's a 1.2.840.113549.1.12.10.1.2 (PKCS#12 PKCS8ShroudedKeyBag) which contains an item of 1.2.840.113549.1.12.1.3 (PKCS#12 pbeWithSHA1And3KeyTripleDES).

I'm guessing your PFX instead has a PKCS8ShroudedKeyBag which contains an item of 1.2.840.113549.1.5.13 (Password Based Encryption Scheme 2 / PBES2)... which is first supported on Windows 10.

Danut Radoaica On

If the installation with certmgr.msc fails, then the .p12 file probably cannot be imported into Windows 2012 using the built-in Windows 2012 tools. To check that: "For each of your PKCS #12 files, you could try the following: issue the command certutil -asn <file> | findstr /i "pb aes des sha" (replacing <file> with the name of the PKCS #12 file).

If the output starts like:

| | | | | ; 1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES

then it should be possible to import the PKCS #12 file into Windows 2016.

If the output starts like:

| | | | | ; 1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2
| | | | | | ; 1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2
| | | | | ; 2.16.840.1.101.3.4.1.42 aes256

or similar, then the PKCS #12 file probably cannot be imported into Windows 2016 using the built-in Windows 2016 tools. You will have to recreate the PKCS #12 file using TripleDES and SHA1." - see thread: https://learn.microsoft.com/en-us/answers/questions/518605/importing-a-pkcs12-to-windows-server-2016.html

You have to recreate the .p12 as in: https://kb.globalscape.com/Knowledgebase/11040/Converting-an-Incompatible-PKCS12-Format-File-to-a-Compatible-PKCS12
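Both answers come down to the same check: find which password-based encryption OID the .p12 carries in its key bag. The script below is an added example (mine, not code from the question or from either answer) that automates that check with only the Python standard library. It walks the DER structure, descends into the OCTET STRINGs that wrap PKCS#12's nested SafeContents (the nesting visible in the certutil dump above), and reports whether the shrouded key bag uses PBES2 or pbeWithSHA1And3KeyTripleDES. The sample keystores at the end are hand-constructed skeletons with placeholder salt and ciphertext, built from the OIDs quoted in the answers; they are not real keystores.

```python
"""Report which password-based encryption scheme a PKCS#12 (.p12/.pfx) file
uses, by walking its DER structure and collecting every OBJECT IDENTIFIER.

Added example, not code from the question or either answer. Standard library
only. The sample keystores at the bottom are constructed skeletons (no real
key material), assembled from the OIDs quoted in the answers.
"""
import sys

PBES2 = "1.2.840.113549.1.5.13"               # szOID_PKCS_5_PBES2
PBE_SHA1_3DES = "1.2.840.113549.1.12.1.3"     # szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES
SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
PKCS7_DATA = "1.2.840.113549.1.7.1"


def read_tlv(buf, pos):
    """Return (tag, header_length, content_length) of the DER element at pos."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in PKCS#12")
    length, hdr = buf[pos + 1], 2
    if length == 0x80:
        raise ValueError("indefinite length is not valid DER")
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, hdr, length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, value = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def looks_like_der(buf, start, end):
    """True when buf[start:end] is exactly one SEQUENCE, i.e. a nested
    ContentInfo/SafeContents rather than opaque ciphertext or a MAC digest."""
    if end - start < 2 or buf[start] != 0x30:
        return False
    try:
        _, hdr, length = read_tlv(buf, start)
    except (IndexError, ValueError):
        return False
    return start + hdr + length == end


def collect_oids(buf, start=0, end=None, out=None):
    """Depth-first walk over constructed elements and over OCTET STRINGs that
    themselves hold DER (PKCS#12 wraps its SafeContents that way)."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    pos = start
    while pos < end:
        tag, hdr, length = read_tlv(buf, pos)
        body, stop = pos + hdr, pos + hdr + length
        if stop > end:
            raise ValueError("element at offset %#x overruns its container" % pos)
        if tag == 0x06:
            out.append(decode_oid(buf[body:stop]))
        elif tag & 0x20 or (tag == 0x04 and looks_like_der(buf, body, stop)):
            collect_oids(buf, body, stop, out)
        pos = stop
    return out


def classify(pfx):
    """'pbes2' = PBES2/PBKDF2/AES (the newer scheme bartonjs describes);
    'legacy' = pbeWithSHA1And3KeyTripleDES; otherwise 'unknown'."""
    oids = set(collect_oids(pfx))
    if PBES2 in oids:
        return "pbes2"
    if PBE_SHA1_3DES in oids:
        return "legacy"
    return "unknown"


# --- minimal DER encoder, used only to construct the sample keystores ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        length = b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append((a & 0x7F) | 0x80)
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def sample_pfx(key_alg):
    """Constructed PFX skeleton with the nesting the certutil dump shows:
    ContentInfo(data) > OCTET STRING > AuthenticatedSafe > ContentInfo(data)
    > OCTET STRING > SafeContents > PKCS8ShroudedKeyBag. Placeholder ciphertext."""
    epki = der(0x30, key_alg + der(0x04, b"\x00" * 16))
    bag = der(0x30, oid(SHROUDED_KEY_BAG) + der(0xA0, epki))
    inner = der(0x30, oid(PKCS7_DATA) + der(0xA0, der(0x04, der(0x30, bag))))
    outer = der(0x30, oid(PKCS7_DATA) + der(0xA0, der(0x04, der(0x30, inner))))
    return der(0x30, der(0x02, b"\x03") + outer)


PBE_PARAMS = der(0x30, der(0x04, b"\x01" * 8) + der(0x02, b"\x08\x00"))  # placeholder salt, 2048 iterations
LEGACY_ALG = der(0x30, oid(PBE_SHA1_3DES) + PBE_PARAMS)
PBES2_ALG = der(0x30, oid(PBES2) + der(0x30,
    der(0x30, oid("1.2.840.113549.1.5.12") + PBE_PARAMS)                      # PBKDF2
    + der(0x30, oid("2.16.840.1.101.3.4.1.42") + der(0x04, b"\x02" * 16))))   # aes256-CBC + placeholder IV

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        print(classify(f.read()))
```

Run it as `python pfxcheck.py file.p12` (both names assumed). A result of `pbes2` is the case bartonjs describes, and the fix is the one the second answer gives: recreate the file with TripleDES and SHA1. With OpenSSL that is `openssl pkcs12 -export ... -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`; those are standard OpenSSL options, not something either answer spells out.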