
Import pfx to IIS Windows server 2016 - The specified network password is not correct

I am using openssl to convert the cert bought from GoDaddy for use with IIS on Windows 2016. The command I used to convert is the following; I press Enter for no password. I also tried entering a simple and a complex password, and still got the same error.

openssl pkcs12 -export -out website.pfx -inkey private.key -in a01f36fe692456.crt -certfile gd_bundle-g2-g1.crt

It fails with "The specified network password is not correct" when importing to IIS on Windows Server 2016. To troubleshoot, I tried the same import, and it can be imported to Windows Server 2019. I am wondering how to generate a pfx file for Windows 2016, IIS v10? Thanks

jfordec H asked Nov 18 '25 22:11


2 Answers

I've got it working with IIS using openssl to create the file. It works if you import to your local user certificate store and then export it. I compared the exported pfx file to the openssl pfx file using

openssl pkcs12 -in website.pfx -info

The MAC is sha256 on the openssl version, compared to SHA1 on the export version, so I added -macalg SHA1 to the openssl command.

The PKCS7 Data for the private key is PBES2, PBKDF2, AES-256-CBC on the openssl version, compared to pbeWithSHA1And3-KeyTripleDES-CBC on the export version, so I added -keypbe PBE-SHA1-3DES to the openssl command.

The same goes for the PKCS7 Encrypted data for the certificates, so I added -certpbe PBE-SHA1-3DES to the openssl command as well.

The final command I ran to get a successful file that will import to IIS is

openssl pkcs12 -macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out website.pfx -inkey private.key -in a01f36fe692456.crt -certfile gd_bundle-g2-g1.crt

Philip Argent answered Nov 21 '25 18:11


In my case it was the crypto algorithm of the PFX file itself. Windows tells us that the password won't work because it doesn't use the right algorithm.

You just add the -legacy option to openssl to make it use the previous algorithm.

openssl pkcs12 -export -legacy -out website.pfx ...

I found the solution in the openssl-pkcs12 documentation.

Peter Perron answered Nov 21 '25 17:11
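
The comparison the first answer made by eye can be scripted. The following is an added example, not part of either answer: a hypothetical helper, `pfx_profile_check`, reads the `openssl pkcs12 -info` summary and reports every algorithm that differs from the SHA1/3DES profile that answer found to import. The two sample summaries are constructed.

```shell
#!/bin/sh
# Added example: compare a PFX's protection algorithms with the profile
# that imported successfully in the first answer (SHA1 MAC, 3DES bags).
# Real use:  openssl pkcs12 -in website.pfx -info -noout 2>&1 | pfx_profile_check
# (2>&1 makes the summary reach the pipe whichever stream openssl writes it to).

WANT_MAC="sha1"
WANT_PBE="pbeWithSHA1And3-KeyTripleDES-CBC"

# pfx_profile_check (hypothetical helper): reads the -info text on stdin,
# prints one line per mismatch, returns 0 only when everything matches.
pfx_profile_check() {
    awk -v mac="$WANT_MAC" -v pbe="$WANT_PBE" '
        BEGIN { bad = 0 }
        /^MAC: / {
            seen_mac = 1
            alg = $2; sub(/,$/, "", alg)
            if (tolower(alg) != mac) { print "MAC uses " alg ", profile wants " mac; bad = 1 }
        }
        /^(PKCS7 Encrypted data|Shrouded Keybag): / {
            seen_bag = 1
            what = $0; sub(/: .*/, "", what)            # which bag this line describes
            alg = $0; sub(/^[^:]*: /, "", alg); sub(/, Iteration.*/, "", alg)
            if (alg != pbe) { print what " uses " alg ", profile wants " pbe; bad = 1 }
        }
        END {
            # Input with no recognisable summary must not pass as compatible.
            if (!seen_mac || !seen_bag) { print "no MAC or bag lines found in input"; bad = 1 }
            exit bad
        }'
}

# Constructed samples of the -info summary (not captured from a real file).
SAMPLE_DEFAULT='MAC: sha256, Iteration 2048
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
SAMPLE_COMPAT='MAC: sha1, Iteration 2048
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

printf '%s\n' "$SAMPLE_DEFAULT" | pfx_profile_check || echo "-> re-export with the first answer's options"
printf '%s\n' "$SAMPLE_COMPAT" | pfx_profile_check && echo "-> matches the profile that imported"
```

A file written with SHA1 and 3DES protects the private key less strongly than the AES-256 default, so use a strong export password and remove the PFX once the certificate is installed.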


