000011896 - Password incorrect error when importing a PKCS#12 generated by RSA Certificate Manager on Microsoft Internet Explorer

Document created by RSA Customer Support Employee on Jun 9, 2017
Version 1

Article Content

Article Number: 000011896
Applies To:
RSA Product Set: Certificate Manager
RSA Version/Condition: 6.7
Platform: Microsoft Windows 2003 Server
Platform (Other): Microsoft Internet Explorer
Issue: Password incorrect error when importing a PKCS#12 on Microsoft Internet Explorer
Attempting to import a PKCS#12 (containing a certificate and the corresponding private key) with the correct password shows the following error in Microsoft Internet Explorer:
Certificate Import Wizard
The password you entered is incorrect.
[OK]
Cause: The CA Operations Workbench option 'Export to PKCS#12' in RSA Certificate Manager creates a PEM-formatted PKCS#12 with a header and a footer that look like the following:
-----BEGIN CERTIFICATE AND KEY-----
MIIJQgIBAzCCCPwGCSqGSIb3DQEHAaDDDO0EggjpMGGG5TcccOEGCSqGSIb3DQHE
BaCCCNIEggjOMIIIyjCCBTYGCyqGSIb34444CgECoIIE7TCCBOkwGwYKKoZIhvNc
QAwBAzANBAhQKeJPs5nU6gIBAQSCBMitmGLFyeU3EXTJ8W86fBFOhQ/J8rsH0V5S
.....
.....
-----END CERTIFICATE AND KEY-----

A PEM-formatted PKCS#12 with header/footer fails to import into Microsoft Internet Explorer. Internet Explorer accepts a DER-encoded PKCS#12 object for import.
Resolution: Follow the steps below (requires the openssl tool) to convert the PEM-formatted PKCS#12 into DER encoding, and then import it into Internet Explorer (see the Notes section below):
  1. Remove the header and footer (that look like the following) from the PEM-formatted PKCS#12 and save it to a file (for example "myp12.pfx"):
    -----BEGIN CERTIFICATE AND KEY-----
    -----END CERTIFICATE AND KEY-----

  2. Run the following openssl command to convert the PEM-formatted PKCS#12 into a DER-encoded file:
    openssl base64 -d -a -in myp12.pfx -out myp12inDER.pfx

  3. Now import myp12inDER.pfx into Internet Explorer, which should succeed.
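
Steps 1 and 2 can also be done in one pass with a structural check before the import is attempted. The following is an added example, not RSA code: the function names are assumptions and the sample input is a constructed stand-in rather than a real PKCS#12. It checks for the DER header that the article's sample also begins with ("MIIJQgIBAz" decodes to 30 82 09 42 02 01 03, a SEQUENCE followed by the PFX version INTEGER 3).

```python
import base64
import re

# Matches armor lines such as "-----BEGIN CERTIFICATE AND KEY-----".
ARMOR = re.compile(rb"-----(?:BEGIN|END) [^-\r\n]+-----")

def der_length(der):
    """Return (content_length, header_size) of the outer DER element."""
    if len(der) < 2:
        raise ValueError("too short to be DER")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return first, 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(der[2:2 + n], "big"), 2 + n

def check_pfx_header(der):
    """Check for PFX ::= SEQUENCE { version INTEGER (3), ... } (RFC 7292)."""
    if not der or der[0] != 0x30:
        raise ValueError("not DER: outer SEQUENCE tag 0x30 missing")
    length, header = der_length(der)
    if header + length != len(der):
        raise ValueError("DER length does not match file size")
    if der[header:header + 3] != b"\x02\x01\x03":
        raise ValueError("PFX version field is not INTEGER 3")

def pem_p12_to_der(pem):
    """Steps 1 and 2: drop header/footer, base64-decode, then sanity-check."""
    body = b"".join(ARMOR.sub(b"", pem).split())   # strip armor and whitespace
    der = base64.b64decode(body, validate=True)    # rejects stray characters
    check_pfx_header(der)
    return der

# Constructed stand-in (not a real PKCS#12): SEQUENCE { INTEGER 3, OCTET STRING }.
SAMPLE_DER = b"\x30\x81\xce\x02\x01\x03\x04\x81\xc8" + bytes(200)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE AND KEY-----\r\n"
              + base64.encodebytes(SAMPLE_DER).replace(b"\n", b"\r\n")
              + b"-----END CERTIFICATE AND KEY-----\r\n")

if __name__ == "__main__":
    out = pem_p12_to_der(SAMPLE_PEM)
    print(len(out), "bytes of DER, first bytes:", out[:6].hex())
```

Running check_pfx_header on a file that still carries the header/footer, or that was stripped but not base64-decoded, raises ValueError because its first byte is not 0x30.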
Notes: IMPORTANT: While it is acceptable in test environments, for testing purposes, to export a CA PKCS#12 and then import it into a browser, this should not be done for production CAs, as an exported/imported CA could result in a potential compromise of the CA private key.
The PKCS#12 was generated from the RSA Certificate Manager Admin Interface -> CA Operations Workbench -> View a software-based CA -> click the 'Export to PKCS#12' button and provide a password to protect the PKCS#12.
Legacy Article ID: a52512
