Password incorrect error when importing a PKCS#12 generated by RSA Certificate Manager on Microsoft Internet Explorer
2 years ago
Originally Published: 2010-10-07
Article Number
000044566
Applies To
RSA Product Set: Certificate Manager
RSA Version/Condition: 6.7
Platform: Microsoft Windows 2003 Server
Platform (Other): Microsoft Internet Explorer
Issue
Password incorrect error when importing a PKCS#12 on Microsoft Internet Explorer

Attempting to import a PKCS#12 (containing a certificate and the corresponding private key) with the correct password shows the following error in Microsoft Internet Explorer:
Certificate Import Wizard
The password you entered is incorrect.
[OK]
Cause
The 'Export to PKCS#12' option in the CA Operations Workbench of RSA Certificate Manager creates a PEM-formatted PKCS#12 with a header and a footer that look like the following:
-----BEGIN CERTIFICATE AND KEY-----
MIIJQgIBAzCCCPwGCSqGSIb3DQEHAaDDDO0EggjpMGGG5TcccOEGCSqGSIb3DQHE
BaCCCNIEggjOMIIIyjCCBTYGCyqGSIb34444CgECoIIE7TCCBOkwGwYKKoZIhvNc
QAwBAzANBAhQKeJPs5nU6gIBAQSCBMitmGLFyeU3EXTJ8W86fBFOhQ/J8rsH0V5S
.....
.....
-----END CERTIFICATE AND KEY-----

A PEM-formatted PKCS#12 with header/footer fails to import into Microsoft Internet Explorer. Internet Explorer accepts a DER-encoded PKCS#12 object for import.
Resolution
Follow the steps below (requires the openssl tool) to convert the PEM-formatted PKCS#12 into a DER-encoded file, and then import it into Internet Explorer (see the Notes section below):
  1. Remove the header and footer (that look like the following) from the PEM-formatted PKCS#12 and save the result to a file (for example "myp12.pfx"):
    -----BEGIN CERTIFICATE AND KEY-----
    -----END CERTIFICATE AND KEY-----
  2. Run the following openssl command to convert the PEM-formatted PKCS#12 into a DER-encoded file:
    openssl base64 -d -a -in myp12.pfx -out myp12inDER.pfx
  3. Now import myp12inDER.pfx into Internet Explorer, which should succeed.
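
The following Python sketch is an added example, not part of the original article or of RSA Certificate Manager. It performs steps 1 and 2 in one pass and checks that the decoded bytes have the outer framing of a PKCS#12 container (a DER SEQUENCE whose first element is the version INTEGER 3) before anything is imported. The function names are hypothetical.

```python
import base64
import re

# Header/footer exactly as shown in the Cause section of this article.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE AND KEY-----(.*?)-----END CERTIFICATE AND KEY-----",
    re.DOTALL,
)


def pem_p12_to_der(pem_bytes: bytes) -> bytes:
    """Strip the header/footer and base64-decode the body (steps 1 and 2)."""
    match = PEM_RE.search(pem_bytes)
    if match is None:
        raise ValueError("BEGIN/END CERTIFICATE AND KEY markers not found")
    body = b"".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def looks_like_pfx(der: bytes) -> bool:
    """Check the outer framing of a PKCS#12 PFX: SEQUENCE { INTEGER 3, ... }."""
    if len(der) < 5 or der[0] != 0x30:  # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        length, offset = first, 2
    else:  # long form: the next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):  # truncated file or trailing data
        return False
    return der[offset:offset + 3] == b"\x02\x01\x03"  # PFX version is 3


def convert_file(src: str, dst: str) -> None:
    """src is the exported PEM file, dst the DER .pfx to import."""
    with open(src, "rb") as f:
        der = pem_p12_to_der(f.read())
    if not looks_like_pfx(der):
        raise ValueError("decoded data is not a well-formed PKCS#12 container")
    with open(dst, "wb") as f:
        f.write(der)
```

The sample body shown in the Cause section begins with `MIIJQgIBAz`, which decodes to the bytes 30 82 09 42 02 01 03, the same SEQUENCE and version prefix this check looks for.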
Notes
IMPORTANT: Exporting a CA PKCS#12 and then importing it into a browser is acceptable in test environments for testing purposes, but it should not be done for production CAs, because an exported/imported CA could result in a potential compromise of the CA private key.

The PKCS#12 was generated in the RSA Certificate Manager Admin Interface -> CA Operations Workbench -> View a software-based CA -> click the 'Export to PKCS#12' button and provide a password to protect the PKCS#12.