Exporting a Certificate to PFX for Use on Older Windows Servers

When importing a PFX file to a server, you may encounter an issue where the server does not accept the password you chose for the PFX. This problem can be caused by protecting the PFX with an encryption algorithm that is newer than the server supports. However, there is a solution.

Signs of the Problem

When importing a certificate from a PFX created in SSLmarket with your own password, the target system rejects the password as invalid even though it is the one you entered. This occurs if the PFX was protected with an encryption scheme that older systems do not fully support.

Cause of the Problem

The compatibility problem of PFX files on older Windows Server systems is caused by using newer encryption algorithms for the password-based encryption when exporting a certificate to PFX. Newer versions of tools and libraries for working with certificates, such as OpenSSL, may use AES-256 by default for encrypting PFX files. However, older Windows Server systems may not support decryption with AES-256 and expect 3DES (Triple DES), which was the standard at the time these systems were released.

You Can Easily Solve the Problem by Using 3DES in PFX

To ensure compatibility of PFX files with these older systems, you need to explicitly choose 3DES encryption when exporting the certificate. This ensures that the password-based encryption of the PFX is compatible with older Windows Server systems (3DES instead of AES-256).
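The export described above, as an added example that is not from this article or from SSLmarket: an OpenSSL command line that writes a 3DES-encrypted PFX (with a SHA-1 MAC, which those older servers also expect) and then inspects the file to confirm which algorithm it actually uses. It assumes an openssl binary (1.1.1 or 3.x) is installed; the key and certificate are a constructed, throwaway self-signed pair and the password is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): export a key and certificate to a
# PFX that older Windows Server versions can open, and verify the result.
# Assumes an "openssl" binary (1.1.1 or 3.x). The key/certificate are a
# constructed, throwaway self-signed pair; the password is a placeholder.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: throwaway RSA key and self-signed certificate.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=pfx-compat-test.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Export with the legacy algorithms older Windows expects: 3DES for both the
# key bag and the certificate bag, and a SHA-1 MAC. OpenSSL 3 otherwise
# defaults to AES-256-CBC with a SHA-256 MAC, which those servers reject
# as a wrong password. $1 is the PFX password.
export_pfx_3des() {
    openssl pkcs12 -export \
        -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$1" -out "$WORK/server.pfx"
}

# Inspect the PFX and report its password-based encryption: prints "3des"
# when 3DES is used and no AES bag is present, otherwise "other".
# $1 is the PFX password. (openssl prints the -info lines on stderr.)
pfx_cipher() {
    info=$(openssl pkcs12 -in "$WORK/server.pfx" -info -noout -passin "pass:$1" 2>&1)
    if echo "$info" | grep -q "TripleDES" && ! echo "$info" | grep -q "AES"; then
        echo 3des
    else
        echo other
    fi
}

PFX_PASSWORD="Demo-PFX-Passw0rd"   # placeholder: use your own password
make_test_material
export_pfx_3des "$PFX_PASSWORD"
echo "server.pfx encryption: $(pfx_cipher "$PFX_PASSWORD")"
```

Run it with your real key.pem and cert.pem in place of the test material; the resulting server.pfx can then be imported with the same password on the older server.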

If you are installing the certificate from PFX on Linux or a newer version of Windows Server (2016 and newer), you do not need to switch to 3DES.