
I have a functioning wildcard certificate running on a Barracuda Load Balancer. From what I understand I can use that same certificate on other servers / appliances. The certificate is listed as exportable and, once I provide a password, I get a PKCS #12 file.

When I try to import that into IIS 10 (Certificates > Import Wizard), I just get the error

The specified network password is not correct.

I read that this can be a result of using a weak password. I tried a couple of long and complex passwords but I end up with the same error.

I contacted Barracuda to see what they could do and they took my cert and password and converted it for me into another format containing "-----BEGIN PRIVATE KEY-----" and "-----BEGIN CERTIFICATE-----" sections. I don't know how that file was created exactly. When I import that I get the message that the

Certificate does not contain a private key

I read that this can be because of previous failed import attempts which was certainly the case for me. I needed to repair the cert. That ends in failure as well with an error from certutil

No key provider information
Cannot find the certificate and private key for decryption.

When I import the cert to the Personal Store and open it I do not see a message to tell me there is a private key associated which might explain previous error messages.

```
openssl pkcs12 -in c:\users\matt\Downloads\Wild.p12 -nocerts -out c:\temp\test\wild.key
openssl pkcs12 -in c:\users\matt\Downloads\Wild.p12 -clcerts -nokeys -out c:\temp\test\wild.crt
```

With a pair of valid files I tried to import again, but that did not help.


I'm not sure what I need to do to get my PKCS #12 from my Load Balancer to successfully import into an IIS 10 instance.

Matt
  • The only thing that comes to my mind is a password issue. Make sure the keyboard layout is correct. Alternatively, try to import the PFX directly by double-clicking on the file. The rest of the message, starting with the line where you contacted Barracuda, is incorrect and irrelevant. BTW, how is the PKCS#12 file encoded? Is it in base64/PEM or pure binary format? What do you see when you open the PFX in Notepad? – Crypt32 Jan 23 '19 at 16:01
  • If the problem is related to the password that is protecting the PKCS#12 file, I would not think it would say "the specified NETWORK password is incorrect". So think about what network password might be involved. Credentials for running IIS? Credentials for storing the certificate in a Central Certificate Store? – Doug Deden Jan 23 '19 at 16:05
  • @Crypt32 _incorrect and irrelevant._ Only true once I know what the issue is. Right now I would rather provide more information than less. _how PKCS#12 file is encoded_ I am not super with that to be able to tell you. It appears encoded as it is not in a format like a .crt which is more human readable. I managed to make this work by taking wild.key and wild.crt and converting it to a pfx. Once that was done I got it to import in IIS just fine. I likely went a long route and am still testing to be sure what I did works. – Matt Jan 23 '19 at 16:06
  • @DougDeden I think the password being incorrect is misleading. I think the root of my issue is making sure my private key is part of what I try to import. Does not _appear_ to be a permissions issue outside of that. [It's my first day.](https://www.youtube.com/watch?v=9ZlOhSt_qW0) – Matt Jan 23 '19 at 16:09
  • When you open your original PFX in Notepad, what do you see? Can you provide just the first line? – Crypt32 Jan 23 '19 at 16:12
  • @Crypt32 `3082 1201 0201 0330 8211 b706 092a 8648` – Matt Jan 23 '19 at 16:13
  • Is it in Notepad? – Crypt32 Jan 23 '19 at 16:13
  • That was from SublimeText. Notepad starts out like this 0‚0‚· There are boxes in there that are being stripped out by SF – Matt Jan 23 '19 at 16:14
  • Looks like the PFX is formatted properly (pure binary copy). Then it is just about the password. – Crypt32 Jan 23 '19 at 16:22
  • If I had the wrong password I should not have been able to convert the p12 to a crt/key, correct? The way I got this to work was to convert it to crt/key and then to a pfx. Once I did that the import worked. – Matt Jan 23 '19 at 16:24
  • If you found how to get it working, post your own answer and accept it. – Lex Li Jan 23 '19 at 17:57
  • @LexLi I am fine with self answering however I feel my solution might be a workaround and I cannot provide enough context on the issue to make it meaningful. Some people might not answer if there already is one. – Matt Jan 23 '19 at 19:00

1 Answer

I had the same problem. The root cause was an encryption algorithm unsupported by IIS (AES-SHA256?) that was used to export the certificate with the private key. After changing it to another one, the import process in IIS worked like a charm.

mozgow
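
Following the answer's point that the algorithm used for the export can be the cause, this added Python example (not from the thread or from any vendor tool) checks a PKCS #12 file's DER header, using the first bytes Matt posted, and lists the password-based-encryption OIDs present in the file. The function names and the second sample are constructed for illustration, and the byte scan is a heuristic, not a full ASN.1 parse.

```python
# Added example: heuristic PKCS #12 inspection, not code from the original thread.
# Known algorithm OIDs as DER bytes (tag 0x06, length, value).
PBE_OIDS = {
    bytes.fromhex("060a2a864886f70d010c0103"): "pbeWithSHAAnd3-KeyTripleDES-CBC",
    bytes.fromhex("060a2a864886f70d010c0106"): "pbeWithSHAAnd40BitRC2-CBC",
    bytes.fromhex("06092a864886f70d01050d"): "PBES2",
    bytes.fromhex("060960864801650304012a"): "aes256-CBC",
    bytes.fromhex("06082a864886f70d0209"): "hmacWithSHA256",
}

def read_tlv(buf, pos):
    """Return (tag, length, value_offset) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def inspect_pfx(data):
    """Validate the PFX header and list the encryption schemes named in the file."""
    tag, length, off = read_tlv(data, 0)
    if tag != 0x30:                       # outer element must be a SEQUENCE
        raise ValueError("not binary DER; the file may be base64/PEM text")
    vtag, vlen, voff = read_tlv(data, off)
    version = int.from_bytes(data[voff:voff + vlen], "big") if vtag == 0x02 else None
    # Algorithm identifiers sit outside the encrypted payloads, so the scan
    # needs no password.
    schemes = sorted(name for oid, name in PBE_OIDS.items() if oid in data)
    return {"declared_len": length, "version": version, "schemes": schemes}

# First 16 bytes of the file, as posted in the comments above.
POSTED_HEADER = bytes.fromhex("3082120102010330821" "1b706092a8648")

# Constructed fragment (not a valid PFX): header plus PBES2/AES-256/HMAC-SHA256 OIDs.
CONSTRUCTED_AES = (POSTED_HEADER[:8]
                   + bytes.fromhex("06092a864886f70d01050d")
                   + bytes.fromhex("060960864801650304012a")
                   + bytes.fromhex("06082a864886f70d0209"))

if __name__ == "__main__":
    print(inspect_pfx(POSTED_HEADER))     # header only, so no schemes are listed
    print(inspect_pfx(CONSTRUCTED_AES))
```

On a real file, `openssl pkcs12 -in <file> -info -noout` reports the same algorithms once the password is supplied.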