Published on 21.07.2025

Client side p12 certificates

Allegedly incorrect password on import

First of all: this is the english version of the Draeger Florix certificate article, because the underlying problem may also affect English-speaking users in the context of other software.

I had PKCS#12 certificate that some users (primarily on macOS, but also on one Windows user) couldn't import because it was supposedly the incorrect (but correct) password.

The reason is that the cryptographic algorithms used for generation are not compatible with the respective client. In all cases presented to me, the solution was the conversion/regeneration using the openssl -legacy flag:

Thanks to Bertrand Martin, who described the use of the Java keystore for converting the p12 certificates in two excellent Stack Overflow posts¹ as well as the use of the Legacy option² , which is summarized in the following one-liner:

keytool -J-Dkeystore.pkcs12.legacy -importkeystore -srckeystore ORIGINALCERTFILE.p12 -srcstoretype PKCS12 -srcstorepass:file FILEWITHPASSWORD.txt -destkeystore OUTPUTCERTFILE.p12 -deststoretype PKCS12 -deststorepass:file FILEWITHPASSWORD.txt -destkeypass:file FILEWITHPASSWORD.txt

  1. Bertrand Martin's Stack Overflow post regarding conversion using the Java keystore (originally for changing the password, but we are using it here for conversion).
  2. Bertrand Martin's (self-answered) Stack Overflow post regarding the use of the openssl legacy flag in the Java keystore.