Error importing PFX files to older servers


I came across a problem where I needed to import a PFX file to Server 2012 servers. The certificate was generated on a newer server and the PFX was exported from there, which was all good, but then I tried to import it like this:


I then got the error:

The password entered was correct, but Windows was adamant it was incorrect. That sounds like an encryption mismatch to me, as AES256 is not fully supported on older versions of Windows. This is interesting, because on the newer version you can export as AES256 or TripleDES-SHA1, as below:



This means that on the newer OS you need to save the PFX to a folder; in this instance I called it "newcert.pfx". These are the commands I ran:

openssl pkcs12 -in newcert.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in newcert.pfx -nokeys -out cert.pem

This will leave you with two files, key.pem and cert.pem, in the folder (key.pem holds the private key unencrypted, because of -nodes). The next step is to rebuild the PFX with the legacy encryption methodologies.

Legacy is defined as:

In the legacy mode, the default algorithm for certificate encryption is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled in the build. The default algorithm for private key encryption is 3DES_CBC. If the legacy option is not specified, then the legacy provider is not loaded and the default encryption algorithm for both certificates and private keys is AES_256_CBC with PBKDF2 for key derivation.

openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -inkey key.pem -in cert.pem -out importme.pfx

This will then produce a file called "importme.pfx" that you can then successfully import into Windows Server 2012.
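
To confirm which encryption a PFX uses before copying it to the older server, the text printed by `openssl pkcs12 -info` can be classified. The script below is an added example, not part of the original post: `classify_pbe`, `check_pfx`, the verdict strings and the `PFX_PASS` variable are names chosen here, and the sample output lines are constructed.

```shell
#!/bin/sh
# Added example: report which encryption a PFX uses, from the text that
# `openssl pkcs12 -info` prints. Function names and verdicts are made up here.

# Reads `openssl pkcs12 -info -noout` output on stdin, prints one verdict:
#   legacy-3des   every encrypted bag uses PBE-SHA1-3DES
#   modern-pbes2  at least one bag uses PBES2 (e.g. AES-256-CBC with PBKDF2)
#   other         encrypted bags found, but with some other scheme
#   unknown       no encrypted bags listed (wrong password, not a PFX, ...)
classify_pbe() {
    awk '
        /^PKCS7 Encrypted data:/ || /^Shrouded Keybag:/ {
            bags++
            if ($0 ~ /PBES2/) { pbes2++ }
            else if ($0 ~ /pbeWithSHA1And3-KeyTripleDES-CBC/) { tdes++ }
        }
        END {
            if (bags == 0) { print "unknown" }
            else if (pbes2 > 0) { print "modern-pbes2" }
            else if (tdes == bags) { print "legacy-3des" }
            else { print "other" }
        }'
}

# Inspect a real file. The password is taken from the PFX_PASS environment
# variable (an assumption of this example) so it stays off the command line.
check_pfx() {
    openssl pkcs12 -in "$1" -info -noout -passin env:PFX_PASS 2>&1 | classify_pbe
}

# Constructed samples of the -info output for an AES256 and a 3DES file.
sample_modern() {
    printf '%s\n' \
        'MAC: sha256, Iteration 2048' \
        'PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256' \
        'Certificate bag' \
        'PKCS7 Data' \
        'Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
}
sample_legacy() {
    printf '%s\n' \
        'PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048' \
        'Certificate bag' \
        'PKCS7 Data' \
        'Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'
}
```

With the password exported in `PFX_PASS`, `check_pfx importme.pfx` should print `legacy-3des` for the file produced by the export command above, and `modern-pbes2` for a PFX that was exported as AES256.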
