If you’ve ever tried to import a .pfx or .p12 certificate onto a Cisco IOS-XE platform like the Catalyst 8200 and been met with the dreaded PKCS #12 import failed message, you’re not alone. The error output is unhelpfully vague — typically just “Unknown reason” — but the fix is straightforward once you understand what IOS-XE expects.

This guide walks through diagnosing and resolving the two most common causes of PKCS12 import failure on IOS-XE: incompatible ciphers and missing CA chains.

The Problem

You have a .pfx or .p12 file — maybe exported from another device, maybe provided by your certificate authority or ISP — and you run the import:

crypto pki import MY-TRUSTPOINT pkcs12 bootflash:mycert.p12 password mypassword

IOS-XE briefly creates the trustpoint and imports the key, then immediately deletes everything:

%PKI-6-TRUSTPOINT_CREATE: Trustpoint: MY-TRUSTPOINT created succesfully
%CRYPTO_ENGINE-5-KEY_ADDITION: A key named MY-TRUSTPOINT has been generated or imported
%CRYPTO_ENGINE-5-KEY_DELETED: A key named MY-TRUSTPOINT has been removed from key storage
%PKI-6-TRUSTPOINT_DELETE: Trustpoint: MY-TRUSTPOINT deleted succesfully
CRYPTO_PKI: status = 65535: Imported PKCS12 file failure
%PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: MY-TRUSTPOINT. Reason: Unknown reason

Not helpful. Let’s fix it.

Step 1: Inspect the PFX

First, get the PFX onto a Linux box (or WSL) and take a look at what’s inside. You’ll need OpenSSL installed.

Check the cipher and contents:

openssl pkcs12 -in mycert.p12 -info -nokeys

You’re looking for two things in the output:

Ciphers used — you want to see pbeWithSHA1And3-KeyTripleDES-CBC. If you see AES-256-CBC or other modern ciphers, IOS-XE won’t accept it. Newer versions of OpenSSL (3.x+) default to these stronger ciphers when exporting, which is great for security but breaks compatibility with IOS-XE.

CA certificates — you should see both your identity certificate and at least one CA/intermediate certificate in the output. If you only see a single certificate (your identity cert), the chain is incomplete and IOS-XE will reject the import.

Step 2: Extract the Components

Pull the certificate, private key, and any existing CA certs out of the PFX:

# Extract the identity certificate
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out cert.pem

# Extract the private key
openssl pkcs12 -in mycert.p12 -nocerts -nodes -out key.pem

On OpenSSL 3.x you may need to add the -legacy flag to read older PFX files (it loads the legacy provider that still supports the ciphers those files were encrypted with):

openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out cert.pem -legacy
openssl pkcs12 -in mycert.p12 -nocerts -nodes -out key.pem -legacy

Step 3: Get the Intermediate CA Certificate

If your PFX was missing the CA chain, you’ll need to obtain the intermediate certificate from your CA. For example, if your cert was issued by DigiCert:

wget https://cacerts.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem

Check the issuer field in your certificate to determine which intermediate you need:

openssl x509 -in cert.pem -noout -issuer

Then download the appropriate intermediate from your CA’s repository.

Step 4: Rebuild the PFX

This is the key step. Rebuild the PKCS12 file with IOS-XE compatible ciphers and the full certificate chain:

openssl pkcs12 -export \
  -in cert.pem \
  -inkey key.pem \
  -certfile intermediate-ca.pem \
  -out mycert-iosxe.p12 \
  -descert \
  -certpbe PBE-SHA1-3DES \
  -keypbe PBE-SHA1-3DES \
  -macalg SHA1

Breaking down the important flags:

  • -certfile includes the intermediate CA certificate in the bundle
  • -descert uses 3DES to encrypt the certificate portion
  • -certpbe PBE-SHA1-3DES sets the certificate encryption algorithm
  • -keypbe PBE-SHA1-3DES sets the private key encryption algorithm
  • -macalg SHA1 sets the MAC algorithm to SHA1

These settings produce a PFX that IOS-XE will happily accept.
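The following script is an added example, not code from the original post. It turns Step 1 (inspect the PFX and decide whether IOS-XE will accept it) and Step 4 (rebuild it with SHA1/3DES bags and the CA chain) into shell functions, and then runs them against a PFX it constructs itself: a throwaway CA, a leaf certificate it signs, and a PFX holding only the leaf with AES-256 bags, which is exactly the shape that triggers the rollback shown at the top of the post. It assumes only that openssl is on the PATH; the names, subjects and password are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Automates Step 1 (inspect the
# PFX and decide whether IOS-XE will take it) and Step 4 (rebuild it with
# SHA1/3DES bags and the CA chain). Assumes "openssl" is on the PATH; the
# certificate, key, CA and password used by the demo are constructed here.
set -eu

DEMO_PASS="constructed-demo-password"   # constructed, not a real secret

# Algorithm lines from "openssl pkcs12 -info" ($1 = pfx, $2 = password).
# OpenSSL writes the -info summary to stderr, so both streams are merged.
pfx_algorithms() {
  openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1 \
    | grep -E 'Keybag|Encrypted data|^MAC' || true
}

# Number of certificates (identity plus CA/intermediates) in the PFX.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Returns 0 when every encrypted bag uses pbeWithSHA1And3-KeyTripleDES-CBC,
# the MAC is SHA1 and more than one certificate is present; otherwise prints
# the reason(s) the import would be rolled back and returns 1.
pfx_iosxe_ready() {
  local algs rc=0
  algs=$(pfx_algorithms "$1" "$2")
  if echo "$algs" | grep -E 'Keybag|Encrypted data' \
       | grep -qv 'pbeWithSHA1And3-KeyTripleDES-CBC'; then
    echo "cipher: a bag is not pbeWithSHA1And3-KeyTripleDES-CBC"; rc=1
  fi
  if ! echo "$algs" | grep '^MAC' | grep -qi 'sha1'; then
    echo "mac: MAC algorithm is not SHA1"; rc=1
  fi
  if [ "$(pfx_cert_count "$1" "$2")" -lt 2 ]; then
    echo "chain: only the identity certificate is present, CA chain missing"; rc=1
  fi
  return $rc
}

# Step 4 as a function: $1 = source pfx, $2 = password, $3 = intermediate CA
# PEM to add, $4 = output pfx. Falls back to -legacy for RC2-era PFX files.
pfx_rebuild_for_iosxe() {
  local work; work=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$work/bundle.pem" 2>/dev/null \
    || openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$work/bundle.pem" -legacy
  openssl pkcs12 -export -in "$work/bundle.pem" -certfile "$3" \
    -out "$4" -passout "pass:$2" \
    -descert -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
  rm -rf "$work"
}

# Constructed demo material: a throwaway CA, a leaf it signs, and a PFX that
# carries only the leaf, encrypted with AES-256 (what OpenSSL 3.x emits by default).
make_demo_pfx() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
    -subj "/CN=Demo Intermediate CA" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=cube.example.test" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 1 2>/dev/null
  openssl pkcs12 -export -in "$d/leaf.pem" -inkey "$d/leaf.key" -out "$d/modern.p12" \
    -passout "pass:$DEMO_PASS" -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256
}

main() {
  local d; d=$(mktemp -d)
  make_demo_pfx "$d"
  echo "== modern.p12 (as exported)"
  pfx_iosxe_ready "$d/modern.p12" "$DEMO_PASS" || true
  pfx_rebuild_for_iosxe "$d/modern.p12" "$DEMO_PASS" "$d/ca.pem" "$d/fixed.p12"
  echo "== fixed.p12 (rebuilt)"
  pfx_algorithms "$d/fixed.p12" "$DEMO_PASS"
  if pfx_iosxe_ready "$d/fixed.p12" "$DEMO_PASS"; then
    echo "ready: copy fixed.p12 to bootflash and run crypto pki import ... pkcs12"
  fi
  rm -rf "$d"
}

# Run the demo only when openssl is available (the functions stay sourceable otherwise).
if command -v openssl >/dev/null 2>&1; then main; fi
```

Against a real file, call pfx_iosxe_ready on the PFX you were given, and pfx_rebuild_for_iosxe with the intermediate you downloaded in Step 3. The check encodes the two causes the post identifies (non-3DES bags, single certificate) plus the SHA1 MAC the export command sets, so it reports all failing conditions at once instead of one rollback at a time. Bear in mind that SHA1/3DES password-based encryption is a compatibility setting, not meaningful protection: treat the rebuilt .p12 like the unencrypted temp.pem and remove it from your workstation and from bootflash once the import has succeeded.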

Step 5: Import on IOS-XE

Copy the rebuilt PFX to your device’s bootflash (via SCP, TFTP, USB — whatever you have available) and import:

crypto pki import MY-TRUSTPOINT pkcs12 bootflash:mycert-iosxe.p12 password mypassword

This time you should see the trustpoint and key created without the subsequent deletion. Verify the import:

show crypto pki certificates MY-TRUSTPOINT

Confirm the subject, issuer, and expiry all look correct.

Quick Reference: One-Liner Conversion

If the original PFX already has the full chain and you just need to fix the ciphers, you can do it in two commands:

openssl pkcs12 -in mycert.p12 -nodes -out temp.pem -legacy
openssl pkcs12 -export -in temp.pem -out mycert-iosxe.p12 \
  -descert -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg SHA1

Then clean up:

rm temp.pem

Bonus: Verifying Key Pairs Match

If you’re migrating a certificate between devices and want to confirm the key in a PFX matches the key on an existing device, compare the RSA modulus.

On Linux:

openssl pkcs12 -in mycert.p12 -nocerts -nodes | openssl rsa -modulus -noout | md5sum

On IOS-XE:

show crypto key mypubkey rsa MY-KEY-LABEL

Same modulus = same key pair.
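As an added example (not code from the original post), the same modulus comparison can be done entirely on the Linux side before you copy anything to the device: compare the key extracted from the PFX with the certificate it is supposed to belong to. It assumes openssl on the PATH; the two self-signed certificates, the PFX and the password are constructed for the demo, and openssl dgst replaces md5sum so the output format does not depend on coreutils.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Confirms on Linux that the key
# inside a PFX belongs to a given certificate by comparing RSA moduli, the same
# modulus comparison the post makes against "show crypto key mypubkey rsa".
# Assumes "openssl" is on the PATH; keys, certs and the password are constructed.
set -eu

DEMO_PASS="constructed-demo-password"   # constructed, not a real secret

# SHA-256 fingerprint of the "Modulus=..." line of the key inside a PFX
# ($1 = pfx, $2 = password). The Bag Attributes that pkcs12 prints before the
# key are ignored by the PEM reader in "openssl rsa".
pfx_key_modulus_fp() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl rsa -modulus -noout 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint computed from a PEM certificate ($1).
cert_modulus_fp() {
  openssl x509 -in "$1" -modulus -noout | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the PFX key and the certificate share a modulus, 1 otherwise.
pfx_key_matches_cert() {
  [ "$(pfx_key_modulus_fp "$1" "$2")" = "$(cert_modulus_fp "$3")" ]
}

# Constructed demo material: two unrelated self-signed certs and a PFX for the first.
make_demo_material() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/a.key" -out "$d/a.pem" \
    -subj "/CN=device-a" -days 1 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/b.key" -out "$d/b.pem" \
    -subj "/CN=device-b" -days 1 2>/dev/null
  openssl pkcs12 -export -in "$d/a.pem" -inkey "$d/a.key" -out "$d/a.p12" \
    -passout "pass:$DEMO_PASS"
}

main() {
  local d; d=$(mktemp -d)
  make_demo_material "$d"
  pfx_key_matches_cert "$d/a.p12" "$DEMO_PASS" "$d/a.pem" && echo "a.p12 key matches a.pem"
  pfx_key_matches_cert "$d/a.p12" "$DEMO_PASS" "$d/b.pem" || echo "a.p12 key does not match b.pem"
  rm -rf "$d"
}

# Run the demo only when openssl is available (the functions stay sourceable otherwise).
if command -v openssl >/dev/null 2>&1; then main; fi
```

Run pfx_key_matches_cert with your PFX and the cert.pem from Step 2 (or a certificate pulled from the device) before the import; a mismatch here means the PFX pairs a key with the wrong certificate, which no amount of cipher rebuilding will fix.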

Caveat: Microsoft Teams Direct Routing on CUBE

If you’re running CUBE with Microsoft Teams Direct Routing, there’s an additional gotcha to be aware of. Microsoft retired the Baltimore CyberTrust Root CA and moved to DigiCert Global Root G2 for their SIP interface certificates. This caused widespread TLS handshake failures on CUBE platforms — including the Catalyst 8200 and ISR 4300 series — often accompanied by CPU spikes and syslog messages like:

%SYS-3-CPUHOG: Task is running for (12913)msecs, more than (2000)msecs (2/2),process = CCSIP_TLS_HANDSHAKE
%SIP-2-TLS_HANDSHAKE_FAILED: TLS handshake failure - remote_addr=52.114.x.x, remote_port=xxxx

Even if you’ve already imported the new DigiCert Root G2 certificate, it may not take effect until you clear the existing trustpool. The fix documented in the Cisco Community thread:

no crypto pki trustpool policy
crypto pki trustpool import url http://www.cisco.com/security/pki/trs/ios.p7b

This clears and reimports the full CA bundle, allowing the new DigiCert root to be properly used for TLS validation against Microsoft’s SIP endpoints (sip.pstnhub.microsoft.com).

After reimporting the trustpool, verify your CUBE identity certificate, the Microsoft-facing trustpoints, and the sip-ua crypto signaling config all reference the correct trustpoints:

show crypto pki certificates
show crypto pki trustpool | include DigiCert
show running | section sip-ua

Keep an eye on Microsoft’s Direct Routing “What’s New” page — they periodically rotate root CAs and update TLS requirements for SBC connectivity.

Summary

IOS-XE PKCS12 import failures almost always come down to two things: modern ciphers that the platform doesn’t support, or a missing CA chain in the bundle. Rebuild the PFX with SHA1/3DES ciphers and include the full chain, and you’ll be importing cleanly every time.

This was tested on the Cisco Catalyst 8200 running IOS-XE 17.09.x, but the same approach applies to ISR 4000 series, CSR 1000v, Catalyst 8000 Edge, and other IOS-XE platforms.