{"id":1541,"date":"2026-03-11T12:41:28","date_gmt":"2026-03-11T04:41:28","guid":{"rendered":"https:\/\/www.insecurewi.re\/?p=1541"},"modified":"2026-03-11T12:48:18","modified_gmt":"2026-03-11T04:48:18","slug":"converting-pkcs12-certificates-for-cisco-ios-xe-import","status":"publish","type":"post","link":"https:\/\/www.insecurewi.re\/index.php\/2026\/03\/11\/converting-pkcs12-certificates-for-cisco-ios-xe-import\/","title":{"rendered":"Converting PKCS12 Certificates for Cisco IOS-XE Import"},"content":{"rendered":"\n

If you’ve ever tried to import a .pfx<\/code> or .p12<\/code> certificate onto a Cisco IOS-XE platform like the Catalyst 8200 and been met with the dreaded PKCS #12 import failed<\/code> message, you’re not alone. The error output is unhelpfully vague \u2014 typically just “Unknown reason” \u2014 but the fix is straightforward once you understand what IOS-XE expects.<\/p>\n\n\n\n

This guide walks through diagnosing and resolving the two most common causes of PKCS12 import failure on IOS-XE: incompatible ciphers and missing CA chains.<\/p>\n\n\n\n

The Problem<\/h2>\n\n\n\n

You have a .pfx<\/code> or .p12<\/code> file \u2014 maybe exported from another device, maybe provided by your certificate authority or ISP \u2014 and you run the import:<\/p>\n\n\n\n

crypto pki import MY-TRUSTPOINT pkcs12 bootflash:mycert.p12 password mypassword<\/code><\/pre>\n\n\n\n
IOS-XE briefly creates the trustpoint and imports the key, then immediately deletes everything:<\/p>\n\n\n\n
%PKI-6-TRUSTPOINT_CREATE: Trustpoint: MY-TRUSTPOINT created succesfully\n%CRYPTO_ENGINE-5-KEY_ADDITION: A key named MY-TRUSTPOINT has been generated or imported\n%CRYPTO_ENGINE-5-KEY_DELETED: A key named MY-TRUSTPOINT has been removed from key storage\n%PKI-6-TRUSTPOINT_DELETE: Trustpoint: MY-TRUSTPOINT deleted succesfully\nCRYPTO_PKI: status = 65535: Imported PKCS12 file failure\n%PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: MY-TRUSTPOINT. Reason: Unknown reason<\/code><\/pre>\n\n\n\n
Not helpful. Let’s fix it.<\/p>\n\n\n\n
Step 1: Inspect the PFX<\/h2>\n\n\n\n
First, get the PFX onto a Linux box (or WSL) and take a look at what’s inside. You’ll need OpenSSL installed.<\/p>\n\n\n\n
Check the cipher and contents:<\/p>\n\n\n\n
bash<\/p>\n\n\n\n
openssl pkcs12 -in mycert.p12 -info -nokeys<\/code><\/pre>\n\n\n\n
You’re looking for two things in the output:<\/p>\n\n\n\n
Ciphers used<\/strong> \u2014 you want to see pbeWithSHA1And3-KeyTripleDES-CBC<\/code>. If you see AES-256-CBC or other modern ciphers, IOS-XE won’t accept it. Newer versions of OpenSSL (3.x+) default to these stronger ciphers when exporting, which is great for security but breaks compatibility with IOS-XE.<\/p>\n\n\n\n
CA certificates<\/strong> \u2014 you should see both your identity certificate and<\/em> at least one CA\/intermediate certificate in the output. If you only see a single certificate (your identity cert), the chain is incomplete and IOS-XE will reject the import.<\/p>\n\n\n\n
Step 2: Extract the Components<\/h2>\n\n\n\n
Pull the certificate, private key, and any existing CA certs out of the PFX:<\/p>\n\n\n\n
bash<\/p>\n\n\n\n
# Extract the identity certificate\nopenssl pkcs12 -in mycert.p12 -clcerts -nokeys -out cert.pem\n\n# Extract the private key\nopenssl pkcs12 -in mycert.p12 -nocerts -nodes -out key.pem<\/code><\/pre>\n\n\n\n
If you need to add the -legacy<\/code> flag on OpenSSL 3.x to read older PFX files:<\/p>\n\n\n\n
bash<\/p>\n\n\n\n
openssl pkcs12 -in mycert.p12 -clcerts -nokeys -out cert.pem -legacy\nopenssl pkcs12 -in mycert.p12 -nocerts -nodes -out key.pem -legacy<\/code><\/pre>\n\n\n\n
Step 3: Get the Intermediate CA Certificate<\/h2>\n\n\n\n
If your PFX was missing the CA chain, you’ll need to obtain the intermediate certificate from your CA. For example, if your cert was issued by DigiCert:<\/p>\n\n\n\n
bash<\/p>\n\n\n\n
wget https:\/\/cacerts.digicert.com\/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crt.pem<\/code><\/pre>\n\n\n\n
Check the issuer<\/code> field in your certificate to determine which intermediate you need:<\/p>\n\n\n\n
bash<\/p>\n\n\n\n
openssl x509 -in cert.pem -noout -issuer<\/code><\/pre>\n\n\n\n
Then download the appropriate intermediate from your CA’s repository.<\/p>\n\n\n\n
Step 4: Rebuild the PFX<\/h2>\n\n\n\n
This is the key step. Rebuild the PKCS12 file with IOS-XE compatible ciphers and the full certificate chain:<\/p>\n\n\n\n
bash<\/p>\n\n\n\n
openssl pkcs12 -export \\\n  -in cert.pem \\\n  -inkey key.pem \\\n  -certfile intermediate-ca.pem \\\n  -out mycert-iosxe.p12 \\\n  -descert \\\n  -certpbe PBE-SHA1-3DES \\\n  -keypbe PBE-SHA1-3DES \\\n  -macalg SHA1<\/code><\/pre>\n\n\n\n
Breaking down the important flags:<\/p>\n\n\n\n