Skip to Content

How to fix PKCS #12 operation failed for unknown reasons error when import certificate?

By: Author Alex Lim

Posted on  - Last updated:

Categories Troubleshooting

Problem Symptom

There is a client certificate for authentication on the web server with a key certificate in PKCS#12 (.pfx/.p12) format. When I try to import the PFX file to Firefox’s Certificate Manager or Thunderbird, it will ask me to insert the password that was used during the export.

When I try to import the PFX file to Firefox's Certificate Manager, it will ask me to insert the password that was used during the export.

Since there was no password set during export, I just click on the OK button without entering any password in the textbox. An error alert prompt to notify operation failed due to unknown reasons and does not import anything.

The detailed error message is as below:

The PKCS #12 operation failed for unknown reasons

Solved: How do I fix "The PKCS #12 operation failed for unknown reasons" error when import certificate

Solved: How do I fix "The PKCS #12 operation failed for unknown reasons" error when import certificate

I have to remove cert8.db and restart Firefox but still unable to resolve this error.

I try to import an X.509 certificate with the private key into Firefox using pk12util, from NSS-tools, and the error message I got as below:

$ pk12util -d /home/rst/.mozilla/firefox/2pj86lxs.Default\ User/ -i certificate.p12
Enter password for PKCS12 file:
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key.
$

Follow the below solution steps to resolve the “The PKCS #12 operation failed for unknown reasons” error issue.

Potential Causes

  • Password is entered incorrectly due to case-sensitive or additional whitespaces.
  • Bug in Firefox importing an RSA private key fails if p < q (cryptographic key factorization exponents).

Pre-check

  • Make sure you have entered the correct password when importing the certificate including correct capital or lowercase letters without additional whitespaces.
  • Update Firefox or Thunderbird to the latest version.

Solution 1: Generate a new certificate with a password

Firefox only accepts certificates that were exported with a password.

Solution 2: Decompose pkcs12 using OpenSSL

Step 1: Decompose pkcs12 into its component parts (key, certificate, and chain of parent certificates) in the pem format.

Step 2: Assembly them back into pkcs12 again with or without a password set.

Step 3: Perform certificate import using this new pfx.

Successfully restored your security certificate(s) and private key(s).

Below is the finding after comparing the pfx assembly from OpenSSL and the original certificate:

In the original pfx certificate, the key comes first, then a certificate, then a chain of two others.

Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft Strong Cryptographic Provider
friendlyName: b5e965997cb800854f76219bf663da29_c6581fca-132f-4679-8904-98b50804597a
Key Attributes
X509v3 Key Usage: 10

In the OpenSSL version, the certificate comes first, then the other two, and at the very end the key:

Bag Attributes
localKeyID: E0 24 1C B0 6D 69 B6 FA E9 79 2B F5 24 C7 F5 4A 4B F2 37 4B
Key Attributes:

Note: For the Europe market, you may consider generating private keys and X509 certificates for Elliptic Curve Cryptography (ECC), refer to the example commands below:

# find your curve
openssl ecparam -list_curves

# generate a private key for a curve
openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem

# generate corresponding public key
openssl ec -in private-key.pem -pubout -out public-key.pem

# optional: create a self-signed certificate
openssl req -new -x509 -key private-key.pem -out cert.pem -days 360

# optional: convert pem to pfx
openssl pkcs12 -export -inkey private-key.pem -in cert.pem -out cert.pfx

Solution 3: Create a self-sign certificate using OpenSSL

Step 1: Generate another self-sign CSR certificate based on the private key:

openssl req -new -key filename.key -out filename.csr
openssl x509 -req -days 365 -in filename.csr -signkey filename.key -out self-signed.crt

Step 2: Combine private key and self-signed certificate into a single PKCS12 file:

openssl pkcs12 -export -inkey filename.key -in self-signed.crt -out self-signed.p12

Step 3: Import the self-signed certificate into Firefox, which included the private key.

Step 4: After collecting the CA code signing certificate then remove the self-signed certificate from Firefox.

Solution 4: Disable certdb

Note: This workaround is only applicable to the Tor browser.

Step 1: Open the Tor browser.

Step 2: Type about:config in the address bar to access the Advanced Preference menu.

Step 3: Click on the Accept the Risk and Continue button to proceed.

Type about:config in the address bar to access the Advanced Preference menu. Click on the Accept the Risk and Continue button to proceed.

Step 4: Type security.nocertdb in the search bar.

Step 5: Double-click on the security.nocertdb enry to switch the value to false.

Type security.nocertdb in the search bar. Double-click on the security.nocertdb enry to switch the value to false.

Step 6: Restart the Tor browser.