Changing a CNG Certificate key to Legacy

This can be done with OpenSSL.   This same technique can be used to change Legacy Key Provider types. 

First we convert the current Certificate from a PFX file to a PEM file:

set RANDFILE=.\openssl.rnd
openssl pkcs12 -in idp.pfx -out idp.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then we convert it back from a PEM file to a PFX file:

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
Loading 'screen' into random state - done 
Enter pass phrase for idp.pem: 
Enter Export Password: 
Verifying - Enter Export Password:

Note I am using the “Microsoft Enhanced RSA and AES Cryptographic Provider” as the target because the “Microsoft Strong Cryptographic Provider” has limitations in EAS and SHA256 support.

OpenSSL Documentation can be found here.


Leave a Comment