You make the choice between "Strong" and "Legacy" PKCS#12 the moment you export the certificate from your Windows system.
Consider the following scenario:
You obtain a certificate for use with your SSL VPN on the Check Point, either from one of the publicly trusted issuers (like DigiCert, VeriSign, GlobalSign, etc.) or from some other corporate/enterprise/internal PKI.
You import it into the Check Point, but are confronted with the 'the password you entered is incorrect' error.
As a solution, you can import this certificate into the certificate store of a Windows machine, and export it out again (making sure to export the private key as well) in a PKCS#12 format. At this point you can choose what type of encryption is used for the private key and the password used for this encryption. This is where you select 'legacy' encryption. (°)
Normally, this exported certificate can now be imported into the Check Point.
Importing and exporting certificates is done through the certificate manager (mmc plug-in 'Certificates'), and has no bearing whatsoever on Windows Explorer and/or the Edge browser.
(°) In my up-to-date Windows 11 machine, I see that these encryption options have been changed/renamed to 'TripleDES-SHA1' or 'AES256-SHA256'.
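
The import/export round trip described above can also be scripted with the Windows PKI cmdlets. This is an added example, not part of the original post; the file paths are placeholders, and it assumes a Windows build whose `Export-PfxCertificate` accepts `-CryptoAlgorithmOption`.

```powershell
# Added example: re-export a PKCS#12 with the legacy TripleDES-SHA1 protection.
# Both paths are hypothetical placeholders.
$inPfx  = 'C:\temp\vpn-cert.pfx'          # PKCS#12 the gateway rejected
$outPfx = 'C:\temp\vpn-cert-legacy.pfx'   # re-exported copy
$store  = 'Cert:\CurrentUser\My'

$inPw  = Read-Host -AsSecureString -Prompt 'Password of the existing PKCS#12'
$outPw = Read-Host -AsSecureString -Prompt 'Password for the re-exported PKCS#12'

# Read the thumbprint first, so the cleanup below never deletes a certificate
# that was already present in the store before this script ran.
$thumb   = (Get-PfxData -FilePath $inPfx -Password $inPw).EndEntityCertificates[0].Thumbprint
$existed = Test-Path "$store\$thumb"

# -Exportable is required; without it the private key cannot be exported again.
$cert = Import-PfxCertificate -FilePath $inPfx -CertStoreLocation $store `
            -Password $inPw -Exportable |
        Where-Object { $_.HasPrivateKey } | Select-Object -First 1

try {
    if (-not $cert) {
        throw "No certificate with a private key was imported from $inPfx."
    }
    # TripleDES_SHA1 is the option the export wizard shows as 'TripleDES-SHA1';
    # AES256_SHA256 is the other choice.
    Export-PfxCertificate -Cert $cert -FilePath $outPfx -Password $outPw `
        -ChainOption BuildChain -CryptoAlgorithmOption TripleDES_SHA1 | Out-Null
    "Re-exported $($cert.Thumbprint) to $outPfx"
}
finally {
    # Remove the temporary copy of the certificate and its key from the store.
    if (-not $existed -and (Test-Path "$store\$thumb")) {
        Remove-Item -Path "$store\$thumb" -DeleteKey
    }
}
```

The re-exported file holds the private key under the older TripleDES-SHA1 protection, so delete it from disk once the import on the gateway has succeeded.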