nilanjan_lahiri
Explorer

Password error while renewing SSL certificate

Hello,

I am trying to renew the SSL certificate on the firewall from Cluster Properties --> Mobile Access --> Portal Settings but am getting a Password error. This is something I've been doing every year, but I am facing this issue for the first time. I have tried with multiple certificates with different passwords but the error returned is the same. The same certificates can be installed locally on the system without any issue. Is this a known issue? Can you please assist in getting this resolved?

 

Thanks a lot,

Nilanjan

0 Kudos
10 Replies
the_rock
MVP Platinum

Hm, don't recall ever having this issue. Mind sending a screenshot?

Best,

Andy

0 Kudos
nilanjan_lahiri
Explorer

Hello,
We are using R80.40. We carry out this certificate renewal activity every year following the same steps but are facing this issue for the first time. We are trying to replace the existing P12 certificate with a new one from Cluster Properties --> Mobile Access --> Portal Settings. The password is that of the P12 certificate.

 

 

0 Kudos
Alex-
MVP Silver

Check your version of OpenSSL. Gaia still uses 1.1.1, even in R82 systems.

R80.40 is out of support, you should also probably obfuscate screenshots.

0 Kudos
the_rock
MVP Platinum

Okay...and if I understood right, this is the first time it's failing? Same password worked fine before?

 

Best,
Andy
0 Kudos
nilanjan_lahiri
Explorer

The existing certificate is going to expire shortly and is due for renewal. We are attempting to renew with a new P12 certificate. When we enter the password of the certificate, it is shown as incorrect. However, the same certificate, when installed locally, works fine with the same password.

0 Kudos
the_rock
MVP Platinum

FWIW, here are steps AI gives...

Andy

***************

 

1. Encoding or Format Issues with the Password

  • Problem: Sometimes, when copying and pasting the password into a script or form (especially from a rich-text document or email), hidden characters (like whitespaces, line breaks, or non-printable characters) get included.

  • Fix:

    • Manually type the password instead of pasting it.

    • Ensure there are no leading/trailing spaces.

    • Check if the environment expects the password in a specific encoding (e.g. UTF-8).


2. Password Length or Special Characters Not Supported

  • Problem: Some systems or libraries may not handle complex passwords (e.g., special characters like !, @, $, etc.) properly.

  • Fix:

    • Try using a simpler password (temporarily) to test if the system accepts it.

    • Escape special characters if the password is passed via CLI or in config files.


3. Corrupted or Misconverted P12 File

  • Problem: The P12 file may be corrupted during transfer or re-exported with incompatible settings.

  • Fix:

    • Re-export the .p12 file from your certificate manager (e.g., Keychain Access, OpenSSL, or your CA).

    • Use OpenSSL to verify the .p12:

       
      openssl pkcs12 -info -in yourcert.p12

      If the password works here, the file is fine.


4. Mismatched Certificate Keystore Type

  • Problem: Some systems expect a specific keystore format or type.

  • Fix:

    • If you're importing into Java-based systems (like Tomcat or Spring Boot), try converting .p12 to .jks using:

       
      keytool -importkeystore -srckeystore yourcert.p12 -srcstoretype pkcs12 -destkeystore yourcert.jks -deststoretype JKS

5. Environment Path or Permissions Issue

  • Problem: The system accessing the .p12 may not have permission to read it or may be reading a different file (e.g., an older version).

  • Fix:

    • Double-check the path to the certificate.

    • Ensure the correct file is being referenced.

    • Check permissions of the .p12 file:

       
      ls -l yourcert.p12

6. Framework/Library-Specific Bug or Quirk

  • Problem: Some frameworks (e.g., Java, .NET, Node.js) might require specific parameters when loading .p12 files.

  • Fix:

    • Look for debug logs to see how the error is reported.

    • If using a framework, confirm whether it expects:

      • Certificate alias

      • Specific trust settings

      • Only .pem or .crt + .key formats


7. Certificate Works Locally Because of Cached or Keychain-Stored Credentials

  • Problem: When installing locally (e.g., in macOS Keychain), it might be accepting saved credentials without prompting.

  • Fix:

    • Confirm password actually works by importing the .p12 on a clean system or using openssl

Best,
Andy
0 Kudos
PhoneBoy
Admin

Version/JHF of gateway and management?
What "password" are you referring to here, exactly?

the_rock
MVP Platinum

That's what kind of threw me off as well...never seen a password needed for that sort of cert renewal.

Andy

Best,
Andy
0 Kudos
nilanjan_lahiri
Explorer

Hello All.

The issue got resolved by renaming the PFX certificate to P12. Thanks everyone for your guidance on this.

(1)
the_rock
MVP Platinum

Excellent!

Best,
Andy
0 Kudos
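
Added example (not part of any post in this thread): a non-interactive version of the `openssl pkcs12` check from step 3 of the list above, combined with the PFX-to-P12 rename that resolved the issue. The key, certificate, password and file names are constructed throwaway values, the function names are hypothetical, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example; key, certificate, password and file names are constructed.

# 0 if the PKCS#12 file opens (its MAC verifies) with exactly this password.
p12_password_ok() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# 0 if the password has leading/trailing whitespace or a control character,
# the kind of debris a paste from e-mail or a document can add.
has_hidden_chars() {
    case "$1" in
        [[:space:]]*|*[[:space:]]|*[[:cntrl:]]*) return 0 ;;
    esac
    return 1
}

# MAC and encryption algorithms recorded in the file, for comparison with
# what the importing system's OpenSSL build supports.
p12_algorithms() {
    openssl pkcs12 -in "$1" -info -noout -passin "pass:$2" 2>&1 |
        grep -E 'MAC|PBE|Encrypted data|Shrouded'
}

# Build a throwaway self-signed certificate and export it as $1/demo.pfx.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=portal.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/demo.pfx" -passout "pass:$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    pw='Demo-Pass 1'                      # constructed password
    make_demo_pfx "$dir" "$pw" || return 1
    cp "$dir/demo.pfx" "$dir/demo.p12"    # the rename from the thread
    cmp -s "$dir/demo.pfx" "$dir/demo.p12" && echo "pfx and p12: same bytes"
    p12_password_ok "$dir/demo.p12" "$pw" && echo "typed password: accepted"
    p12_password_ok "$dir/demo.p12" "$pw " || echo "pasted with space: rejected"
    has_hidden_chars "$pw " && echo "hidden character detected"
    p12_algorithms "$dir/demo.p12" "$pw"
    rm -rf "$dir"
}
demo
```

Renaming changes no bytes, so a password that verifies against the `.pfx` also verifies against the `.p12` copy; when an importer accepts one name and rejects the other, the difference lies in how the importer handles the file, not in the password.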
