Import of Certificate Fails Due to Private Key

A certificate import can fail for several reasons related to how the private key of the certificate key pair was encrypted.

Non-compliant implementation of the Password-based Key Derivation Function (PBKDF) algorithm used to encrypt the private key

The error "The given PEM of the private key cannot be parsed" can occur when you import a private key that was encrypted by an implementation of PBKDF that does not adhere to Federal Information Processing Standards (FIPS).

The Certificates service requires you to use a FIPS-compliant implementation of PBKDF to encrypt private keys. For a list of validated FIPS 140-1 and FIPS 140-2 cryptographic modules, see the FIPS 140-1 and FIPS 140-2 Vendor List.

Passphrase provided during encryption of the private key is too short

The error "privateKeyPemPassphrase must be at least 14 characters (or 112 bits)" occurs when the passphrase string that you provided during encryption contains fewer than 14 characters.

When encrypting the private key, specify a passphrase that contains at least 14 characters (or 112 bits).

Salt used during hashing of the passphrase is too short

The error "The given private key is not compliant with Federal Information Processing Standards (FIPS)" can occur when the salt used during the hashing of the passphrase is shorter than 128 bits (or 16 bytes).

The Certificates service requires a salt of 128 bits (or 16 bytes) or longer when hashing the passphrase. In the OpenSSL PBKDF implementation, the default salt length is 64 bits (or 8 bytes), so the service often rejects private keys encrypted by OpenSSL (version 3.0 or later). To use a 128-bit salt with OpenSSL, you must override the default salt length in the PKCS8 tool when you encrypt the key.
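As an added example that is not part of this documentation, the following Python check can be run before an import attempt: it parses the PBES2/PBKDF2 parameters of a PKCS#8 "ENCRYPTED PRIVATE KEY" PEM and reports the two conditions described above (passphrase shorter than 14 characters, PBKDF2 salt shorter than 128 bits). The `sample_pem` helper is assumed here only to build a constructed test envelope with dummy ciphertext; a real key is passed in as its PEM string.

```python
import base64, re
OID_PBES2, OID_PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"
MIN_SALT_BITS, MIN_PASSPHRASE_CHARS = 128, 14   # the limits stated on this page
def tlv(data, pos=0):  # decode one DER element -> (tag, content bytes, position after it)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def decode_oid(b):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        val = (val << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def pbkdf2_salt_bits(pem):  # salt length in bits from a PKCS#8 ENCRYPTED PRIVATE KEY PEM
    b64 = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END", pem, re.S).group(1)
    _, epki, _ = tlv(base64.b64decode("".join(b64.split())))  # EncryptedPrivateKeyInfo
    _, alg, _ = tlv(epki)                            # encryptionAlgorithm
    _, oid, p = tlv(alg)
    if decode_oid(oid) != OID_PBES2:
        raise ValueError("not PBES2; PBKDF2 parameters cannot be inspected")
    _, kdf, _ = tlv(tlv(alg, p)[1])                  # PBES2-params -> keyDerivationFunc
    _, kdf_oid, p = tlv(kdf)
    if decode_oid(kdf_oid) != OID_PBKDF2:
        raise ValueError("keyDerivationFunc is not PBKDF2")
    salt = tlv(tlv(kdf, p)[1])[1]                    # PBKDF2-params -> salt OCTET STRING
    return len(salt) * 8

def import_issues(pem, passphrase):  # reasons the service would reject the key, per the errors above
    issues = []
    if len(passphrase) < MIN_PASSPHRASE_CHARS:
        issues.append("privateKeyPemPassphrase must be at least 14 characters")
    if (bits := pbkdf2_salt_bits(pem)) < MIN_SALT_BITS:
        issues.append(f"PBKDF2 salt is {bits} bits; at least 128 bits (16 bytes) required")
    return issues

def sample_pem(salt_len):  # constructed PBES2/PBKDF2/AES-256-CBC envelope with dummy ciphertext
    d = lambda tag, body: bytes([tag, len(body)]) + body        # short-form DER encoder (sample only)
    oid = lambda h: d(0x06, bytes.fromhex(h))
    kdf = d(0x30, oid("2a864886f70d01050c") + d(0x30,                        # id-PBKDF2
            d(0x04, b"\x11" * salt_len) + d(0x02, b"\x08\x00")))              # salt, 2048 iterations
    enc = d(0x30, oid("60864801650304012a") + d(0x04, b"\x22" * 16))         # aes256-CBC + IV
    der = d(0x30, d(0x30, oid("2a864886f70d01050d") + d(0x30, kdf + enc))    # id-PBES2
            + d(0x04, b"\x00" * 16))                                          # dummy encryptedData
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(der).decode()
            + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

A key produced with the 64-bit OpenSSL default salt reports `PBKDF2 salt is 64 bits`, which is the condition behind the "not compliant with FIPS" error above.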