Certificate Requirements for Connecting Vivi Devices to WPA2-Enterprise Networks
Last Updated: October 2025
Applies To: Vivi devices using SSL/TLS certificates imported from Windows Server environments
Problem Description
When importing SSL/TLS certificates into Vivi devices, administrators may encounter issues such as:
The Vivi device rejecting the uploaded certificate.
The certificate appearing invalid or failing to apply after upload.
This occurs because Vivi devices do not currently support certificates encrypted using PKCS#5 v2.0 (AES encryption), which is the default encryption format used by Windows Server when exporting certificates.
Cause
Windows Server (and most modern certificate export tools) use PKCS#5 v2.0, which leverages AES-based encryption for the private key.
However, Vivi devices are compatible with PKCS#5 v1.5, which uses 3DES/RC2 encryption algorithms.
As a result, any certificate exported using the default AES encryption format (v2.0) will not be recognized or accepted by Vivi devices.
Resolution
To ensure certificate compatibility, export or convert the certificate using PKCS#5 v1.5 encryption.
You can do this via Windows MMC or OpenSSL, as outlined below.
Option 1: Exporting with PKCS#5 v1.5 Using Windows MMC
If the Certificate Snap-In is not already enabled in Windows MMC, enable it first.
If it is already enabled and the certificate exists on the local machine, skip directly to Step B.
Step A: Enable Certificate Snap-In (if not already enabled)
Press Win + R, type
mmc, and press Enter.In the MMC console, go to File → Add/Remove Snap-in…
Select Certificates, click Add.
Choose My user account (or Computer account, if appropriate).
Expand Certificates → Personal → Certificates.
Right-click Certificates → All Tasks → Import.
Select your
.pfxfile → enter the password → tick Mark as exportable.Complete the import wizard. The certificate will now appear under Personal.
Step B: Export with PKCS#5 v1.5
In MMC, go to Certificates → Personal → Certificates.
Right-click your certificate → All Tasks → Export.
Select Yes, export the private key.
When prompted for encryption:
Choose TripleDES-SHA1 (instead of AES).
This enforces PKCS#5 v1.5 legacy encryption.
Save the exported file as a .pfx.
The resulting .pfx will be compatible with Vivi devices.
Option 2: Converting with OpenSSL
If the certificate has already been exported using PKCS#5 v2.0, it can be repackaged with OpenSSL.
Requirements:
OpenSSL installed on the local machine.
Access to the original exported
.pfxfile.
Steps:
# Extract certificate and private key
openssl pkcs12 -in certv2.pfx -out cert.pem -nodes
# Repackage with 3DES (PKCS#5 v1.5)
openssl pkcs12 -export -in cert.pem -out certv1_5.pfx -descert -des3
Explanation:
-des3→ Forces PKCS#5 v1.5 (legacy 3DES encryption).-descert→ Ensures the certificate encryption also uses legacy mode.
The resulting file certv1_5.pfx can now be imported into Vivi devices.
Verification: Checking the Certificate Format
To confirm whether a .pfx file uses PKCS#5 v1.5 or v2.0, run:
openssl pkcs12 -in exported.pfx -info -noout
Interpretation:
If you see:
pbeWithSHA1And3-KeyTripleDES-CBC→ ✅ PKCS#5 v1.5 (Legacy)If you see:
PBES2 with AES(e.g.pbeWithSHA256AndAES256-CBC) → ❌ PKCS#5 v2.0 (Unsupported)
Additional Notes
Certificates generated or exported using the TripleDES-SHA1 algorithm will remain compatible across both legacy and modern systems.
Always ensure the private key is marked as exportable during the import step in Windows MMC.
Future Enhancement
Support for PKCS#5 v2.0 (AES encryption) is planned for a future Vivi firmware update.
Once implemented, Vivi devices will accept PKCS#5 v2.0 certificates, eliminating the need for re-packaging.
A separate release note and Knowledge Hub article will be published when this enhancement becomes available.
Conclusion
Using either the Windows MMC export method or the OpenSSL conversion process ensures your certificates are correctly formatted with PKCS#5 v1.5 encryption, making them fully compatible with Vivi devices.