Windows Server 2019 – Export Certificate with Private Key and Encryption Type

Tags: certificate, private-key, windows-server-2019

I noticed that starting in Windows Server 2019, and an unknown version of Windows 10 (I'm running 1903, and I tried on 1809 as well), when you export a certificate and choose to export its private key as well, you have an option to choose the encryption method (it's a combobox just below the password and confirm password fields):

TripleDES-SHA1
AES256-SHA256

On Windows Server 2012 and Windows Server 2016, that option isn't present. When you try to import a certificate with a private key on WS2012 and WS2016 that was exported with the AES256-SHA256 encryption, when you enter the password, it'll throw you an error saying that the password is incorrect. HOWEVER, if you import a certificate with a private key that was exported with the TripleDES-SHA1 encryption it works.

Since Windows Server 2016 is based on Windows 10 v1607, and Windows Server 2019 is based on Windows 10 v1809, that option must have been added between these versions, so:

1703
1709
1803

Does anyone know when this option was added? And is there a way to make Windows Server 2012 and 2016 import certificates with a private key that was encrypted using AES256-SHA256?

Thank you,

PS: The certificate is a .pfx file that can be imported through the Certificate Import Wizard.

Edit: Here's a screenshot of the option.


Best Answer

Alright, so according to this issue on the PowerShell GitHub, these options might have been added somewhere around Windows 10 v1709. So Windows Server 2016 v1709 and Windows 10 v1709 support the AES256-SHA256 encryption type.

https://github.com/PowerShell/CertificateDsc/issues/153#issuecomment-413766692
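
Which protection a .pfx uses can be read from its unencrypted ASN.1 structure, without the password, before trying to import it on an older server. The following is an added example, not code from the question or the answer: it walks a DER-encoded PFX and reports the key-protection scheme. The function names, the constructed sample and the mapping of the two wizard options to PKCS#12 OIDs are assumptions of this example.

```python
KNOWN = {  # assumption: the wizard's two options map to these PKCS#12 OIDs (DER value bytes)
    bytes.fromhex("2a864886f70d010c0103"): "TripleDES-SHA1",  # pbeWithSHAAnd3-KeyTripleDES-CBC
    bytes.fromhex("2a864886f70d01050d"): "AES256-SHA256",     # PBES2, treated here as the AES option
}

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("element overruns its container")
    return tag, pos, pos + length

def find_schemes(buf, pos=0, end=None):
    """Collect known scheme names from the cleartext DER skeleton; no password needed."""
    end, found = (len(buf) if end is None else end), set()
    while pos < end:
        tag, start, stop = read_tlv(buf, pos, end)
        if tag == 0x06 and buf[start:stop] in KNOWN:  # OBJECT IDENTIFIER
            found.add(KNOWN[buf[start:stop]])
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [0] ...
            found |= find_schemes(buf, start, stop)
        elif tag == 0x04:  # OCTET STRING: wraps nested DER, or holds salt/ciphertext
            try:
                found |= find_schemes(buf, start, stop)
            except (ValueError, IndexError):
                pass  # opaque bytes, not nested DER
        pos = stop
    return found

def legacy_compatible(pfx):
    """True when TripleDES-SHA1 is the only protection scheme found."""
    return find_schemes(pfx) == {"TripleDES-SHA1"}

def tlv(tag, *parts):
    """Tiny DER encoder, used only to build the constructed sample below."""
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_pfx(pbe_oid_hex):
    """Constructed PFX skeleton (no real key; PBE parameters simplified)."""
    oid = lambda h: tlv(0x06, bytes.fromhex(h))
    data = oid("2a864886f70d010701")  # id-data
    alg = tlv(0x30, oid(pbe_oid_hex), tlv(0x30, tlv(0x04, bytes(8)), tlv(0x02, b"\x07\xd0")))
    bag = tlv(0x30, oid("2a864886f70d010c0a0102"), tlv(0xA0, tlv(0x30, alg, tlv(0x04, b"\xde\xad\xbe\xef"))))
    safe = tlv(0x30, data, tlv(0xA0, tlv(0x04, tlv(0x30, bag))))
    return tlv(0x30, tlv(0x02, b"\x03"), tlv(0x30, data, tlv(0xA0, tlv(0x04, tlv(0x30, safe)))))
```

On a real export, pass the file's bytes to `find_schemes`; a result containing `AES256-SHA256` matches the case the question reports failing with an "incorrect password" error on Windows Server 2012 and 2016.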