diff --git a/Notation.Plugin.AzureKeyVault.Tests/Certificate/Pkcs12Tests.cs b/Notation.Plugin.AzureKeyVault.Tests/Certificate/Pkcs12Tests.cs
index cb361797..657793ca 100644
--- a/Notation.Plugin.AzureKeyVault.Tests/Certificate/Pkcs12Tests.cs
+++ b/Notation.Plugin.AzureKeyVault.Tests/Certificate/Pkcs12Tests.cs
@@ -7,6 +7,7 @@ namespace Notation.Plugin.AzureKeyVault.Certificate.Tests
 {
     public class Pkcs12Tests
     {
+        // MAC integrity mode is password(null) and saftContent confidential mode is password(null)
         [Fact]
         public void ReEncode()
         {
@@ -34,7 +35,8 @@ public void ReEncode_WithInvalidMac()
         }
 
         [Fact]
-        public void ReEncode_withoutMac(){
+        public void ReEncode_withoutMac()
+        {
             // read the pfx file
             byte[] data = File.ReadAllBytes(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "cert_without_mac.pfx"));
             Pkcs12Info originPfx = Pkcs12Info.Decode(data, out _);
@@ -44,7 +46,21 @@ public void ReEncode_withoutMac(){
             byte[] newData = Pkcs12.ReEncode(data);
             Pkcs12Info pfxWithoutMac = Pkcs12Info.Decode(newData, out _);
             Assert.True(pfxWithoutMac.IntegrityMode == Pkcs12IntegrityMode.None);
+        }
+
+        // MAC integrity mode is password(null) and saftContent confidential mode is none
+        [Fact]
+        public void ReEncode_akv_imported()
+        {
+            // read the pfx file
+            byte[] data = File.ReadAllBytes(Path.Combine(Directory.GetCurrentDirectory(), "TestData", "akv_imported_cert.pfx"));
+            Pkcs12Info originPfx = Pkcs12Info.Decode(data, out _);
+            Assert.True(originPfx.IntegrityMode == Pkcs12IntegrityMode.Password);
+            // re-encode the pfx file
+            byte[] newData = Pkcs12.ReEncode(data);
+            Pkcs12Info pfxWithoutMac = Pkcs12Info.Decode(newData, out _);
+            Assert.True(pfxWithoutMac.IntegrityMode == Pkcs12IntegrityMode.None);
         }
     }
 }
 
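Review bot: ReEncode_akv_imported in the third hunk never checks the property its own header comment singles out: both assertions cover only IntegrityMode, so a regression that re-encrypts, drops, or fails to decode the unencrypted safe contents of an AKV-imported input would still pass. Pin the input shape and the output with `Assert.All(originPfx.AuthenticatedSafe, s => Assert.Equal(Pkcs12ConfidentialityMode.None, s.ConfidentialityMode));` before the re-encode, and after it assert that each safe content of the decoded result is still `Pkcs12ConfidentialityMode.None` and yields at least one certificate bag, which is the behaviour the accompanying ReEncode change exists to preserve. Prefer `Assert.Equal(Pkcs12IntegrityMode.Password, originPfx.IntegrityMode)` over `Assert.True(a == b)` throughout so a failure reports the actual value. The new header comments in the first and third hunks misspell "safeContent" as "saftContent", and `pfxWithoutMac` is a misleading name for the re-encoded result in a test whose distinguishing property is confidentiality rather than the MAC; `reEncodedPfx` reads better. The fixture is added as a binary so its contents cannot be reviewed here; since a PFX carries a private key, the commit message or a README in TestData should state that akv_imported_cert.pfx is disposable test-only material.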
diff --git a/Notation.Plugin.AzureKeyVault.Tests/TestData/akv_imported_cert.pfx b/Notation.Plugin.AzureKeyVault.Tests/TestData/akv_imported_cert.pfx
new file mode 100644
index 00000000..2631cc40
Binary files /dev/null and b/Notation.Plugin.AzureKeyVault.Tests/TestData/akv_imported_cert.pfx differ
diff --git a/Notation.Plugin.AzureKeyVault/Certificate/Pkcs12.cs b/Notation.Plugin.AzureKeyVault/Certificate/Pkcs12.cs
index a6cc07cc..f7e74f0d 100644
--- a/Notation.Plugin.AzureKeyVault/Certificate/Pkcs12.cs
+++ b/Notation.Plugin.AzureKeyVault/Certificate/Pkcs12.cs
@@ -31,7 +31,10 @@ public static byte[] ReEncode(byte[] data)
             foreach (var safeContent in pfx.AuthenticatedSafe)
             {
                 // decrypt with null password
-                safeContent.Decrypt((byte[]?)null);
+                if (safeContent.ConfidentialityMode == Pkcs12ConfidentialityMode.Password)
+                {
+                    safeContent.Decrypt((byte[]?)null);
+                }
                 // create a newSafeContent and only contains the certificate bag
                 var newSafeContent = new Pkcs12SafeContents();