New-SelfSignedCertificate, TPM module and ECDSA_P384 - powershell

I am attempting to create a self signed certificate with PowerShell and protect the private key with a TPM 2.0 module.
I can create a cert backed by the TPM with :
New-SelfSignedCertificate -Provider "Microsoft Platform Crypto Provider" -Subject "CN=Test Cert" -CertStoreLocation "Cert:\LocalMachine\My"
I can create a cert with P384 with:
New-SelfSignedCertificate -Subject "CN=Test Cert" -KeyAlgorithm ECDSA_P384 -HashAlgorithm SHA384 -CurveExport CurveName -CertStoreLocation "Cert:\LocalMachine\My"
But combining the two fails with "Provider not defined":
New-SelfSignedCertificate -Provider "Microsoft Platform Crypto Provider" -Subject "CN=Test Cert" -KeyAlgorithm ECDSA_P384 -HashAlgorithm SHA384 -CurveExport CurveName -CertStoreLocation "Cert:\LocalMachine\My"
At this point I am unsure if this is a limitation of the MS provider, a limitation of the TPM module I have, or a result of the current Windows 10 configuration (and therefore perhaps something I can address).
Can anyone offer any insight as to the root cause and perhaps a resolution?
Thanks
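The following is an added diagnostic, not part of the question or of any answer on this page. It asks the named key storage provider directly, through .NET's CngKey API, whether it will create a key for each algorithm, which separates a cmdlet parameter problem from a provider or TPM capability gap. The provider name and the ECDSA_P384 algorithm are the ones from the question; the other algorithm names and the throw-away key names are values chosen for this example.

```powershell
# Added diagnostic (not from the original question): probe a CNG key storage provider
# directly to learn which algorithms it will create keys for.
function Test-KspAlgorithmSupport {
    param(
        [string]$ProviderName = 'Microsoft Platform Crypto Provider',   # KSP named in the question
        [string[]]$Algorithms = @('RSA', 'ECDSA_P256', 'ECDSA_P384', 'ECDSA_P521'),
        [switch]$MachineKey   # mirror Cert:\LocalMachine usage; needs an elevated session
    )
    $provider = New-Object System.Security.Cryptography.CngProvider -ArgumentList $ProviderName
    foreach ($algName in $Algorithms) {
        $alg = New-Object System.Security.Cryptography.CngAlgorithm -ArgumentList $algName
        # Constructed, throw-away key name; the key is deleted again below
        $keyName = 'ksp-probe-' + [guid]::NewGuid().ToString('N')
        $p = New-Object System.Security.Cryptography.CngKeyCreationParameters
        $p.Provider     = $provider
        $p.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None
        if ($MachineKey) {
            $p.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
        }
        $result = [pscustomobject]@{ Provider = $ProviderName; Algorithm = $algName; Supported = $false; Error = $null }
        try {
            $key = [System.Security.Cryptography.CngKey]::Create($alg, $keyName, $p)
            $result.Supported = $true
            $key.Delete()   # remove the probe key from the provider again
        } catch {
            $result.Error = $_.Exception.GetBaseException().Message
        }
        $result
    }
}

# Usage: one row per algorithm, with the provider's error text where creation failed
Test-KspAlgorithmSupport | Format-Table -AutoSize
```

If ECDSA_P384 is reported as unsupported here, the limit is in the provider or the TPM rather than in the cmdlet; if the key is created here but New-SelfSignedCertificate still fails, the cmdlet's handling of the -Provider and -KeyAlgorithm combination is the next thing to look at. `certutil -csplist` lists the registered providers if the exact provider name is in doubt.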

Related

How to set the authority key identifier using powershell New-SelfSignedCertificate

New-SelfSignedCertificate -Subject "CN=me.com, OU=ounit, O=company, L=state, C=country" -FriendlyName "me.com" `
-HashAlgorithm SHA256 -KeyLength 4096 -KeyUsage DigitalSignature,KeyEncipherment `
-NotAfter (Get-Date).AddDays(1024) -CertStoreLocation cert:\LocalMachine\My `
-TextExtension @("2.5.29.19={text}CA=false") -KeyExportPolicy Exportable
I am working from the command above and trying to get this property set on the certificate:
I tried the following and got errors:
-TextExtension @("2.5.29.19={text}CA=false","2.5.29.35={2.5.29.14}")
I know that with a self-signed certificate the Authority Key Identifier KeyID will be assigned to the Subject Key Identifier, but what is the correct way to go about doing this? Microsoft's documentation doesn't clearly state it:
https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2022-ps
And I haven't been able to find any specific assignments through searching.
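An added example, not part of the question above: a function that reads the Subject Key Identifier and Authority Key Identifier extensions off a certificate and reports whether the AKI's KeyID equals the SKI, the relation the question describes. The SKI is read through the typed .NET extension class; the AKI has no typed class in .NET Framework, so its keyIdentifier (context tag [0]) is pulled from the DER encoding directly. The function name and the test subject name are chosen for this example.

```powershell
# Added example (not from the original post): compare AKI.KeyID with the SKI of a certificate.
function Get-KeyIdentifierInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $skiExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    $akiExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }

    $skiHex = $null
    if ($skiExt) {
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension -ArgumentList $skiExt, $false
        $skiHex = $typed.SubjectKeyIdentifier      # upper-case hex, no separators
    }

    $akiHex = $null
    if ($akiExt) {
        # AKI DER: SEQUENCE { [0] keyIdentifier, [1] authorityCertIssuer, [2] authorityCertSerialNumber }
        # Assumes short-form lengths, which holds for any AKI under 128 bytes.
        $raw = $akiExt.RawData
        if ($raw[0] -ne 0x30 -or $raw[1] -ge 0x80) { throw 'Unexpected AKI encoding' }
        $i = 2
        while ($i -lt $raw.Length) {
            $tag = $raw[$i]; $len = $raw[$i + 1]
            if ($len -ge 0x80) { throw 'Long-form length inside AKI is not handled here' }
            if ($tag -eq 0x80) {
                $akiHex = ([System.BitConverter]::ToString($raw, $i + 2, $len)) -replace '-', ''
                break
            }
            $i += 2 + $len   # skip the [1] / [2] elements if present
        }
    }

    [pscustomobject]@{
        Subject                = $Certificate.Subject
        SubjectKeyIdentifier   = $skiHex
        AuthorityKeyIdentifier = $akiHex
        AkiMatchesSki          = [bool]($skiHex -and $akiHex -and ($skiHex -eq $akiHex))
    }
}

# Usage: create a test certificate in the user store and inspect what the cmdlet actually emitted
$cert = New-SelfSignedCertificate -Subject 'CN=aki-test' -CertStoreLocation Cert:\CurrentUser\My
Get-KeyIdentifierInfo -Certificate $cert
# Full human-readable view of every extension, for comparing attempts at -TextExtension
$cert.Extensions | ForEach-Object { $_.Oid.FriendlyName; $_.Format($true) }
```

Running this against each variant of the command makes it clear whether an AKI extension was written at all and, if so, whether its KeyID matches the SKI, which is quicker than reading the certificate dialog.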

Powershell Create and Export Root Cert PFX

Apologies ahead of time if I don't get the syntax correct. This is my first pass at certificate creation.
I am attempting to use Powershell to create a root certificate. I am using the following code:
$todaydt = Get-Date
$50years = $todaydt.AddYears(50)
$mypwd = ConvertTo-SecureString -String "*******" -Force -AsPlainText
$rootCert = New-SelfSignedCertificate -Subject 'CN=127.0.0.1' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -notafter $50years
Export-PfxCertificate -Cert $rootCert -FilePath c:\temp\my.pfx -Password $mypwd -ChainOption EndEntityCertOnly -NoProperties -Verbose
When I run it I get: Export-PfxCertificate: Cannot export non-exportable private key.
According to someone else in the same situation they found it to be essentially a permissions issue and solved it by:
"I checked the option "manage private keys" and you just get the
permissions to see - so I added my admin account...."
And then they were able to export. I am not sure what this means, though. Anyone have an idea or another answer?
Thanks.

Export certificate as pfx

I'm trying to export my certificate as a PFX. I'm doing that via certmgr.msc, but some of the options are grayed out.
So I wanted to use Powershell for this.
I'm going to the store where the certificate is located (cert:\CurrentUser\My) and I'm entering the following command:
Export-PfxCertificate -Cert .\4BBB***************************** -FilePath 'C:\Users\jwozniak\Documents\outfile.pfx' -Password (ConvertTo-SecureString -String 'password63' -AsPlainText -Force)
(without * of course)
And I get the below error:
I'd appreciate some guidance.
When a certificate is created, you need to make sure the private key is marked "Exportable".
Only then does the Export-PfxCertificate command work without errors.
Some examples which may help you:
1) For creating a self-signed certificate with the private key marked Exportable:
$cert = New-SelfSignedCertificate -DnsName $certname -certStorelocation cert:\localmachine\my -KeyLength 2048 -KeyFriendlyName $certname -FriendlyName $friendlyName -HashAlgorithm sha256 -Keyexportpolicy Exportable
Here the parameter -Keyexportpolicy plays an important role for serving the purpose.
2) For your question of how to import a certificate with the exportable private key option, follow the command below:
Import-PfxCertificate -FilePath C:\Temp\$certname.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $certpwd1 -Exportable
Here the parameter -Exportable plays an important role for serving the purpose.
A certificate (on windows) has export policies. You cannot get around that except using for instance https://github.com/gentilkiwi/mimikatz
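Both export questions above end in "Cannot export non-exportable private key". The following is an added example, not code from either question or answer: it reads the export policy of a certificate's private key before Export-PfxCertificate is called, handling both legacy CSP keys (such as the 'Microsoft Enhanced RSA and AES Cryptographic Provider' key in the first question) and CNG/KSP keys. It assumes Windows PowerShell 5.1 on .NET Framework 4.6.1 or later; the function name and the subject lookup are chosen for this example.

```powershell
# Added example (not from the original posts): report a private key's export policy
# so the Export-PfxCertificate failure can be understood before it happens.
function Get-PrivateKeyExportInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $info = [ordered]@{
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        KeyType       = $null
        Exportable    = $false
        ExportPolicy  = $null
    }
    if (-not $Certificate.HasPrivateKey) { return [pscustomobject]$info }

    # GetRSAPrivateKey yields RSACng for KSP keys and RSACryptoServiceProvider for CSP keys;
    # non-RSA certificates fall through to the ECDSA accessor.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
    }

    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $csp = $key.CspKeyContainerInfo
        $info.KeyType      = 'CAPI: ' + $csp.ProviderName
        $info.Exportable   = $csp.Exportable
        $info.ExportPolicy = if ($csp.Exportable) { 'Exportable' } else { 'NonExportable' }
    } elseif ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
        $cng = $key.Key
        $info.KeyType      = 'CNG: ' + $cng.Provider.Provider
        $info.ExportPolicy = $cng.ExportPolicy
        $info.Exportable   = ($cng.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    }
    [pscustomobject]$info
}

# Usage: check the root certificate from the first question (subject CN=127.0.0.1) before exporting
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq 'CN=127.0.0.1' } | Select-Object -First 1
$report = Get-PrivateKeyExportInfo -Certificate $cert
$report
if ($report.Exportable) {
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $env:TEMP 'my.pfx') -Password $pfxPassword | Out-Null
} else {
    Write-Warning 'Private key is not exportable; recreate it with -KeyExportPolicy Exportable or import the PFX with -Exportable.'
}
```

An export policy is fixed when the key is generated or imported, so a NonExportable result is not repaired by permissions on the key file; as the answers above say, the certificate has to be created with -KeyExportPolicy Exportable or imported with -Exportable.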

How can I create a self signed certificate?

I created a self-signed certificate with PowerShell on my server.
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
I go on mmc :
File -> Add or Remove Snap-ins -> Certificates -> Add -> Computer account -> Local computer
I expand the Personal folder and see my localhost certificate.
I copy and paste it into Trusted Root Certification Authorities - Certificates
After that I bind my application on IIS :
But I still have the error :
How can I resolve my issue? Or maybe there is another free solution.
The following commands in PowerShell (run as admin) will do the trick:
1.- We create a new root trusted cert:
$rootCert = New-SelfSignedCertificate -Subject 'CN=TestRootCA,O=TestRootCA,OU=TestRootCA' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'
2.- We create the cert from the root trusted cert chain:
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My" -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA256"
3.- We copy the thumbprint returned by the last command
4.- (If necessary) We remove the last association ip/port/cert:
netsh http delete sslcert ipport=0.0.0.0:3002
5.- We associate the new certificate with any ip and your port, 3002 in your case (the appid value is any valid guid):
netsh http add sslcert ipport=0.0.0.0:3002 appid='{214124cd-d05b-4309-9af9-9caa44b2b74a}' certhash=here_the_copied_thumbprint
6.- Now, you must drag and drop the TestRootCA from Personal/Certificates folder to Trusted Root Certification Authorities/Certificates.
These commands also resolve the error ERR_CERT_WEAK_SIGNATURE_ALGORITHM returned later by Google Chrome, because the certificate is created with SHA256 instead of SHA1.
You should copy the certificate to both Personal and Trusted Root Certification Authorities. To set up a self-signed certificate with PowerShell for IIS, the function below should help you out.
Run the script as administrator; if you are on Windows 10, chances are that you must install the WebAdministration module.
#Install-Module -Name 'WebAdministration'
Import-Module -Name WebAdministration
function AddSelfSignedCertificateToSSL([String]$dnsname, [String]$siteName='Default Web Site'){
    # Create the certificate in the machine Personal store
    $newCert = New-SelfSignedCertificate -DnsName $dnsname -CertStoreLocation Cert:\LocalMachine\My
    # Attach it to the site's existing https binding
    $binding = Get-WebBinding -Name $siteName -Protocol "https"
    $binding.AddSslCertificate($newCert.GetCertHashString(), "My")
    $newCertThumbprint = $newCert.Thumbprint
    # Add the same certificate to the machine Trusted Root store
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", LocalMachine
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
    $store.Add($newCert)
    $store.Close()
    return $newCertThumbprint
}
Write-Host "Installing self-signed certificate to Cert:\LocalMachine\My and Cert:\LocalMachine\Root .."
$certinstalledThumbprint = AddSelfSignedCertificateToSSL 'someacmeapp.somedomain.net'
Write-Host "Added certificate $certinstalledThumbprint to Cert:\LocalMachine\My and Cert:\LocalMachine\Root and set it up as the SSL certificate on Default Web Site."
Note that modern browsers such as Chrome will complain about the weak algorithm used in the self-signed certificate and about the fact that there is no third-party certificate authority (such as GoDaddy et cetera) that can confirm the certificate's validity, since it is self-signed and uses a weak algorithm.
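The two answers above differ in what ends up in the Trusted Root store: the first trusts a separate test root and issues the site certificate from it, the second places the self-signed leaf itself in Trusted Root. The following is an added example, not code from either answer, that carries the first approach through end to end: only the root's public certificate is imported into Trusted Root (its private key never leaves the Personal store), the leaf carries a Subject Alternative Name and the serverAuth EKU, and the chain is checked with Test-Certificate the way a client would check it. The `2.5.29.19={critical}{text}CA=true` text form mirrors the `CA=false` form used on this page and is assumed to be accepted; host name, site name and validity periods are placeholders chosen for this example. Run it elevated.

```powershell
# Added example (not from the original answers): two-tier test chain for a local IIS site.
Import-Module WebAdministration

$hostName = 'localhost'          # placeholder; the name the browser will request
$siteName = 'Default Web Site'   # placeholder; the IIS site to bind

# 1. Test root CA. Its private key stays in LocalMachine\My so it can issue further leaves.
$rootCert = New-SelfSignedCertificate -Subject 'CN=Local Test Root CA' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @('2.5.29.19={critical}{text}CA=true') `
    -NotAfter (Get-Date).AddYears(5) -CertStoreLocation Cert:\LocalMachine\My

# 2. Site certificate: SAN from -DnsName, serverAuth EKU (1.3.6.1.5.5.7.3.1), signed by the root.
$leaf = New-SelfSignedCertificate -DnsName $hostName -Signer $rootCert `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1) -CertStoreLocation Cert:\LocalMachine\My

# 3. Trust the root by its public certificate only; no private key is copied to Trusted Root.
$cerPath = Join-Path $env:TEMP 'local-test-root.cer'
Export-Certificate -Cert $rootCert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $cerPath

# 4. Bind the leaf to the site's https binding, creating the binding if it does not exist yet.
if (-not (Get-WebBinding -Name $siteName -Protocol https)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443
}
$binding = Get-WebBinding -Name $siteName -Protocol https
$binding.AddSslCertificate($leaf.Thumbprint, 'My')

# 5. Verify the chain under the SSL policy for the expected host name; $true means a client
#    on this machine will build a trusted chain to the leaf.
Test-Certificate -Cert $leaf -Policy SSL -DNSName $hostName
```

Keeping the leaf out of Trusted Root means a leaked site key cannot be used to issue anything trusted on the machine, and the root can be withdrawn later by removing a single entry from Cert:\LocalMachine\Root.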

Always Encrypted - create certificate error windows server 2012

When I try to create the certificate, column master key and column encryption key using the below PS script, it works fine in Windows 10:
Import-Module "SqlServer"
$serverName = "XXX"
$databaseName ="XX"
$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security=true"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$connection.ConnectionString = $connStr
$connection.Connect()
$server = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName]
$cert = New-SelfSignedCertificate -Subject "Cert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation "LocalMachine" -Thumbprint $cert.Thumbprint
$cmkName = "CMK1"
New-SqlColumnMasterKey -Name $cmkName -InputObject $database -ColumnMasterKeySettings $cmkSettings
$cekName = "CEK1"
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database -ColumnMasterKey $cmkName
but I get an error in Windows Server 2012. If I remove the following:
-Subject, -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
and use -DNSName only, then it just creates the column master key and throws an error while creating the column encryption key.
Can someone please provide me the correct syntax which works on Windows Server 2012 and creates the certificate, column master key and column encryption key?
Please refer to the "Create a self-signed certificate using PowerShell" section of this article.
To be used as Always Encrypted CMKs, certificates require a specific configuration.
You should be able to create a certificate to be used as a CMK using the following commands:
New-SelfSignedCertificate is a Windows PowerShell cmdlet that creates a self-signed certificate. The below examples show how to generate a certificate that can be used as a column master key for Always Encrypted.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:CurrentUser\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
# To create a certificate in the local machine certificate store location you need to run the cmdlet as an administrator.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
This should work with Server 2012; you will have to install the makecert utility if it does not exist:
makecert.exe -n "CN=Always Encrypted Certificate - exported" -pe -sr CurrentUser -r -eku 1.3.6.1.5.5.8.2.2,1.3.6.1.4.1.311.10.3.11 -ss my -sky exchange -sp "Microsoft Strong Cryptographic Provider" -sy 1 -len 2048 -a sha256