I'm trying to export my certifcate as pfx. I'm doing that my certmgr.msc but some of the options are gray.
certmgr
So I wanted to use Powershell for this.
I'm going to the catalogue where the certificate is located (cert:\CurrentUser\My) and I'm inducing a syntax:
Export-PfxCertificate -Cert .\4BBB***************************** -FilePath 'C:\Users\jwozniak\Documents\outfile.pfx' -Password (ConvertTo-SecureString -String 'password63' -AsPlainText -Force)
(without * of course)
And I get an below error:
I'd appreciate some guidance.
When a certificate is created, You need to make private key has "Exportable".
Then only Export-PfxCertificate command works fine without errors.
Some of examples which may help you :
1)For creating self signed certificate by marking private key has Exportable
$cert = New-SelfSignedCertificate -DnsName $certname -certStorelocation cert:\localmachine\my -KeyLength 2048 -KeyFriendlyName $certname -FriendlyName $friendlyName -HashAlgorithm sha256 -Keyexportpolicy Exportable
Here parameter -Keyexportpolicy plays an important role for serving the purpose.
2)For Your question how to import certificate with option exportable private key ?
Follow the below command
Import-PfxCertificate -FilePath C:\Temp\$certname.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $certpwd1 -Exportable
Here parameter -Exportable plays an important role for serving the purpose
A certificate (on windows) has export policies. You cannot get around that except using for instance https://github.com/gentilkiwi/mimikatz
Related
I have put my Powershell Script below. I am creating an HTTPS certificate ($httpsk) from a self-signed certificate ($ca). When I run the script, It fails on the "New-IISSiteBinding." Overall, this should be creating 2 certificates (check) and then using one of those certificates
$ca = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My `
-FriendlyName $Name -DnsName $Name `
-KeyusageProperty All -KeyUsage CertSign, CRLSign, DigitalSignature `
-KeyAlgorithm RSA -KeyLength 4096 -NotAfter (Get-Date).AddYears(20)
# Generate HTTPS certificate issued by the self-signed CA
$httpsk = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My `
-FriendlyName "$FriendlyNameHTTPS" `
-DnsName $DnsNameHTTPS `
-KeyAlgorithm RSA -KeyLength 2048 -Signer $ca -NotAfter (Get-Date).AddYears(3)
Write-Warning "Generated a certificate which may be used for the HTTPS binding."
Export-Certificate -FilePath "C:\temp\certificate" -Cert $ca | Out-Null
$thumbprint = $httpsk.thumbprint
$websiteName = "Default Web Site"
New-IISSiteBinding -Name $websiteName -BindingInformation "*:443:$domainName" -CertificateThumbPrint $thumbprint -CertStoreLocation "cert:\LocalMachine\my" -Protocol "https"
The error I get is:
New-IISSiteBinding : The configuration object is read only, because it has been committed by a call to ServerManager.CommitChanges(). If
write access is required, use ServerManager to get a new reference.
At line:1 char:5
+ New-IISSiteBinding -Name $websiteName -BindingInformation "*:443" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-IISSiteBinding], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.IIS.Powershell.Commands.NewIISSiteBindingCommand
I looked around stack overflow, Microsoft, and several third party sites but cannot find anything on this. There was something similar that might be helpful for you to look at. It's with a slightly different problem and it was C# rather than a PowerShell script. Here is the link. What exactly is the problem and how do I fix it? I'm semi-new to IIS. What is it referring to when it says the "configuration object"? is that the certificate, the site, or the binding?
You can check whether your command format error is causing the problem according to this website.
This is for reference: New-IISSiteBinding
Apologies ahead of time if I don't get syntax correct. This is my first pass at certificate creation.
I am attempting to use Powershell to create a root certificate. I am using the following code:
$todaydt = Get-Date
$50years = $todaydt.AddYears(50)
$mypwd = ConvertTo-SecureString -String "*******" -Force -AsPlainText
$rootCert = New-SelfSignedCertificate -Subject 'CN=127.0.0.1' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -notafter $50years
Export-PfxCertificate -Cert $rootCert -FilePath c:\temp\my.pfx -Password $mypwd -ChainOption EndEntityCertOnly -NoProperties -Verbose
When I run it I get: Export-PfxCertificate: Cannot export non-exportable private key.
According to someone else in the same situation they found it to be essentially a permissions issue and solved it by:
"I checked the option "manage private keys" and you just get the
permissions to see - so I added my admin account...."
And then they were able to export. I am not sure what this means though? Anyone have an idea or another answer?
Thanks.
Using makecert.exe I can take a pvk file and generate a CRL using the following command:
makecert.exe -crl -n "CN=Foobar" -r -sv "Foobar.pvk" "Foobar.crl"
What is the equivalent Powershell command?
The following code uses Powershell to generate the PVK and CER files, but I can't figure out how to generate the CRL
$rootcert = New-SelfSignedCertificate -DnsName "CN=Foobar" -CertStoreLocation cert:\LocalMachine\My
$PFXPass = ConvertTo-SecureString -String "my password" -Force -AsPlainText
Export-PfxCertificate -Cert $('cert:\LocalMachine\My\' + $rootcert.Thumbprint) -Password $PFXPass -FilePath "Foobar.pvk"
Export-Certificate -Cert $('cert:\LocalMachine\My\' + $rootcert.Thumbprint) -FilePath "Foobar.cer"
Three things to consider:
makecert.exe tool is deprecated and no longer recommended for use: MakeCert.
CRL generation for self-signed certificates is useless and makes no sense. Revocation for self-signed certificates is undefined, because it leads to an egg and chicken problem. And they use explicit trust.
Manual CRL generation is an unmaintainable solution. You should use CA software to run your own CA and automate CA-specific routines.
I'm trying to sign a .ps1 using self-signed certificates (the use case is for scripts I write myself on my private dev station, so no need to use - or pay for -
a real CA). However, no matter how many guides on the topic of certificates generation and digital signatures I read, I can't seem to get it working.
Here's what I have accomplished so far:
# Create a certificate to use as trusted root of the signing chain
$root = New-SelfSignedCertificate `
-Subject "CN=PowerShell Trusted Authority" `
-FriendlyName "PowerShell Trusted Authority" `
-KeyUsageProperty Sign `
-KeyUsage CertSign, CRLSign, DigitalSignature `
-CertStoreLocation Cert:\LocalMachine\My\ `
-NotAfter (Get-Date).AddYears(10)
# Create a certificate to use for signing powershell scripts
New-SelfSignedCertificate `
-Signer $root `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root
All of the above done from an administrative powershell instance. After that is done, I can see both certificates, in the expected locations, in the management console, and the certificate path of the signing cert checks out as valid.
I then open a regular PS prompt and attempt to sign the script:
# Obtain a reference to the signing certificate
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert
# Attempt at signing
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert
Directory: C:\Users\tomas\Documents\WindowsPowerShell
SignerCertificate Status Path
----------------- ------ ----
UnknownError Microsoft.PowerShell_profile.ps1
As you can see, the actual signing fails. Looking at the powershell file, I see that no signature has been appended to the script.
If I do the signing from an admin prompt, I seem to get a little further; a signature block is added to the script, and the thumbprint of the signing cert is printed in the output from Set-AuthenticodeSignature, but the status is still UnknownError and execution under the AllSigned policy is still not allowed.
# Output some info about the certificate:
PS> $cert | Format-List
Subject : CN=PowerShell Code Signing
Issuer : CN=PowerShell Trusted Authority
Thumbprint : <omitted>
FriendlyName :
NotBefore : 9/20/2017 10:48:59 PM
NotAfter : 9/20/2018 11:08:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
I've tried a multitude of variants of New-SelfSignedCertificate incantations, especially to generate the certificate for code signing, but always with the same status message (UnknownError).
My ultimate goal here is to be able to have Set-ExecutionPolicy AllSigned and still run scripts that I've created myself. What am I missing in this process to make that work?
Thinking about this, you don't need a certificate chain trust, therefore, you don't need your first certificate. You can use the second certificate and move it into your Trusted Root folder and it will work. Using the first certificate and then creating another certificate seems to fail because the 'root' is self signed and then can't sign another certificate.
SELF SIGNED CERTIFICATE method
# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root
# Obtain a reference to the code signing cert in Trusted Root
$selfsignrootcert = "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert
If you have access to an Enterprise Root CA, you can use the method you have used in your question.
ENTERPRISE ROOT CA method (same method as you have in your question) - you need to know your Root CA certificate thumbprint
# Get Enterprise Root CA thumbprint
$rootcert = get-childitem Cert:\LocalMachine\Root\XXXXXXXXXXXX
# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
-Signer $rootcert `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $fromrootcert
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject "Code Signing"
Move-Item -Path $cert.PSPath -Destination "Cert:\CurrentUser\Root"
Set-AuthenticodeSignature -FilePath c:\go.ps1 -Certificate $cert
source
https://blogs.u2u.be/u2u/post/creating-a-self-signed-code-signing-certificate-from-powershell
when i try to create certificate, column master key and column encryption key using the below PS script its works fine in windows 10
Import-Module "SqlServer"
$serverName = "XXX"
$databaseName ="XX"
$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security=true"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$connection.ConnectionString = $connStr
$connection.Connect()
$server = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName]
$cert = New-SelfSignedCertificate -Subject "Cert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation "LocalMachine" -Thumbprint $cert.Thumbprint
$cmkName = "CMK1"
New-SqlColumnMasterKey -Name $cmkName -InputObject $database -ColumnMasterKeySettings $cmkSettings
$cekName = "CEK1"
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database -ColumnMasterKey $cmkName
but getting error in windows server 2012. if i remove the following:
-Subject, -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
and use -DNSName only then it just create column master key and throw error while create column encryption key.
someone please provide me correct syntax which works on Windows server 2012 and create certificate , column master key and column encryption key?
Please refer to Create a self-signed certificate using PowerShell section of this article.
To be used as Always encrypted CMKs, certificates require a specific configuration.
You should be able to create a certificate to be used as CMK using the following commands
New-SelfSignedCertificate is a Windows PowerShell cmdlet that creates a self-signed certificate. The below examples show how to generate a certificate that can be used as a column master key for Always Encrypted.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:CurrentUser\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
# To create a certificate in the local machine certificate store location you need to run the cmdlet as an administrator.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
This should work with Server 2012, you will have to install makecert utility if it does not exist:
makecert.exe -n "CN=Always Encrypted Certificate - exported" -pe -sr CurrentUser -r -eku 1.3.6.1.5.5.8.2.2,1.3.6.1.4.1.311.10.3.11 -ss my -sky exchange -sp "Microsoft Strong Cryptographic Provider" -sy 1 -len 2048 -a sha256