I am trying to install a certificate provided by mitmproxy.org via powershell and windows is not saving the certificate in the correct location.
Commands I tried to run:
Get-ChildItem -Path c:\mitmproxy-ca-cert.p12 | Import-PfxCertificate -CertStoreLocation cert:\LocalMachine\Root Instead of inserting a cert into Trusted Root Certification Authorities, it put it in Intermediate Certification Authorities.
Get-ChildItem -Path c:\mitmproxy-ca-cert.p12 | Import-PfxCertificate -CertStoreLocation cert:\CurrentUser\Root Did the same as the first command.
Even setting the working location to PS Cert:\localmachine\Root> did not manage to import into the Root location. Get-ChildItem -Path c:\mitmproxy-ca-cert.p12 | Import-PfxCertificate -CertStoreLocation .
There are no errors, all commands ran their course. I ran them with admin privileges.
Manually left-clicking on the mitmproxy-ca-cert.p12 however does start an import GUI that successfully imports it into the Root location. Why is the powershell not working tho?
Following mitmproxy.org own guide for command-line installation is of no use because it simply doesn't work:
How to install on Windows (Automated)
certutil.exe -importpfx Root mitmproxy-ca-cert.p12
C:\>certutil -importpfx Root mitmproxy-ca-cert.p12
Enter PFX password:
CertUtil: -importPFX command FAILED: 0x80092007 (-2146885625 CRYPT_E_SELF_SIGNED)
CertUtil: The specified certificate is self signed.
Can anyone shed some light what is going on here? Thank you.
I make a script for you, tell me if you don't understand.
$in_cert = "C:\Users\Marian\Desktop\Pfx Certificate.pfx";
$password = Read-Host -AsSecureString;
# Read the pfx certificate data:
$pfx = (Get-PfxData -FilePath $in_cert -Password $password -ErrorAction Stop);
# Get the root and publisher certificate:
$root = $pfx.OtherCertificates[0];
$publisher = $pfx.EndEntityCertificates[0];
# Add the root:
$rootStore = Get-Item "Cert:\CurrentUser\Root";
$rootStore.Open('ReadWrite');
$rootStore.add($root);
$rootStore.close();
# Add the publisher:
$rootStore = Get-Item "Cert:\CurrentUser\TrustedPublisher";
$rootStore.Open('ReadWrite');
$rootStore.add($publisher);
$rootStore.close();
Pause;
I posted to my post too: My Post
Related
I have configured a powershell script, which creates a vpn conection profile.
To make it work i need to add proper certificate.
Everything works fine when i add a certificate manually to local machine:
More detailed regarding importing certificate manualy:
Info
I'm trying to perform this task via powershell, but it doesn't work (script seems to work, but i am not sure to which stores should i copy certificate). In contrary to manual method - the certificate added by my powershell script is invisible for vpn connection.
#add certificate
$cert_name=$env:USERNAME+"#vpn.contoso.com.p12"
$cert_loc="\\ad\deploy\other\certs\"+$cert_name
$secure_pwd = ConvertTo-SecureString "contoso987%#" -AsPlainText -Force
Import-PfxCertificate -FilePath $cert_loc -CertStoreLocation Cert:\LocalMachine\My -Password $secure_pwd
# Add vpn connection
Add-VpnConnection -Name "Example VPNX" -ServerAddress "vpn.example.com" -AuthenticationMethod "MachineCertificate" -TunnelType "IKEv2" -EncryptionLevel "Maximum" -SplitTunneling $True
I would like to do it the same way the certificate import wizard does. Does anyone have experience in that ?
PS
I've changed addresses in codes etc.
Kind Regards,
Tamara
I've decided to post the solution. Although it is not developed in powershell it solves the problem completely. It is possible to import these kind of certificates from command prompt:
certutil -f -p Some_password -importpfx "\\ad\somepath\certificate.p12"
We use user certificates for authenticating to various services, but the certificates expire after a year unless renewed manually. I am attempting to create a logon script that will detect if the certificate is about to expire and renew it proactively.
The manual process we use currently is having the user log in, launching certmgr.msc, expanding Personal > Certificates, right-clicking the certificate, All Tasks > Renew Certificate with New Key (or Request New if it's already expired).
cd cert:\
$certs = Get-ChildItem -Recurse -ExpiringInDays 180 | Where subject -Like "*(foo)*"
if ($certs)
{
ForEach ($cert in $certs)
{
certreq -enroll -user -q -policyserver * $cert.thumbprint renew
}
}
I ran this successfully once, but I get the following error when I run the script:
Certificate Request Processor: The parameter is incorrect. 0x80070057
(WIN32: 87 ERROR_INVALID_PARAMATER)
I get the same result if enter garbage data or identify the certificate by serial number or thumbprint. The script is able to reliably find the certificate I want, but the certreq command is failing.
Any advice is greatly appreciated.
-cert parameter missing
Get-ChildItem cert:\ -Recurse -ExpiringInDays 180 | Where subject -Like "*(foo)*" | % {
certreq -enroll -user -q -policyserver * -cert $($_.thumbprint) renew
}
p12 file with 7 certificates in it.
Following the instruction that came along with the cert file, we have to use MMC and a password to import all certs into a personal store.Instruction also says to check mark private key exportable.
in order to automate this, I tried using certutil -importpfx but that only added 4 out of 7 certificates. I am unable to see other 3 certs. The diff i noticed is the imported certs are the ones with "ext issuing CA" and missing certs are with "issuing CA" in the Subject .
Any pointers please
I found an alternate solution using powershell instead of certutil .
Import-pfx with flag -exportable imported all the certs.
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Password $Securepwd -FilePath $findP12Cert.FullName -Exportable -Verbose
I am trying to export a certificate public and private key to a PFX file via a powershell script. I am currently using the following code
Get-ChildItem -Path Cert:\CurrentUser\My\$Thumbprint | Export-PfxCertificate -FilePath $OutputFile -Password $privateKeyPass -ChainOption EndEntityCertOnly
However, when I work with the resulting PFX file in something like certutil, it doesn't ask for a private key password. For example here is an example of what I get when i dump the cert with certutil:
> certutil -dump cert.pfx
Certificates: Not Encrypted
================ Certificate 0 ================
[cert data removed]
---------------- End Nesting Level 1 ----------------
Key Container = PfxContainer
Provider = PfxProvider
Encryption test FAILED
CertUtil: -dump command completed successfully.
If I use the certificates MMC snapin to export the cert I can select the "Enable certificate privacy" option and it will export an encrypted certificate.
My question is...
Is there a way to tell the export-pfxcertificate cmdlet to enable certificate privacy so that it is encypted? If not, what other solution do I have?
I have to sign remote scripts with a certificate from the remote machine from which I have a .pfx file.
I would like to automate the scripting by supplying the password to the Get-PfxCertificate programmatically.
So the question is:
Is it possible to somehow supply programmatically the required password to
Get-PfxCertificate?
$CertPath = "my.pfx"
$CertPass = "mypw"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
Set-AuthenticodeSignature -Certificate $Cert -TimeStampServer http://timestamp.verisign.com/scripts/timstamp.dll -FilePath $OutputFilename
Make sure you have the proper permissions otherwise you won't be able to create an instance of the X509Certificate2 object.
I did a bit of checking around on this and couldn't find a clean way to provide the password programmatically. I suspect it is meant to be this way for security reasons. Either that or the PowerShell development team just blew it by not including a Credential parameter for this cmdlet. The only other option I can think of is to use someting like SendKeys to send the individual password character key presses to the PowerShell console at the right time via a background job (blech - just threw up in my mouth a little). :-)
Another way of doing this is by loading your certificate directly from your certificate store using PS Providers. Use Get-PSProviders to determine available PSProviders on your machine.
Once you have cert provider loaded, you can now get the certificate using Get-ChildItem
Launch certmgr.msc from run to launch the certificate store
Assuming that your certificate is stored under Personal folder in your cert store and has "Company Name" set in the subject property of the certificate, and there is only certificate in that folder with Company Name in the subject - you can get the certificate like so
$my_cert = Get-ChildItem cert:\CurrentUser\My | ? {$_.Subject -match "Company Name"}
$my_cert will be your certificate object that you can pass directly to Set-AuthenticodeSignature cmdlet
Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl"
post signing, you can retrieve the sign status by querying on the Status property for "Valid" or not like
$result = Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl" | Select Status
if(-Not ($result -eq "Valid")){
Write-Output "Error Signing file: Status: $($result.Status)"
}