p12 file with 7 certificates in it.
Following the instruction that came along with the cert file, we have to use MMC and a password to import all certs into a personal store.Instruction also says to check mark private key exportable.
in order to automate this, I tried using certutil -importpfx but that only added 4 out of 7 certificates. I am unable to see other 3 certs. The diff i noticed is the imported certs are the ones with "ext issuing CA" and missing certs are with "issuing CA" in the Subject .
Any pointers please
I found an alternate solution using powershell instead of certutil .
Import-pfx with flag -exportable imported all the certs.
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Password $Securepwd -FilePath $findP12Cert.FullName -Exportable -Verbose
Related
I have configured a powershell script, which creates a vpn conection profile.
To make it work i need to add proper certificate.
Everything works fine when i add a certificate manually to local machine:
More detailed regarding importing certificate manualy:
Info
I'm trying to perform this task via powershell, but it doesn't work (script seems to work, but i am not sure to which stores should i copy certificate). In contrary to manual method - the certificate added by my powershell script is invisible for vpn connection.
#add certificate
$cert_name=$env:USERNAME+"#vpn.contoso.com.p12"
$cert_loc="\\ad\deploy\other\certs\"+$cert_name
$secure_pwd = ConvertTo-SecureString "contoso987%#" -AsPlainText -Force
Import-PfxCertificate -FilePath $cert_loc -CertStoreLocation Cert:\LocalMachine\My -Password $secure_pwd
# Add vpn connection
Add-VpnConnection -Name "Example VPNX" -ServerAddress "vpn.example.com" -AuthenticationMethod "MachineCertificate" -TunnelType "IKEv2" -EncryptionLevel "Maximum" -SplitTunneling $True
I would like to do it the same way the certificate import wizard does. Does anyone have experience in that ?
PS
I've changed addresses in codes etc.
Kind Regards,
Tamara
I've decided to post the solution. Although it is not developed in powershell it solves the problem completely. It is possible to import these kind of certificates from command prompt:
certutil -f -p Some_password -importpfx "\\ad\somepath\certificate.p12"
I am generating self-signed .pfx certificates for a java application running on a couple of Windows servers. These certificates will be imported into their respective java keystores.
My question is: Can I generate a self-signed certificates for server2, server3 and server4 on server1? Is there anything in a certificate, apart from the dns name, that would bind it to the machine on which it was generated?
My concern is that if I generate the certificate for server2 on server1, the certificate will still be somehow bound to server 1 only.
I am using the following powershell script to generate the certificates:
$cert = New-SelfSignedCertificate -keyfriendlyname server1 -certstorelocation cert:\localmachine\my -dnsname server1.mydomain.com
Export-PfxCertificate -cert ‘cert:\localMachine\my\’ -FilePath C:\Certificates\server1.pfx -Password dummypassword
My idea was to simplify the process of generating the certificates by running the script on a single server and just altering the dnsname, alias and file name for each certificate.
You can generate a certificate on any machine for any machine, just set the common name correctly (certificate's CN field).
See parameter -Subject of the PowerShell command
Note that moving private keys around is a bad practice, you should instead generate the key-pair on the same machine that it is to be used by.
I have a .crt and .key file, from which I am creating a .pfx file using OpenSSL. I am trying to use PowerShell to import the .pfx file into Cert:\LocalMachine\My, then I'll use that certificate for OpenVPN. Using the following code, I am not getting any errors on the import:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.open("MaxAllowed")
$store.add($cert)
$store.close()
I can see the cert in the MMC, but OpenVPN's log file shows:
error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist
I have tried $certPassword as both a string and secure string. When I import the certificate via the GUI (copying the password from the content of $certPassword), OpenVPN starts normally.
I also tried this code but saw the same behavior:
Import-PfxCertificate -Password ($certPassword | ConvertTo-SecureString -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -FilePath $env:temp\$site.pfx
Finally, I am running the PowerShell session elevated.
What could I be doing wrong? Thanks.
Since you are adding the certificate to the LocalMachine\My store you probably want to import it with X509KeyStorageFlags.MachineKeySet
That might be
$cert.import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet | MachineKeySet")
but I don't actually know PowerShell, so I don't know the flags syntax.
The second possibility is that the PFX import saved the key under CNG but OpenVPN didn't use the "I know what CNG means" flag. You can make the import load the key in CAPI by specifying the CSP value when building the PFX with openssl
openssl pkcs12 -export ... -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
I try to import certificate in powershell as the following
Import-PfxCertificate -FilePath "$certFolder\$certFile" -CertStoreLocation Cert:\LocalMachine\Root -Password $securedPassword
The command run without any errors but the certificate is placed under Intermediate CAs with the information that CA root is not trusted.
When I import the same certificate manually with the option checked "Automatically select the certificate store..." it is placed properly under the Trusted CAs.
What do I miss while importing the certificate automatically?
I am trying to export a certificate public and private key to a PFX file via a powershell script. I am currently using the following code
Get-ChildItem -Path Cert:\CurrentUser\My\$Thumbprint | Export-PfxCertificate -FilePath $OutputFile -Password $privateKeyPass -ChainOption EndEntityCertOnly
However, when I work with the resulting PFX file in something like certutil, it doesn't ask for a private key password. For example here is an example of what I get when i dump the cert with certutil:
> certutil -dump cert.pfx
Certificates: Not Encrypted
================ Certificate 0 ================
[cert data removed]
---------------- End Nesting Level 1 ----------------
Key Container = PfxContainer
Provider = PfxProvider
Encryption test FAILED
CertUtil: -dump command completed successfully.
If I use the certificates MMC snapin to export the cert I can select the "Enable certificate privacy" option and it will export an encrypted certificate.
My question is...
Is there a way to tell the export-pfxcertificate cmdlet to enable certificate privacy so that it is encypted? If not, what other solution do I have?