Certificate imported to trusted root is placed under Intermediate CA - powershell

I try to import a certificate in PowerShell as follows:
Import-PfxCertificate -FilePath "$certFolder\$certFile" -CertStoreLocation Cert:\LocalMachine\Root -Password $securedPassword
The command runs without any errors, but the certificate is placed under Intermediate CAs with the information that the CA root is not trusted.
When I import the same certificate manually with the option checked "Automatically select the certificate store..." it is placed properly under the Trusted CAs.
What do I miss while importing the certificate automatically?

Powershell command for importing Certificates to the "UNTRUSTED CERTIFICATES\CERTIFICATES" location

The command I'm using that is working perfectly for the "Trusted Root Certification Authorities\Certificates" store is:
$file = (Get-ChildItem -Path "D:/Root CA 2.cer")
$file | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
When it comes to the 6 different certs that need to be imported to the "Trusted Root Certification Authorities" this command works perfectly. Root CA 2, 3, 4, 5, and the two different ECA Roots 2 and 4 all are placed in their location. However, when it comes to the CCEB Interoperability cert, this command also places it in the "Trusted Root Certification Authorities". The CCEB cert is supposed to be located in the "Untrusted Certificates" location. What confuses me most is that when you use the MMC console and right-click import and choose this file, it automatically knows that it's supposed to be in the "Untrusted" location. I thought that the PowerShell command would produce the same result, but it doesn't. It keeps placing it in the wrong location. I'm brand new to PowerShell and can't find any discussion on this topic. Please help, and thank you in advance.
PowerShell can use cert:\ paths to browse the certificate store like a file system. Check out the about_Certificate_Provider page for more details. Each cert store's name is a little different from what you see in the MMC, though.
cert:\LocalMachine\Root is the "Trusted Root Certification Authorities" store, so any certificates you import are placed there when you specify -CertStoreLocation that way.
"Untrusted Certificates" is named Disallowed, so you can import like so:
Get-Item "D:\folder\BadCerts.sst" |
Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Disallowed"
PowerShell can't easily display the certificate trust list (CTL) in the untrusted certs store, but it can import just fine.
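Both the first question (a certificate that did not land where -CertStoreLocation pointed) and this answer (the Disallowed store) come down to checking which store a certificate actually ended up in. The following is an added example, not code from either poster: it wraps Import-Certificate for a named LocalMachine store and then searches every LocalMachine store for the thumbprint, so the result of an import can be confirmed instead of assumed. The file paths are placeholders, and it must run in an elevated session.

```powershell
# Added example: import a certificate file into a named LocalMachine store, then
# locate it by thumbprint across all LocalMachine stores to confirm placement.
# Assumptions: C:\certs\... are placeholder paths; run from an elevated prompt.

function Import-CertToStore {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Store names as the cert: provider sees them: Root, CA, Disallowed, My, ...
        [Parameter(Mandatory)][string]$StoreName
    )
    $store = "Cert:\LocalMachine\$StoreName"
    if (-not (Test-Path $store)) { throw "Store '$store' does not exist" }
    # Import-Certificate returns the X509Certificate2 object(s) it imported
    Import-Certificate -FilePath $Path -CertStoreLocation $store
}

function Find-CertStores {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Each child of Cert:\LocalMachine is an X509Store; test for the thumbprint in each
    Get-ChildItem Cert:\LocalMachine | ForEach-Object {
        $name = $_.Name
        if (Test-Path "Cert:\LocalMachine\$name\$Thumbprint") { $name }
    }
}

# Expected to land in Trusted Root Certification Authorities
$imported = Import-CertToStore -Path 'C:\certs\Root CA 2.cer' -StoreName 'Root'
$where = @(Find-CertStores -Thumbprint $imported.Thumbprint)
"Thumbprint $($imported.Thumbprint) found in: $($where -join ', ')"
if ('Root' -notin $where) { Write-Warning 'Certificate did not land in the Root store' }

# "Untrusted Certificates" in the MMC is the Disallowed store to the cert: provider
$blocked = Import-CertToStore -Path 'C:\certs\CCEB-Interop.cer' -StoreName 'Disallowed'
"Blocked cert found in: $((Find-CertStores -Thumbprint $blocked.Thumbprint) -join ', ')"
```

A certificate can legitimately show up in more than one store (for example Root and CA at once), which is why the helper returns every store that contains the thumbprint rather than the first match.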

Selfsigned certificate is shown as not trusted source in signTool

I make my own certificate with signTool like
powershell.exe New-SelfSignedCertificate -DnsName "www.mydns.me" -Type CodeSigningCert -NotBefore "27.10.2021" -NotAfter "27.10.2024" -CertStoreLocation "cert:\CurrentUser\My"
The certificate is available in the certificate manager.
I signed my file with
signtool sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /a myfile.exe
I want to show certificates on the file with
signtool verify /pa myfile.exe
but it said the source is not trusted:
SignTool Error: A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
Why is the certificate not trusted when the option is /pa and it is available in my certificate center?
The self-signed certificate is self-signed and stored in your current user certificate Personal store.
Having the certificate does not mean that you trust it or that the computer trusts it.
You must import a copy of this certificate in the Trusted Root Certification Authorities. You can import it in the user store or computer store (any user on the local machine would trust your self signed certificate).
Use, for example, Import-Certificate -CertStoreLocation Cert:\CurrentUser\Root -FilePath C:\cert.cer. Only the public key must be imported in the Trusted Root Certification Authorities store and not the private key.
I don't know for the /pa option. Try without any option.
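The answer's point, that holding a self-signed certificate in Personal is not the same as trusting it, can be watched directly from PowerShell. The following is an added example, not code from the poster or the answerer: it creates a self-signed code-signing certificate, signs a constructed script with it, reports the signature state before and after the public certificate is placed in CurrentUser\Root, and uses Set-AuthenticodeSignature / Get-AuthenticodeSignature in place of signtool so it needs no SDK. The C:\temp paths and the certificate subject are placeholders.

```powershell
# Added example: show that a self-signed signing certificate only verifies once its
# public part is in a Trusted Root store. Assumptions: C:\temp is writable and the
# subject/file names are placeholders.

$cert = New-SelfSignedCertificate -Subject 'CN=Example Code Signing' -Type CodeSigningCert `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(1)

# Constructed file to sign
$script = 'C:\temp\hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello"'

# Sign with the private key held in the Personal (My) store
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

function Get-SignatureState {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    '{0}: {1}' -f $sig.Status, $sig.StatusMessage
}

# Before the root is trusted: the chain builds but ends in an untrusted root,
# the same condition signtool verify reports in the question
Get-SignatureState $script

# Export ONLY the public certificate (.cer, no private key) and import it as a trusted root
$cerPath = 'C:\temp\codesign.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# After the root is trusted: Status is Valid
Get-SignatureState $script
```

Importing into CurrentUser\Root raises a Windows confirmation dialog; importing into Cert:\LocalMachine\Root instead needs an elevated session and makes the trust apply to every account on the machine, which is the scope difference the answer mentions.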

Generate A Self Signed Certificate Signed By An Root Certificate in Powershell

How do I generate a self-signed certificate signed by a root certificate using New-SelfSignedCertificate? I have a root certificate; I just want to know how to use -Signer.
You already figured out that you need to use the -Signer parameter. Just ensure that you have the private key for the certificate you want to use to sign the new certificate. So basically you can only use certificates from the Personal store ("My" in PowerShell).
Example:
# find a suitable certificate to use as root
ls Cert:\CurrentUser\My\
$root = ls Cert:\CurrentUser\My\c123a6f16a5f165161a1... # use the thumbprint of one of your certificates
# create a certificate which is signed with your chosen root certificate
New-SelfSignedCertificate -DnsName test.local -Signer $root -CertStoreLocation Cert:\CurrentUser\My\
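The answer's snippet picks an existing certificate as the signer. As an added example (not the answerer's code) that goes one step further, the block below creates a private root that is actually marked as a CA, issues a server certificate from it with -Signer, trusts only the root's public half, and then builds the leaf's chain so the result can be inspected. Subject names and the C:\temp path are placeholders.

```powershell
# Added example: private root + leaf issued with -Signer + chain check.
# Assumptions: current-user stores; C:\temp is writable; names are placeholders.

# 1. Root: Basic Constraints ca=TRUE and a key usage that allows signing certificates
$root = New-SelfSignedCertificate -Subject 'CN=Example Private Root' `
    -KeyExportPolicy NonExportable `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -TextExtension @('2.5.29.19={critical}{text}ca=TRUE&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5) -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Leaf: -Signer works because the root's private key is in the My store;
#    the EKU text extension sets Server Authentication (1.3.6.1.5.5.7.3.1)
$leaf = New-SelfSignedCertificate -DnsName 'test.local' -Signer $root `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1) -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Trust only the root's public certificate; the leaf's chain then ends at it
$rootCer = 'C:\temp\example-root.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

function Test-LeafChain {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # A private root publishes no CRL, so skip revocation checking in this demo
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $ok
        Issuer = $Cert.Issuer
        Chain  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        Errors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Test-LeafChain $leaf
```

Running Test-LeafChain before step 3 is the quickest way to see the difference: Valid is False and Errors reports UntrustedRoot, even though the leaf was correctly issued by the root.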

Self-signed certificates limited to a host?

I am generating self-signed .pfx certificates for a java application running on a couple of Windows servers. These certificates will be imported into their respective java keystores.
My question is: Can I generate self-signed certificates for server2, server3 and server4 on server1? Is there anything in a certificate, apart from the DNS name, that would bind it to the machine on which it was generated?
My concern is that if I generate the certificate for server2 on server1, the certificate will still be somehow bound to server1 only.
I am using the following powershell script to generate the certificates:
$cert = New-SelfSignedCertificate -KeyFriendlyName server1 -CertStoreLocation Cert:\LocalMachine\My -DnsName server1.mydomain.com
# -Cert must point at the certificate itself, and -Password needs a SecureString
Export-PfxCertificate -Cert $cert -FilePath C:\Certificates\server1.pfx -Password (ConvertTo-SecureString 'dummypassword' -AsPlainText -Force)
My idea was to simplify the process of generating the certificates by running the script on a single server and just altering the dnsname, alias and file name for each certificate.
You can generate a certificate on any machine for any machine, just set the common name correctly (certificate's CN field).
See the -Subject parameter of the PowerShell command.
Note that moving private keys around is a bad practice, you should instead generate the key-pair on the same machine that it is to be used by.
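One way to follow the answer's advice (generate the key pair where it will be used, set the subject per host) without logging on to each server by hand is to run New-SelfSignedCertificate on the target through PowerShell remoting and bring back only the public certificate. This is an added example, not the poster's or the answerer's script; it assumes WinRM is enabled, the account is an administrator on each server, and the server names, domain and C:\Certificates path are placeholders.

```powershell
# Added example: generate each server's certificate on that server, so the private
# key never leaves it, and collect only the public .cer files centrally.
# Assumptions: WinRM enabled, admin rights on targets, placeholder names/paths.

$servers = 'server2', 'server3', 'server4'
$domain  = 'mydomain.com'
$outDir  = 'C:\Certificates'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$results = foreach ($s in $servers) {
    $fqdn = "$s.$domain"
    # This script block runs ON the target server
    $der = Invoke-Command -ComputerName $s -ArgumentList $fqdn -ScriptBlock {
        param($fqdn)
        $c = New-SelfSignedCertificate -Subject "CN=$fqdn" -DnsName $fqdn `
            -KeyFriendlyName $fqdn -KeyExportPolicy NonExportable `
            -CertStoreLocation 'Cert:\LocalMachine\My' -NotAfter (Get-Date).AddYears(1)
        # Only the DER-encoded public certificate crosses the wire
        $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    }

    $cerPath = Join-Path $outDir "$s.cer"
    [IO.File]::WriteAllBytes($cerPath, [byte[]]$der)
    $pub = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
    [pscustomobject]@{
        Server        = $s
        Subject       = $pub.Subject
        Thumbprint    = $pub.Thumbprint
        HasPrivateKey = $pub.HasPrivateKey   # always False for the copy we hold here
    }
}

$results | Format-Table -AutoSize
```

If a .pfx is still needed for the Java keystore, the Export-PfxCertificate step belongs inside the remote script block too, with the file written and consumed on that server, so the key material stays local; the central host only ever needs the .cer to distribute trust.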

certutil not importing all certs

I have a p12 file with 7 certificates in it.
Following the instructions that came along with the cert file, we have to use MMC and a password to import all certs into a personal store. The instructions also say to check the "mark private key exportable" box.
In order to automate this, I tried using certutil -importpfx, but that only added 4 out of 7 certificates. I am unable to see the other 3 certs. The difference I noticed is that the imported certs are the ones with "ext issuing CA" and the missing certs have "issuing CA" in the Subject.
Any pointers, please?
I found an alternate solution using PowerShell instead of certutil.
Import-PfxCertificate with the flag -Exportable imported all the certs.
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Password $Securepwd -FilePath $findP12Cert.FullName -Exportable -Verbose
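The problem in this question was only noticed by counting what appeared in the store afterwards. As an added example (not the poster's script), the block below lists what the .p12 actually contains with Get-PfxData before importing, runs the same Import-PfxCertificate -Exportable call, and then checks every thumbprint from the file against LocalMachine\My so a short import is caught immediately. The file path is a placeholder and the password is read interactively.

```powershell
# Added example: inventory a .p12/.pfx, import it with -Exportable, and verify that
# every certificate from the file is present in LocalMachine\My.
# Assumptions: C:\certs\bundle.p12 is a placeholder; run from an elevated prompt.

$pfxPath = 'C:\certs\bundle.p12'
$pfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'

function Get-PfxInventory {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][securestring]$Password)
    $data = Get-PfxData -FilePath $Path -Password $Password
    # EndEntityCertificates carry private keys; OtherCertificates are the CA chain
    foreach ($c in @($data.EndEntityCertificates)) {
        [pscustomobject]@{ Role = 'end-entity'; Subject = $c.Subject; Thumbprint = $c.Thumbprint }
    }
    foreach ($c in @($data.OtherCertificates)) {
        [pscustomobject]@{ Role = 'chain'; Subject = $c.Subject; Thumbprint = $c.Thumbprint }
    }
}

$inventory = @(Get-PfxInventory -Path $pfxPath -Password $pfxPwd)
"File contains $($inventory.Count) certificate(s):"
$inventory | Format-Table -AutoSize

Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPwd -Exportable | Out-Null

# Compare the file's thumbprints against what is now in the Personal store
$missing = @($inventory | Where-Object { -not (Test-Path "Cert:\LocalMachine\My\$($_.Thumbprint)") })
if ($missing.Count -gt 0) {
    Write-Warning "Not found in LocalMachine\My after import: $(($missing | ForEach-Object Subject) -join '; ')"
} else {
    "All $($inventory.Count) certificates present in LocalMachine\My"
}
```

The Role column is what would have told the poster something early: the "issuing CA" entries that certutil skipped are chain certificates, which is a different kind of object from the end-entity certificates that carry the private keys, so a tool that only handles one kind can silently drop the rest.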