Always Encrypted - create certificate error windows server 2012 - powershell

when i try to create certificate, column master key and column encryption key using the below PS script its works fine in windows 10
Import-Module "SqlServer"
$serverName = "XXX"
$databaseName ="XX"
$connStr = "Server = " + $serverName + "; Database = " + $databaseName + "; Integrated Security=true"
$connection = New-Object Microsoft.SqlServer.Management.Common.ServerConnection
$connection.ConnectionString = $connStr
$connection.Connect()
$server = New-Object Microsoft.SqlServer.Management.Smo.Server($connection)
$database = $server.Databases[$databaseName]
$cert = New-SelfSignedCertificate -Subject "Cert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
$cmkSettings = New-SqlCertificateStoreColumnMasterKeySettings -CertificateStoreLocation "LocalMachine" -Thumbprint $cert.Thumbprint
$cmkName = "CMK1"
New-SqlColumnMasterKey -Name $cmkName -InputObject $database -ColumnMasterKeySettings $cmkSettings
$cekName = "CEK1"
New-SqlColumnEncryptionKey -Name $cekName -InputObject $database -ColumnMasterKey $cmkName
but getting error in windows server 2012. if i remove the following:
-Subject, -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
and use -DNSName only then it just create column master key and throw error while create column encryption key.
someone please provide me correct syntax which works on Windows server 2012 and create certificate , column master key and column encryption key?

Please refer to Create a self-signed certificate using PowerShell section of this article.
To be used as Always encrypted CMKs, certificates require a specific configuration.
You should be able to create a certificate to be used as CMK using the following commands
New-SelfSignedCertificate is a Windows PowerShell cmdlet that creates a self-signed certificate. The below examples show how to generate a certificate that can be used as a column master key for Always Encrypted.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:CurrentUser\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
# To create a certificate in the local machine certificate store location you need to run the cmdlet as an administrator.
$cert = New-SelfSignedCertificate -Subject "AlwaysEncryptedCert" -CertStoreLocation Cert:LocalMachine\My -KeyExportPolicy Exportable -Type DocumentEncryptionCert -KeyUsage KeyEncipherment -KeySpec KeyExchange -KeyLength 2048
This should work with Server 2012, you will have to install makecert utility if it does not exist:
makecert.exe -n "CN=Always Encrypted Certificate - exported" -pe -sr CurrentUser -r -eku 1.3.6.1.5.5.8.2.2,1.3.6.1.4.1.311.10.3.11 -ss my -sky exchange -sp "Microsoft Strong Cryptographic Provider" -sy 1 -len 2048 -a sha256

Related

New-SelfSignedCertificate, TPM module and ECDSA_P384

I am attempting to create a self signed certificate with PowerShell and protect the private key with a TPM 2.0 module.
I can create a cert backed by the TPM with :
New-SelfSignedCertificate -Provider "Microsoft Platform Crypto Provider" -Subject "CN=Test Cert" -CertStoreLocation "Cert:\LocalMachine\My"
I can cert with P384 with:
New-SelfSignedCertificate -Subject "CN=Test Cert" -KeyAlgorithm ECDSA_P384 -HashAlgorithm SHA384 -CurveExport CurveName -CertStoreLocation "Cert:\LocalMachine\My"
But combining the two fails with "Provider not defined":
New-SelfSignedCertificate -Provider "Microsoft Platform Crypto Provider" -Subject "CN=Test Cert" -KeyAlgorithm ECDSA_P384 -HashAlgorithm SHA384 -CurveExport CurveName -CertStoreLocation "Cert:\LocalMachine\My"
At this point I am unsure if this is a limitation of the MS provider, a limitation of the TPM module I have, or a result of the current configuration Windows 10 and therefore perhaps something I can address.
Can anyone offer any insight as to the root cause and perhaps a resolution?
Thanks

Powershell Create and Export Root Cert PFX

Apologies ahead of time if I don't get syntax correct. This is my first pass at certificate creation.
I am attempting to use Powershell to create a root certificate. I am using the following code:
$todaydt = Get-Date
$50years = $todaydt.AddYears(50)
$mypwd = ConvertTo-SecureString -String "*******" -Force -AsPlainText
$rootCert = New-SelfSignedCertificate -Subject 'CN=127.0.0.1' -KeyExportPolicy Exportable -KeyUsage CertSign,CRLSign,DigitalSignature -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -notafter $50years
Export-PfxCertificate -Cert $rootCert -FilePath c:\temp\my.pfx -Password $mypwd -ChainOption EndEntityCertOnly -NoProperties -Verbose
When I run it I get: Export-PfxCertificate: Cannot export non-exportable private key.
According to someone else in the same situation they found it to be essentially a permissions issue and solved it by:
"I checked the option "manage private keys" and you just get the
permissions to see - so I added my admin account...."
And then they were able to export. I am not sure what this means though? Anyone have an idea or another answer?
Thanks.

Export certificate as pfx

I'm trying to export my certifcate as pfx. I'm doing that my certmgr.msc but some of the options are gray.
certmgr
So I wanted to use Powershell for this.
I'm going to the catalogue where the certificate is located (cert:\CurrentUser\My) and I'm inducing a syntax:
Export-PfxCertificate -Cert .\4BBB***************************** -FilePath 'C:\Users\jwozniak\Documents\outfile.pfx' -Password (ConvertTo-SecureString -String 'password63' -AsPlainText -Force)
(without * of course)
And I get an below error:
I'd appreciate some guidance.
When a certificate is created, You need to make private key has "Exportable".
Then only Export-PfxCertificate command works fine without errors.
Some of examples which may help you :
1)For creating self signed certificate by marking private key has Exportable
$cert = New-SelfSignedCertificate -DnsName $certname -certStorelocation cert:\localmachine\my -KeyLength 2048 -KeyFriendlyName $certname -FriendlyName $friendlyName -HashAlgorithm sha256 -Keyexportpolicy Exportable
Here parameter -Keyexportpolicy plays an important role for serving the purpose.
2)For Your question how to import certificate with option exportable private key ?
Follow the below command
Import-PfxCertificate -FilePath C:\Temp\$certname.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $certpwd1 -Exportable
Here parameter -Exportable plays an important role for serving the purpose
A certificate (on windows) has export policies. You cannot get around that except using for instance https://github.com/gentilkiwi/mimikatz

Invalid provider type specified. CryptographicException

I am trying to run the script GetAppConfigSettings.ps1 from Microsoft docs help setting up a Key Vault
The script contains the following
# **********************************************************************************************
# Prep the cert credential data
# **********************************************************************************************
$certificateName = "$applicationName" + "cert"
$myCertThumbprint = (New-SelfSignedCertificate -Type Custom -Subject "$certificateName"-KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Provider "Microsoft Enhanced Cryptographic Provider v1.0" ).Thumbprint
$x509 = (Get-ChildItem -Path cert:\CurrentUser\My\$myCertthumbprint)
$password = Read-Host -Prompt "Please enter the certificate password." -AsSecureString
# Saving the self-signed cert and pfx (private key) in case it's needed later
Export-Certificate -cert $x509 -FilePath ".\$certificateName.cer"
Export-PfxCertificate -Cert $x509 -FilePath ".\$certificateName.pfx" -Password $password
Running the script ( after setting the variables) produces the following error
New-SelfSignedCertificate : CertEnroll::CX509Enrollment::_CreateRequest: Provider type not defined.
0x80090017 (-2146893801 NTE_PROV_TYPE_NOT_DEF)
At \\tsclient\E\EShared\Dev\Microsoft.Azure.KeyVault.Samples-2016.11.22
(1)\Microsoft.Azure.KeyVault.Samples\scripts\GetAppConfigSettings.ps1:38 char:22
+ ... umbprint = (New-SelfSignedCertificate -Type Custom -Subject "$certifi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-SelfSignedCertificate], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.CertificateServices.Commands.NewSelfSignedC
ertificateCommand
[Update]
Microsoft Support advised me to change the provider to "Microsoft Platform Crypto Provider"
However I still get the error.
For Powershell, $PSVersionTable reports 5.1.17134.112
I have Version 5.7.0 of AzureRM installed
Microsoft support helped me out with this line
$myCertThumbprint = (New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My
-subject MyCert -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10)
-Type CodeSigningCert -KeySpec Signature).Thumbprint
The AuthClientId and AuthCertThumbprint values I need for the HelloKeyVault app.config are created.
The AuthClientId displays in the portal as the Application ID and is vissible in the Registered app settings.
To get to it click Azure Active Directory -> App registrations
Then click View all applications
click on the application then settings
To see the Thumbprint doe the same and then click Keys
I can see AuthClientId
Please use this sample to learn how to use Key Vault with DotNet and authenticate to Azure Active Directory with a Service Principal's Certificate
https://github.com/Azure-Samples/key-vault-dotnet-quickstart

Signing a PowerShell script with self-signed certificates (and without makecert.exe)

I'm trying to sign a .ps1 using self-signed certificates (the use case is for scripts I write myself on my private dev station, so no need to use - or pay for -
a real CA). However, no matter how many guides on the topic of certificates generation and digital signatures I read, I can't seem to get it working.
Here's what I have accomplished so far:
# Create a certificate to use as trusted root of the signing chain
$root = New-SelfSignedCertificate `
-Subject "CN=PowerShell Trusted Authority" `
-FriendlyName "PowerShell Trusted Authority" `
-KeyUsageProperty Sign `
-KeyUsage CertSign, CRLSign, DigitalSignature `
-CertStoreLocation Cert:\LocalMachine\My\ `
-NotAfter (Get-Date).AddYears(10)
# Create a certificate to use for signing powershell scripts
New-SelfSignedCertificate `
-Signer $root `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($root.Thumbprint)" Cert:\LocalMachine\Root
All of the above done from an administrative powershell instance. After that is done, I can see both certificates, in the expected locations, in the management console, and the certificate path of the signing cert checks out as valid.
I then open a regular PS prompt and attempt to sign the script:
# Obtain a reference to the signing certificate
PS> $cert = Get-ChildItem Cert:\LocalMachine\My\ -CodeSigningCert
# Attempt at signing
PS> Set-AuthenticodeSignature .\Microsoft.PowerShell_profile.ps1 $cert
Directory: C:\Users\tomas\Documents\WindowsPowerShell
SignerCertificate Status Path
----------------- ------ ----
UnknownError Microsoft.PowerShell_profile.ps1
As you can see, the actual signing fails. Looking at the powershell file, I see that no signature has been appended to the script.
If I do the signing from an admin prompt, I seem to get a little further; a signature block is added to the script, and the thumbprint of the signing cert is printed in the output from Set-AuthenticodeSignature, but the status is still UnknownError and execution under the AllSigned policy is still not allowed.
# Output some info about the certificate:
PS> $cert | Format-List
Subject : CN=PowerShell Code Signing
Issuer : CN=PowerShell Trusted Authority
Thumbprint : <omitted>
FriendlyName :
NotBefore : 9/20/2017 10:48:59 PM
NotAfter : 9/20/2018 11:08:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
I've tried a multitude of variants of New-SelfSignedCertificate incantations, especially to generate the certificate for code signing, but always with the same status message (UnknownError).
My ultimate goal here is to be able to have Set-ExecutionPolicy AllSigned and still run scripts that I've created myself. What am I missing in this process to make that work?
Thinking about this, you don't need a certificate chain trust, therefore, you don't need your first certificate. You can use the second certificate and move it into your Trusted Root folder and it will work. Using the first certificate and then creating another certificate seems to fail because the 'root' is self signed and then can't sign another certificate.
SELF SIGNED CERTIFICATE method
# Create a certificate to use for signing powershell scripts
$selfsigncert = New-SelfSignedCertificate `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Move the root cert into Trusted Root CAs
Move-Item "Cert:\LocalMachine\My\$($selfsigncert.Thumbprint)" Cert:\LocalMachine\Root
# Obtain a reference to the code signing cert in Trusted Root
$selfsignrootcert = "Cert:\LocalMachine\Root\$($selfsigncert.Thumbprint)"
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $selfsignrootcert
If you have access to an Enterprise Root CA, you can use the method you have used in your question.
ENTERPRISE ROOT CA method (same method as you have in your question) - you need to know your Root CA certificate thumbprint
# Get Enterprise Root CA thumbprint
$rootcert = get-childitem Cert:\LocalMachine\Root\XXXXXXXXXXXX
# Generate certificate
$fromrootcert = New-SelfSignedCertificate `
-Signer $rootcert `
-Subject "CN=PowerShell Code Signing" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-Type CodeSigningCert `
-CertStoreLocation Cert:\LocalMachine\My\
# Sign script
Set-AuthenticodeSignature C:\powershell.ps1 $fromrootcert
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Type CodeSigningCert -Subject "Code Signing"
Move-Item -Path $cert.PSPath -Destination "Cert:\CurrentUser\Root"
Set-AuthenticodeSignature -FilePath c:\go.ps1 -Certificate $cert
source
https://blogs.u2u.be/u2u/post/creating-a-self-signed-code-signing-certificate-from-powershell