I am trying to export a certificate public and private key to a PFX file via a powershell script. I am currently using the following code
Get-ChildItem -Path Cert:\CurrentUser\My\$Thumbprint | Export-PfxCertificate -FilePath $OutputFile -Password $privateKeyPass -ChainOption EndEntityCertOnly
However, when I work with the resulting PFX file in something like certutil, it doesn't ask for a private key password. For example here is an example of what I get when i dump the cert with certutil:
> certutil -dump cert.pfx
Certificates: Not Encrypted
================ Certificate 0 ================
[cert data removed]
---------------- End Nesting Level 1 ----------------
Key Container = PfxContainer
Provider = PfxProvider
Encryption test FAILED
CertUtil: -dump command completed successfully.
If I use the certificates MMC snapin to export the cert I can select the "Enable certificate privacy" option and it will export an encrypted certificate.
My question is...
Is there a way to tell the export-pfxcertificate cmdlet to enable certificate privacy so that it is encypted? If not, what other solution do I have?
Related
I have a digital certificate that I'm using for a specific task. I need to export the details of the certificate such as the serial number and issuer to a csv file that is already on my computer using PowerShell. Please keep in mind this is a digital certificate that is not installed on my computer but was sent to me and I downloaded it.
you can get the certificate details using the command Get-PfxCertificate as follow
$certpath = 'D:\cert.cer'
Get-PfxCertificate -FilePath $certpath | Export-Csv .\cert.csv -NoTypeInformation
Ref: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-pfxcertificate?view=powershell-5.1
p12 file with 7 certificates in it.
Following the instruction that came along with the cert file, we have to use MMC and a password to import all certs into a personal store.Instruction also says to check mark private key exportable.
in order to automate this, I tried using certutil -importpfx but that only added 4 out of 7 certificates. I am unable to see other 3 certs. The diff i noticed is the imported certs are the ones with "ext issuing CA" and missing certs are with "issuing CA" in the Subject .
Any pointers please
I found an alternate solution using powershell instead of certutil .
Import-pfx with flag -exportable imported all the certs.
Import-PfxCertificate -CertStoreLocation Cert:\LocalMachine\My -Password $Securepwd -FilePath $findP12Cert.FullName -Exportable -Verbose
I have a .crt and .key file, from which I am creating a .pfx file using OpenSSL. I am trying to use PowerShell to import the .pfx file into Cert:\LocalMachine\My, then I'll use that certificate for OpenVPN. Using the following code, I am not getting any errors on the import:
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet")
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.open("MaxAllowed")
$store.add($cert)
$store.close()
I can see the cert in the MMC, but OpenVPN's log file shows:
error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist
I have tried $certPassword as both a string and secure string. When I import the certificate via the GUI (copying the password from the content of $certPassword), OpenVPN starts normally.
I also tried this code but saw the same behavior:
Import-PfxCertificate -Password ($certPassword | ConvertTo-SecureString -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -FilePath $env:temp\$site.pfx
Finally, I am running the PowerShell session elevated.
What could I be doing wrong? Thanks.
Since you are adding the certificate to the LocalMachine\My store you probably want to import it with X509KeyStorageFlags.MachineKeySet
That might be
$cert.import("$env:TEMP\$site.pfx", $certPassword, "PersistKeySet | MachineKeySet")
but I don't actually know PowerShell, so I don't know the flags syntax.
The second possibility is that the PFX import saved the key under CNG but OpenVPN didn't use the "I know what CNG means" flag. You can make the import load the key in CAPI by specifying the CSP value when building the PFX with openssl
openssl pkcs12 -export ... -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
PowerShell 4.0
makecert tool has the -eku option for describing the enhanced key usage object identifiers (OIDs) into the certificate. It allows to make the certificates for code signing and for other purposes. But it is not a cmdlet.
New PowerShell versions have the New-SelfSignedCertificate cmdlet for local testing of the scripts. But it creates the certificate that can't be used for code signing:
New-SelfSignedCertificate -DnsName www.SomeSite.com -CertStoreLocation Cert:\CurrentUser\My
I don't see an option which is similar of -eku.
How can I set the destination of my new Self-Signed Certificate (created through New-SelfSignedCertificate cmdlet) for possibility of its use for code signing? Or is it possible to do the same via other cmdlet?
The version of New-SelfSignedCertificate on PS 4 is rather basic.
However Powershell v5 has the parameters that you would require to create specific keys.
Specifically a Keyusage parameter that takes
-- CertSign
-- CRLSign
-- DataEncipherment
-- DecipherOnly
-- DigitalSiganture
-- EncipherOnly
-- KeyAgreement
-- KeyEncipherment
-- None (default)
-- NonRepudiation
and a KeyUsageProperty taking
-- All
-- Decrypt
-- KeyAgreement
-- None (default)
-- Sign
Are you specifically tied to v4? If you can upgrade to v5 you should be able to achieve what you need.
Reviving this question as I was also looking for an answer to set Enhanced Key Usage (EKU) field for code signing using PowerShell New-SelfSignedCertificate command.
It can be done using the -TextExtension parameter to set EKU value. As an example, the following PowerShell (tested on PowerShell 5.1) script allows to create a 3-years self signed code signing certificate with extended key usage (and export it from the current user's certificates store to pfx file format):
# Enhanced Key Usage
$EKU = "2.5.29.37"
$EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
$certificate = New-SelfSignedCertificate -Subject "CN=Testing Code Signing,E=info#mycompany.com,O=My Company" `
-FriendlyName "My Code Signing Certificate" `
-NotAfter (Get-Date).AddYears(3) `
-CertStoreLocation Cert:\CurrentUser\My `
-TextExtension #("$EKU={text}$EKU_CODE_SIGNING")
$password = ConvertTo-SecureString -String "mypassword" -Force -AsPlainText
Export-PfxCertificate -Cert "Cert:\CurrentUser\My\$($certificate.Thumbprint)" -FilePath "codesigning.pfx" -Password $password
Note: As a shortcut, the -Type CodeSigningCert parameter can be specified with the New-SelfSignedCertificate command instead of explicitly adding the EKU_CODE_SIGNING string to the -TextExtension parameter.
You can use PS' cert provider to access different cert stores (user vs machine), but that won't help with your OID problem. I suggest you look at .NET support for X509 certs. Google ".net x509 certificate" and you'll find the X509Certificate class on MSDN. From there read the class documentation and any overview documentation to see if creation of OIDs is supported. If .NET doesn't support it then you'd have to use P/Invoke to invoke native Windows CNG (cryptography next generation) APIs
I have to sign remote scripts with a certificate from the remote machine from which I have a .pfx file.
I would like to automate the scripting by supplying the password to the Get-PfxCertificate programmatically.
So the question is:
Is it possible to somehow supply programmatically the required password to
Get-PfxCertificate?
$CertPath = "my.pfx"
$CertPass = "mypw"
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath, $CertPass)
Set-AuthenticodeSignature -Certificate $Cert -TimeStampServer http://timestamp.verisign.com/scripts/timstamp.dll -FilePath $OutputFilename
Make sure you have the proper permissions otherwise you won't be able to create an instance of the X509Certificate2 object.
I did a bit of checking around on this and couldn't find a clean way to provide the password programmatically. I suspect it is meant to be this way for security reasons. Either that or the PowerShell development team just blew it by not including a Credential parameter for this cmdlet. The only other option I can think of is to use someting like SendKeys to send the individual password character key presses to the PowerShell console at the right time via a background job (blech - just threw up in my mouth a little). :-)
Another way of doing this is by loading your certificate directly from your certificate store using PS Providers. Use Get-PSProviders to determine available PSProviders on your machine.
Once you have cert provider loaded, you can now get the certificate using Get-ChildItem
Launch certmgr.msc from run to launch the certificate store
Assuming that your certificate is stored under Personal folder in your cert store and has "Company Name" set in the subject property of the certificate, and there is only certificate in that folder with Company Name in the subject - you can get the certificate like so
$my_cert = Get-ChildItem cert:\CurrentUser\My | ? {$_.Subject -match "Company Name"}
$my_cert will be your certificate object that you can pass directly to Set-AuthenticodeSignature cmdlet
Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl"
post signing, you can retrieve the sign status by querying on the Status property for "Valid" or not like
$result = Set-AuthenticodeSignature -Certificate $my_cert -FilePath fqn_to_dll.dll -Timestampserver "http://timestampurl" | Select Status
if(-Not ($result -eq "Valid")){
Write-Output "Error Signing file: Status: $($result.Status)"
}