certificates with SDK tools (makecert, pvk2pfx) - certificate

I need to make two certificates: a CA cert and a Server cert.
I use these commands:
makecert -r -pe -n "CN=CACert" -a sha1 -sky signature -cy authority -sv CACert.pvk CACert.cer
certutil -addstore Root TGCA.cer
makecert -pe -n "CN=ServerCert" -a sha1 -sky exchange -ic CACert.cer -iv CACert.pvk -sv ServerCert.pvk ServerCert.cer
pvk2pfx -pvk ServerCert.pvk -spc ServerCert.cer -pfx ServerCert.pfx
Then I import ServerCert.pfx to certificate storage.
Why don't they contain the private key in the store?

Why don't you try to generate the pfx file by passing the private key password as an argument?
Try it this way:
pvk2pfx -pvk ServerCert.pvk -spc ServerCert.cer -pfx ServerCert.pfx -pi password
As the documentation says:
/pi pvkpassword
Specifies the password for the .pvk file.
Source: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672(v=vs.85).aspx

So, after a long dance with a tambourine, I found a solution. The problem was in the UI. My goal was to import the pfx into the LocalMachine store. It's impossible to do by launching the pfx file from a folder.
When the pfx is imported without the pvk password, the internal private key does not get imported. The password is not requested when importing into the LocalMachine store via MMC.
What I did:
Import the pfx file from File Explorer into the CurrentUser "My" store (entering the pvk password).
Export the certificate from the store to a new pfx with a password.
Import the new pfx into the LocalMachine "My" store with MMC.
I don't know of other ways.
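As an added example (not from the original post), the same CA/server flow scripted end to end in PowerShell: the pvk and pfx passwords are handed to pvk2pfx (-pi/-po) and the PFX is imported straight into LocalMachine\My with Import-PfxCertificate instead of the MMC wizard, then the presence of the private key is checked. Assumes makecert.exe and pvk2pfx.exe from the Windows SDK on PATH, an elevated session, and the PKI module cmdlets (Windows 8 / Server 2012 or later); sha256 and a 2048-bit key are my choice over the post's sha1, and the passwords are constructed placeholders.

```powershell
# Added example: CA -> server cert -> PFX -> LocalMachine\My, with a private-key check.
$ErrorActionPreference = 'Stop'
$pvkPassword = 'pvk-pass-CHANGE-ME'   # constructed; makecert asks for it in a dialog
$pfxPassword = 'pfx-pass-CHANGE-ME'   # constructed; protects the PFX on disk

# 1. Self-signed CA: authority cert with a signature key. makecert still prompts
#    for the .pvk password when it creates CACert.pvk; type $pvkPassword there.
makecert -r -pe -n "CN=CACert" -a sha256 -len 2048 -cy authority -sky signature `
    -sv CACert.pvk CACert.cer

# 2. Server cert issued by the CA (exchange key, exportable). -ic/-iv name the
#    CA cert and CA private key files written in step 1.
makecert -pe -n "CN=ServerCert" -a sha256 -len 2048 -sky exchange `
    -ic CACert.cer -iv CACert.pvk -sv ServerCert.pvk ServerCert.cer

# 3. Bundle key + cert. -pi unlocks the .pvk (without it the key never makes it
#    into the PFX); -po sets the PFX password; -f overwrites an old PFX.
pvk2pfx -pvk ServerCert.pvk -pi $pvkPassword -spc ServerCert.cer `
    -pfx ServerCert.pfx -po $pfxPassword -f

# 4. Import with the password supplied, so the key container is created too.
$secure = ConvertTo-SecureString $pfxPassword -AsPlainText -Force
$imported = Import-PfxCertificate -FilePath .\ServerCert.pfx `
    -CertStoreLocation Cert:\LocalMachine\My -Password $secure -Exportable
Import-Certificate -FilePath .\CACert.cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Verify the key actually arrived and the chain builds to the CA.
$cert = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw 'ServerCert was imported without its private key' }
if (-not $cert.Verify())      { throw 'ServerCert does not chain to a trusted root' }
"OK: $($cert.Subject) has a private key and chains to $($cert.Issuer)"
```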

Related

Why does creating my self signing certificate fail?

I am trying to generate a self-signing certificate but am unable to accomplish it. I am using this command to create a self-signing certificate authority:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Which by all accounts works, and I can view the new entry under the Trusted Root Certification Authorities.
Next I use the following command to create a signing certificate:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root1.cer
But the command fails with:
Error: Can't load the issuer certificate ('root1.cer')
Failed
I was of the impression that the -ic switch would create the root1.cer file, but the error seems to indicate that it can't load it? Where am I going wrong with this?
When attempting to create a Self Signed Certificate, it does not require another certificate to generate it, because, as the name states, it is Self Signed (it is signed by the private key that belongs to the public key it contains).
When creating a common certificate you should provide a parent to make use of it. When verifying authenticity of this child certificate you should also have the parent certificate installed on your machine. This is the concept of Chain Trust.
See in your 'Local Machine' store, under trusted root certificates, you should have .cer from many Authority Agencies, such as Verisign for instance.
-iv Stands for Issuer's Private Key. (Parent .pvk)
-ic Stands for Issuer's Certificate. (Parent .cer)
In your first command, you created root.cer.
makecert [...] -r -sv root.pvk root.cer -ss Root -sr localMachine
In your second command, you told it that the issuer certificate was in root1.cer (with the parameter "-ic root1.cer"). That is what led to the error message that it could not find root1.cer.
So, change the 'root1.cer' in the second command to 'root.cer'. It should look like this:
makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer -sv powershelluser.pvk powershelluser.cer
This does the following:
Generates a new key, placing it in powershelluser.pvk.
Uses the key in root.pvk to sign the new certificate, and uses the information in root.cer to set the Issuer of that new certificate.
Writes the new certificate to powershelluser.cer, and also writes it to the "Personal" certificates store in CurrentUser.
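Added example, not the answerer's code: the corrected root/leaf pair as a script, followed by a check that the leaf really chains to the root and a sign-and-verify round trip on a throwaway script, which is what a certificate with EKU 1.3.6.1.5.5.7.3.3 (code signing) is for. Assumes makecert.exe on PATH and an elevated session (the root lands in LocalMachine\Root); sha256 and 2048-bit keys are my choice over the post's sha1.

```powershell
# Added example: root + code-signing leaf, then prove the leaf works for signing.
$ErrorActionPreference = 'Stop'
$eku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Root: -r self-signed; -sv writes root.pvk/root.cer; -ss Root -sr localMachine
# also installs it as a trusted root on this machine. makecert prompts for the
# .pvk password in a dialog.
makecert -r -pe -n "CN=PowerShell Local Certificate Root" -a sha256 -len 2048 -eku $eku `
    -sv root.pvk root.cer -ss Root -sr localMachine

# Leaf: -iv/-ic must name the files the root step produced (root.pvk / root.cer),
# not a file makecert is expected to create. -ss MY places it in CurrentUser\My.
makecert -pe -n "CN=PowerShell User" -a sha256 -len 2048 -eku $eku `
    -iv root.pvk -ic root.cer -sv powershelluser.pvk powershelluser.cer -ss MY

# Check the leaf is in the Personal store, carries its key, and chains to the root.
$leaf = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq 'CN=PowerShell User'
if (-not $leaf)                { throw 'leaf cert not found in CurrentUser\My' }
if (-not $leaf.HasPrivateKey)  { throw 'leaf cert has no private key' }
if (-not $leaf.Verify())       { throw "leaf does not chain: issuer is $($leaf.Issuer)" }

# Sign a constructed script and confirm Windows accepts the signature.
Set-Content -Path .\hello.ps1 -Value 'Write-Output "signed"'
Set-AuthenticodeSignature -FilePath .\hello.ps1 -Certificate $leaf | Out-Null
$sig = Get-AuthenticodeSignature -FilePath .\hello.ps1
if ($sig.Status -ne 'Valid') { throw "signature status is $($sig.Status): $($sig.StatusMessage)" }
"OK: hello.ps1 signed by $($sig.SignerCertificate.Subject)"
```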

makecert requesting password

Given the following powershell function:
function CreateRootCertificate($certificateName, $path, $certificatePassword){
makecert -r -pe -n "CN=$certificateName" -sky exchange $path\$certificateName.cer -sv $path\$certificateName.pvk
pvk2pfx.exe -pvk $path\$certificateName.pvk -spc $path\$certificateName.cer -pfx $path\$certificateName.pfx -po $certificatePassword
}
makecert is prompting me to enter the certificate password. From what I understand it won't do this if the *.pvk file already exists and has a password set on it.
So my question is: how do I split my single makecert command into two separate commands, one to create the *.pvk and another to create the *.cer?
Many Thanks
“Makecert.exe” will always prompt for password when creating a private key.
One way around this prompt may be to write code/macro, to find the password input window and enter your password in it.
The other is to use OpenSSL. In OpenSSL use
openssl genrsa -aes128 -passout pass:password -out $certificateName.pvk 2048
to generate a private key with passphrase.
If you do work with certificates a lot, I would recommend forgetting "makecert.exe" altogether and using OpenSSL instead.
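Added example (not the answerer's): the asker's CreateRootCertificate rewritten around OpenSSL so every password goes in via -passin/-passout and nothing prompts. Assumes openssl.exe on PATH; the PEM key OpenSSL writes is not the .pvk container that makecert -sv reads, so the PFX is built by OpenSSL end to end rather than mixing the two toolchains. The function and file names are mine.

```powershell
# Added example: non-interactive self-signed cert + PFX with OpenSSL only.
function New-SelfSignedPfxWithOpenSsl([string]$certificateName, [string]$path, [string]$certificatePassword) {
    $pass = "pass:$certificatePassword"          # OpenSSL password-source syntax
    $key  = Join-Path $path "$certificateName.key"
    $cer  = Join-Path $path "$certificateName.cer"
    $pfx  = Join-Path $path "$certificateName.pfx"

    # Encrypted RSA key; -passout supplies the passphrase instead of prompting.
    openssl genrsa -aes128 -passout $pass -out $key 2048
    if ($LASTEXITCODE -ne 0) { throw 'openssl genrsa failed' }

    # Self-signed cert; -passin unlocks the key, -subj replaces the interactive DN prompt.
    openssl req -new -x509 -sha256 -days 365 -key $key -passin $pass `
        -subj "/CN=$certificateName" -out $cer
    if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

    # PKCS#12 bundle (cert + key) protected by the same password; importable by certmgr/MMC.
    openssl pkcs12 -export -inkey $key -passin $pass -in $cer -out $pfx -passout $pass
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

    return $pfx
}

# Usage with constructed values:
New-SelfSignedPfxWithOpenSsl -certificateName 'TestRoot' -path (Get-Location) -certificatePassword 'CHANGE-ME'
```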

How to import a certificate with private key on Certificate Management Tool

So far, the only way I'm able to import a certificate in the Certificate Management Tool is by having a .pfx file. I'm using the Makecert.exe utility to generate certificates.
First Step - I generate a Certification Authority by using the following command:
makecert.exe -n "CN=TestCA" -r -sv TestCA.pvk TestCA.cer
Second Step - I generated the private key file and the certificate file
makecert.exe -n "CN=TestCert" -sv TestCert.pvk -iv TestCA.pvk -ic TestCA.cer TestCert.cer -sky signature -pe
Now I can see that I generated 4 files: TestCA.pvk, TestCA.cer, TestCert.pvk, TestCert.cer.
When importing, I'm not able to choose a pvk file from the Certificate Management Tool.
After researching a little, I found a microsoft utility named Pvk2Pfx.exe to overcome this issue.
This utility takes two files and merges them into one .PFX File which is what Certification Management Tool uses to import Certificates with private keys.
Here is the documentation to use it: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550672(v=vs.85).aspx
And I will add the full command used to generate the .pfx file:
pvk2pfx -pvk TestCert.pvk -pi TestCertPassword -spc TestCert.cer -pfx TestCert.pfx -po TestCertPassword -f

How can I use an X.509 certificate created on another computer?

I need to encrypt an XML file with an X.509 certificate on one computer and be able to decrypt it with the same certificate on another computer. It doesn't seem to work for me the way Microsoft suggests:
http://msdn.microsoft.com/en-us/library/ms229744.aspx
The decryption process always fails on another computer!
I create a certificate by using the following command:
makecert -r -pe -n "CN=DEEP_201X" -b 01/01/2011 -e 01/01/2014 -sky exchange -ss my deep.cer
Then I install it by using:
certmgr /add deep.cer /s root
And try to get its private key with the FindPrivateKey.exe utility:
FindPrivateKey My CurrentUser -n "CN=DEEP_201X"
Works great. However, when I perform all the same actions to install the certificate on another computer FindPrivateKey will fail with
No certificates with key 'CN=DEEP_201X' found in the store.
when I use
certmgr /add deep.cer /s my
the error message will be like this:
Unable to obtain private key file name
Could someone please give me a piece of advice on how to make it work?
I suspect that you only need the private key on the decrypting computer.
However...
If you really need the private key on both computers, be aware that the .cer file does not include the private key.
(I think) makecert adds it to the local machine when it generates the cert. You can write it out using the -sv option. Then build a pfx container for the certificate that contains it.
makecert -r -pe -sv myprivatekey.pvk -n "CN=DEEP_201X" -b 01/01/2011 -e 01/01/2014 -sky exchange -ss my deep.cer
pvk2pfx -pvk myprivatekey.pvk -spc deep.cer -pfx deep_private.pfx
I haven't been able to convince certmgr to import private keys from the commandline. Use it in gui mode or use the certmgr.msc snap-in.

Where is the private key?

Two simple questions about the makecert command.
Suppose I am using the following command:
makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Will the private key automatically be registered somewhere in the certificate manager, or will the private key just be in the file root.pvk?
Suppose I am using the following command:
makecert -r -pe -n "CN=XYZ Company" -ss my
After executing this command, where is the private key stored (since I did not specify the -pe option, the private key is not embedded in the certificate, but where is it)?
Even without -pe (enable private key export) the private key should still be stored in the certificate store you have specified. In your example that store is the LocalMachine physical store and the TrustedRoot logical store. You can check by opening up mmc (start->run->mmc), adding the Certificates snap-in and selecting "Computer Account" as the store.
An even simpler test is:
makecert -sk myKey -n "CN=test" -ss my -pe
Then start->run->certmgr.msc (which opens the certificate manager for the local user store) and check the Personal certificate store. In there you should have a certificate called test with a private key attached.
You can then right-click the certificate and export it to a .pfx file to get a single file that has the certificate AND the private key embedded.
Edit:
The -pe option stands for private key exportable. If -pe is used you will have the option of exporting the key from certmgr with the private key. If you don't use -pe then you will not get the option of exporting the private key (my comment below should say "without -pe" not "with -pe").
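For both this answer and the "another computer" answer above, an added example (not from either answerer): find the store-resident certificate that makecert -ss my created, confirm the key is present and was made exportable (-pe), export it to a password-protected PFX with Export-PfxCertificate, and import it on the second computer with the password so the key travels with it. Assumes the PKI module cmdlets and a CSP-backed key as makecert creates; the subject is the one from the question and the password is a constructed placeholder.

```powershell
# Added example: inspect a store-resident key and move it to another computer as a PFX.
$ErrorActionPreference = 'Stop'
$subject     = 'CN=DEEP_201X'
$pfxPassword = ConvertTo-SecureString 'pfx-pass-CHANGE-ME' -AsPlainText -Force   # constructed

# makecert -ss my put the cert and its key container in CurrentUser\My; the .cer
# written to disk carries only the public half, which is why copying it fails.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq $subject
if (-not $cert)                { throw "$subject not found in CurrentUser\My" }
if (-not $cert.HasPrivateKey)  { throw "$subject has no private key in the store" }

# Exportability is fixed at creation time (makecert -pe). CSP keys, which makecert
# creates, expose it here; a CNG-backed key would not have CspKeyContainerInfo.
$info = $cert.PrivateKey.CspKeyContainerInfo
if ($info -and -not $info.Exportable) { throw 'key is not exportable: recreate the cert with -pe' }

# Export cert + key (plus any chain certs in the store) to a password-protected PFX.
Export-PfxCertificate -Cert $cert -FilePath .\deep_private.pfx -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null
"exported $($cert.Thumbprint) to deep_private.pfx"

# --- on the other computer --- import into the same logical store the decrypting
# code searches (FindPrivateKey My CurrentUser); the password brings the key along.
$moved = Import-PfxCertificate -FilePath .\deep_private.pfx `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword -Exportable
if (-not $moved.HasPrivateKey) { throw 'import finished without a private key' }
"OK: $($moved.Subject) is in CurrentUser\My with its private key"
```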