PowerShell Import-PfxCertificate Issue: Correct Certificate Store

opensslpowershellssl-certificate

I am trying to import a PFX using PowerShell, that has been created by OpenSSL from a cer and key file (the key was generated by OpenSSL along with a CSR, which was submitted to internal AD CA to generate the cer)

When viewing cert info in OpenSSL, I can see the PFX contains just a single cert and a private key, which is what I expect

If I run the below command, the cert is imported into intermediate certificate authorities, rather than the machine personal store as I have specified:

Import-PfxCertificate -FilePath $SharedPFXPath -Password (ConvertTo-SecureString -String $PFXPassword -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -Exportable

What could be the reason the Import-PfxCertificate command might be ignoring my cert store location?

EDIT: Just for some additional info, I thought I'd detail the commands used to generate the source cert and key files etc:

Start by creating a key and CSR

openssl.exe genrsa -out $KeyFilePath 2048
openssl.exe req -new -key $KeyFilePath -out $CSROutputPath -config $ConfigFilePath

The CSR config file contains this (actual DN values removed):

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = COUNTRY CODE
ST = COUNTY/STATE
L = TOWN
O = ORG
OU = OU
CN = COMMON NAME

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = SAN

Then I submit the CSR to AD CA, and save the BASE64 encoded cert. I use this and the key file to create the PFX

openssl.exe pkcs12 -export -in $CertPath -inkey $KeyFilePath -out $PFXPath -passout pass:$PFXPassword -nomac

I had to add -nomac to my PFX command, as otherwise I got an incorrect password error every time I tried to manually import the PFX into the cert store. Not sure if this would contribute to my issue, or if some of my earlier commands might be causing me some problems?

Best Answer

This issue is linked to similar issues mentioned here

I am using OpenSSL 3.0 on Windows to generate my certs and PFXs etc. and whilst I had the same "Incorrect Password" issue as this other question, which was resolved by adding -nomac, I had not added the other options.

After adding -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES to my PFX export command, I no longer have any issues and my cert is imported into my specified store

Related Solutions

Ssl – Exporting SSL Cert private keys in IIS 7.0

IIS still has the option to export the certificates directly; alternatively, you can export the certificate using the "Certificates" MMC snap-in (certmgr.msc).

certificate

If this isn't available, you may have set the private key as non-exportable during the key creation process.

Easiest way to generate PFX certificate (Windows)

Right, Well I scripted it then.

I still believe that there is an easier way with certreq and powershell but here is the bash script. Requirements: Cygwin, standard UNIX utilities, clip, openssl

#!/bin/bash
iexplore='/cygdrive/c/Program\ Files\ \(x86\)/Internet\ Explorer/iexplore.exe';
printf "\033c";
echo -e "This function automates IIS7 certificate generation for <YourCompany>";
type openssl > /dev/null 2>&1 || { 
    echo "Cannot find OpensSSL, it is required to generate certificates.  Aborting..." 1>&2;
    exit 1
};
openssl version;
echo -e "\n";
read -p "What is the server hostname (NOT FQDN!): " Hostname;
if [[ $Hostname =~ ^[A-Za-z0-9]+$ ]]; then
    echo -e "Server name:\t"$Hostname"\nFQDN:\t\t"$Hostname".<yourDomain>\n";
else
    echo ""$Hostname" doesn't look quite right... Exiting";
    sleep 3;
    exit 1;
fi;
mkdir ~/Desktop/certs_temp > /dev/null 2>&1;
cd ~/Desktop/certs_temp;
echo "
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = testpassword
output_password = testpassword

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:"$Hostname"

[ req_distinguished_name ]
countryName = AU
stateOrProvinceName = NSW
localityName = Sydney
0.organizationName = <OrgName>
organizationalUnitName = <OrgUName>
commonName = "$Hostname".<YourDomain>" > openssl.cfg;
openssl req -out openssl.csr -new -newkey rsa:2048 -nodes -keyout pk.key -config openssl.cfg > /dev/null 2>&1;
openssl rsa -in pk.key -out openssl.key > /dev/null 2>&1; rm pk.key;
echo -e "Now, upload this Code Signing Request to the Internal Certificate Authority: \n\t- The CSR content has been copied into your clipboard\n\t- You do not require to set any subject alternate name\n\t- Once submitted, open "Certificate Authority" via MMC (<ServerName>), issue pending certificate and export it (Open / Details / Copy To File) Base64 to ~/Desktop/certs_temp/openssl.cer\n";
eval $iexplore https://<ServerName>/certsrv/certrqxt.asp;
cat openssl.csr | clip;
read -p "Press [Enter] when openssl.cer certificate has been place in ~/Desktop/certs_temp";
if [ -f 'openssl.cer' ]; then
    cat openssl.cer >> openssl.key;
    echo '
-----BEGIN CERTIFICATE-----
<CompanyIntermediate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<CompanyRoot>
-----END CERTIFICATE-----' >> openssl.key;
    mv openssl.key ""$Hostname".pem";
    echo "Converting PEM Chain certificate to PKCS#12 (.pfx)";
    openssl pkcs12 -export -out ""$Hostname".pfx" -in ""$Hostname".pem";
    explorer .
else
    echo "Cannot find openssl.cer in ~/Desktop/certs_temp... Exiting";
    sleep 3;
    exit 1;
fi

The script :

Generates a private key and code signing request based on a config file.
Copies the CSR in the clipboard and open IIS webpage to request the cert.
Prompts the user for issuing the pending certificate and export it base64
Creates PEM, then export it as PKCS#12 (.pfx)

Note: You have to change the path for Internet Explorer for Win 32bit and have to replace < ServerName > specific tags.

Best Answer

Related Solutions

Ssl – Exporting SSL Cert private keys in IIS 7.0

Easiest way to generate PFX certificate (Windows)

Related Topic