How to import a .cer file and associate with its primary key - ssl-certificate

I have a .cer file that was generated with a new expiry date from a previous CSR. When I import it into certmgr on a Windows Server 2016 box (logged on as the correct user etc), it doesn't have a primary key as the previous cert did.
I've tried using certutil -repairstore my [new cert serial number], and got the below error, no matter how I format the serial number:
CertUtil: -repairstore command FAILED: 0x80090011 (-2146893807 NTE_NOT_FOUND)
CertUtil: Object was not found.
I also tried certreq -accept -user [path to .cer file] and got the below error (same with machine option):
A certificate issued by the certification authority cannot be installed. Contact your administrator.
Cannot find object or property. 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND)
I would have thought since I have the private key for the original cert, it should pick it up for the new one fairly easily? I'm happy to generate a new CSR if necessary, I'd just like to simplify the process and understand how to renew rather than replace.

Related

CertUtil Import pfx failed: NTE_NOT_SUPPORTED

I am attempting to set the KeySpec flag on an existing certificate for use in a SQL server encryption role. Current KeySpec is 0, and I need it to be a 1.
The way to do this is by first exporting the cert, its private key, and key usages into a .pfx file (with a password, regardless of what it claims). Then, utilizing certutil, run certutil -importpfx AT_KEYEXCHANGE.
This "works" in that it prompts for the password (which is typed in correctly), but it fails with this error message:
CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
CertUtil: The requested operation is not supported.
Unfortunately, there's not much online that I could find - just this one post apparently:
https://anotherexchangeblog.wordpress.com/tag/importpfx-command-failed-0x80090029/
That one appears to indicate that it's a problem with permissions on a directory located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. Specifically, that "SYSTEM" had permissions on it, which he removed and got certutil working. However, my copy of that directory does not have SYSTEM with permissions - it looks to be the same as his picture.
Not a whole lot more to go on, and this certutil import method appears to be the only way to set KeySpec to 1. What can I do from here to allow me to import that key with the correct KeySpec flag?
I encountered this issue after generating my private key with Template = (No Template) CNG Key
To convert from CNG key back to Legacy Key you can use OpenSSL (https://www.google.com/search?q=Download+windows+OpenSSL) to re-encode the certificate
Export your current certificate to a passwordless pem:
openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes
Convert the pem file to a new pfx file with password:
openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem
You can avoid the problem by generating your CSR using Template = (No Template) Legacy Key
Good Luck!
I work at Microsoft. My customer got this today and we couldn't fix it. We ended up making a new CSR.
This is the main article that explains how key specs work and CNG versus a legacy Cryptographic Service Provider.
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/ad-fs-and-keyspec-property
What you can do is go to your MMC snap in for certificates. Right click on the personal store -> All tasks -> Advanced Operations -> Create custom request.
Proceed without an enrollment policy -> select Legacy template, -> PKCS #10 -> Next -> DETAILS -> Properties
Put a friendly name -> Add a common name -> Add DNS names for any SANs you need -> on Extended Key Usage select Server and Client Authentication -> on the Private Key tab -> select Microsoft Strong Cryptographic Provider -> for Key Options you want 2048 -> Make the private key exportable -> Key Type tab -> select Exchange
This will generate a Certificate Signing Request (CSR); then have your Certificate of Authority fulfill it.
It is possible to make certutil import use the legacy Strong Cryptographic Provider by specifying the -csp argument.
certutil -csp "Microsoft Strong Cryptographic Provider" -importpfx -f -enterprise my mycert.pfx AT_KEYEXCHANGE
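Added example, not code from any of the answers above: a POSIX shell script that shows the OpenSSL side of the KeySpec problem. openssl pkcs12 -export has -keyex and -keysig flags that store a key-usage attribute (keyEncipherment or digitalSignature) in the PKCS#12 key bag, which is the attribute Windows consults on import to pick AT_KEYEXCHANGE or AT_SIGNATURE, and a -CSP flag that records a provider name such as the "Microsoft Strong Cryptographic Provider" named in the certutil -csp answer. The script also reads those attributes back, so a PFX can be inspected before it is imported. It assumes the openssl CLI is on PATH; the key, the certificate and the password "changeit" are constructed test material generated by the script.

```shell
#!/bin/sh
# Added example (not from the thread): build PFX files with and without the
# Microsoft key-spec attributes and read the attributes back.
# Assumes the openssl CLI on PATH. Key, certificate and the password "changeit"
# are constructed test material generated here.
set -e

WORK=$(mktemp -d)
PASS=changeit

# Constructed material: throwaway key and self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=keyspec-demo.example" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# export_pfx <out.pfx> [extra openssl pkcs12 -export options]
# The re-export step of the answer above (PEM written with -nodes back to a
# password-protected PFX) is this same command with -in pointing at that PEM.
export_pfx() {
  out=$1; shift
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -passout "pass:$PASS" -out "$out" "$@"
}

# pfx_key_usage <file.pfx>: the key-usage attribute in the key bag, as hex.
# "10" = keyEncipherment (AT_KEYEXCHANGE), "80" = digitalSignature
# (AT_SIGNATURE), empty = no attribute stored.
pfx_key_usage() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null |
    sed -n 's/.*X509v3 Key Usage: *\([0-9A-Fa-f]*\).*/\1/p'
}

# pfx_csp_name <file.pfx>: the Microsoft CSP Name attribute, if present.
pfx_csp_name() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null |
    sed -n 's/.*Microsoft CSP Name: *//p'
}

export_pfx "$WORK/plain.pfx"
export_pfx "$WORK/keyex.pfx" -keyex -CSP "Microsoft Strong Cryptographic Provider"
export_pfx "$WORK/keysig.pfx" -keysig
# For Windows versions that reject OpenSSL 3's AES / SHA-256 PKCS#12 defaults,
# add: -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1

echo "plain.pfx  key usage: '$(pfx_key_usage "$WORK/plain.pfx")'"
echo "keyex.pfx  key usage: '$(pfx_key_usage "$WORK/keyex.pfx")'  CSP: $(pfx_csp_name "$WORK/keyex.pfx")"
echo "keysig.pfx key usage: '$(pfx_key_usage "$WORK/keysig.pfx")'"
```

Run the script as-is; the keyex.pfx line is the shape of file the question needed (key usage 10 plus the legacy provider name), while plain.pfx reproduces the "no key spec" case that leaves certutil to guess.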

Is it possible to install a wildcard certificate without the private key on Tomcat?

I received following files from another department in my company which I am supposed to install on my Tomcat 8.5 Webserver in order to activate HTTPS and use TLS/SSL:
csr.pem
ca.pem
intermediate.pem
certificate.crt
Most tutorials I found online guide through the process of creating the keystore, generating a CSR and installing the certificate received afterwards. My company wishes to use its wildcard certificate, so the certificate and related files exist already.
I tried to generate a new keystore with my own private key & import ca, intermediate & certificate in it, but I'm getting an error which says that the public key doesn't match with my keystore.
I guess this is because I need to import the private key used to generate the CSR before. But since I don't have it, I want to make sure: is it possible to install the certificate without the private key (respectively, generating my own private key), or did they possibly forget to send it along?
Wildcard or not, a certificate without its associated private key is useless.
As they are used in asymmetric cryptography, operations need the public key (contained in the certificate) and the private key (stored separately).
And they are generated together; you cannot have a certificate and then later on generate a new key and associate it with it. A CSR, which later becomes a certificate, includes some information derived from the private key.

How to create a .pfx certificate from a .cer without the private key?

I would like to import an SSL certificate on a Microsoft Azure Website.
I generated the .csr request file using the Windows command "certreq" directly on my laptop (not on the server).
I retrieved a CER certificate using this .csr file.
But now I'm blocked: the Azure websites page wants a .pfx file and refuses the .cer file.
I tried to use www.sslshopper.com to transform my .cer certificate into a .pfx file but it needs the private key...
So here are my questions:
* Can I transform a .cer to .pfx without the private key?
* How can I get the private key used by the certreq command of my laptop?
Thanks !
As I know, certreq would store your private keys in your certificate store when it generates CSRs. And you need to finish the certificate request on the same computer where you generated the CSR request. There is an issue about finding the private key after using certreq for CSR generation.
Based on your description, you could follow this tutorial to import your signed certificate into the windows local computer certificate store by using certreq, then click "Start > Run", type certmgr.msc to manage computer certificates, right click the certificate root node and choose "Find Certificates" to find your certificate as follows:
Click export your certificate, choose the option "export the private key", then export your certificate to .pfx file. Also, you could leverage DigiCertUtil to export your certificates.
Additionally, for more flexibility over your private key than certreq, you could use OpenSSL command line tool to generate your private keys and your certificate signing request instead of certreq. Also, for a simple way, you could use this GUI tool startcomtool to generate your CSR and export the certificates.
You need to associate the private key with the issued certificate. Depending on the context used in certreq (current user or local machine context), run the appropriate command:
certreq -user -accept path\certfile.cer
Or
certreq -accept path\certfile.cer

Security Certificates

I've currently encountered a unique issue. To help understand the predicament I'll provide some background. Our company hired a third party to develop an application; a part of this web application package was the purchase of an SSL Certificate.
After they purchased the SSL they exported it into a Personal Information Exchange (.pfx).
The issue now occurs here...
Our company web server utilizes the Plesk Panel 11, which complicates matters for two reasons.
The first is that if I directly install the certificate, Plesk will not recognize the certificate and will eventually overwrite the contents in our Microsoft Certificate Store within the Windows Server MMC Certificate Snap-In.
The second issue is sheer bad luck: Plesk doesn't recognize the .pfx extension. It apparently only understands the following:
Private Key (.key)
Certificate (.crt)
CA Certificate (-ca.crt)
So my original thought was to simply convert the file into a valid format, which resulted in an error. The second attempt was to follow a command line control to export the file format to the valid extension. The results are still disappointing:
Error: Invalid Certificate Format
Since the file installed was a .pfx it does not allow me to convert it to anything else. Unfortunately when utilizing Open SSL it only converted to a .pem. Which to my dismay is also unsupported-
Any assistance would be terrific.
Update:
I attempted to follow this question on Stack Overflow. Unfortunately Windows Server 2012 doesn't appear to do the conversion as well. It does convert it into a valid format, but then the Private Key can't be found.
In order to solve this issue I followed this blog here.
So I attempted to utilize Open SSL again, with these steps:
// Extract Private Key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
// Extract Certificate
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
// Encrypted Private Key
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Again you need to enter an import password. This time you need to enter the new password that you created in step 1. After that you're done. You decrypted your private key. In the folder you ran OpenSSL from you'll find the certificate (.crt) and the two private keys (encrypted and unencrypted).
That is how I solved my question.
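Added example, not the blog's or the poster's code: a POSIX shell script that splits a .pfx into the three files the Plesk format list above asks for. It adds the step the blog recipe leaves out, extracting the CA certificates with -cacerts for the -ca.crt file, and uses -nodes so the key comes out decrypted in one pass instead of the separate openssl rsa step. It assumes the openssl CLI is on PATH; the test CA, the server key and certificate and the password "changeit" are constructed material generated by the script.

```shell
#!/bin/sh
# Added example (not the blog's or the poster's code): split a .pfx into the
# private key, server certificate and CA bundle files that Plesk-style panels
# expect. Assumes the openssl CLI on PATH. The CA, server key/certificate and
# the password "changeit" are constructed test material built by make_test_pfx.
set -e

WORK=$(mktemp -d)
PASS=changeit

# Constructed material: a one-level chain (test CA -> server certificate),
# packed with its key into bundle.pfx the way an exporter would.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/server.pem" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$PASS" -out "$WORK/bundle.pfx"
}

# split_pfx <file.pfx> <password> <outdir>
# Produces private.key (decrypted), certificate.crt (leaf only) and
# chain-ca.crt (issuing CAs only) in <outdir>.
split_pfx() {
  pfx=$1; pass=$2; dir=$3
  mkdir -p "$dir"
  # -nocerts -nodes: the key alone, already decrypted, so the separate
  # "openssl rsa -in ... -out ..." step of the blog recipe is not needed.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
    -out "$dir/private.key" 2>/dev/null
  chmod 600 "$dir/private.key"
  # -clcerts: only the certificate that belongs to the key.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$dir/certificate.crt" 2>/dev/null
  # -cacerts: the issuing chain, which the blog recipe never extracts.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
    -out "$dir/chain-ca.crt" 2>/dev/null
}

# pem_count <file> <label>: number of "-----BEGIN <label>-----" blocks in <file>.
# The "Bag Attributes" header lines openssl writes above each block are
# ignored by PEM parsers.
pem_count() {
  grep -c "^-----BEGIN $2-----" "$1" || true
}

# cert_cn <file>: subject CN of the first certificate in <file>.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

make_test_pfx
split_pfx "$WORK/bundle.pfx" "$PASS" "$WORK/plesk"
echo "private.key     : $(pem_count "$WORK/plesk/private.key" "PRIVATE KEY") private key"
echo "certificate.crt : $(cert_cn "$WORK/plesk/certificate.crt")"
echo "chain-ca.crt    : $(cert_cn "$WORK/plesk/chain-ca.crt")"
```

On a real export, call split_pfx with the vendor's .pfx and its password; the private.key file is written unencrypted, which is what the panel wants, so keep it on a mode-600 path and delete any copy left in a download folder.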

Can a Cert be issued without a CSR and using old Private Key

I'm confused about something in the SSL renewal process using WHM/cPanel for an existing Comodo Extended Validation cert.
We have been issued a replacement certificate by Comodo without - I believe - ever submitting a CSR for them. I say "I believe" because there are 3 people with access to WHM for this server, but I'm assured that no one has been fiddling in the last year.
Does this sound possible? CAN a cert be supplied without a CSR if it's a replacement? I will attempt to get hold of Comodo but being a weekend, and seeing that the old cert runs out in a day I thought I'd consult the stackHiveMind :)
More info:
As a test, I've tried to install the new cert and 'fetch' the existing private key, but when I try to submit that I get the following error:
SSL install aborted due to error: Modulus mismatch, key file does not match certificate. Please use the correct key file
In some cases, yes, you can. Assuming you have an RSA private key in PEM format, this will extract the public key (it won't generate a certificate):
openssl rsa -in key.pem -pubout -out pubkey.pem
This will create a new CSR with the public key, obtained from the private key file.
openssl req -new -key key.pem -out host.csr
Note that, strictly speaking, a CA doesn't need you to submit a CSR to issue a certificate. All it needs is the public key (to which it will have access through your existing cert). It could potentially attach any Subject DN and attribute and issue it as a certificate without any need to contact you. Of course such practices might be incompatible with their policies, but technically, it's possible. The CSR is merely a convenient format for you to send a public key to request a certificate, and submit the name and attributes you would like (which you all sign together).
SSL install aborted due to error: Modulus mismatch, key file does not match certificate. Please use the correct key file
Provided you've done the certificate operations properly, this could indicate that the new certificate you've been issued has been issued against a different key-pair than yours. This could indicate foul play, because someone else could have issued a CSR with their own key-pair and have had this certificate issued to them (which could be quite worrying since you're talking of an EV cert too, which is supposed to have additional protections against this.)
I would suggest checking with your colleagues if any have requested a new certificate or contacting your CA to find out why you've received a new certificate. Renewing the certificate using the previous public key might be part of their existing package. If it's using the same public key, it's not a problem, although it's better practice to change the key material, i.e. submit a CSR coming from a new key-pair, when renewing a certificate.
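Added example, not from any of the posts on this page: a POSIX shell script that performs the check behind the "Modulus mismatch" error quoted above. The same relation decides whether certutil -repairstore can bind a new .cer to a stored key (the first question on this page) and whether a certificate received from another team can be used with a locally generated key at all (the Tomcat question). It compares the SHA-256 of the DER public key taken from a private key, a certificate or a CSR, so it goes slightly beyond the openssl rsa -pubout command in the answer by using openssl pkey, which also handles non-RSA keys. It assumes the openssl CLI is on PATH; the two keys, the certificate and the CSR are constructed test material generated by the script.

```shell
#!/bin/sh
# Added example (not from the thread): do two files (private key, certificate
# or CSR) carry the same public key? This is the relation certutil -repairstore,
# cPanel's "Modulus mismatch" check and the Tomcat keystore "public key doesn't
# match" error all test. Assumes the openssl CLI on PATH; all material is
# constructed here.
set -e

WORK=$(mktemp -d)

# pub_fp <file>: SHA-256 of the DER-encoded public key found in a PEM private
# key, certificate or certificate request. Comparing the whole public key
# rather than "-modulus" works for EC keys as well as RSA.
pub_fp() {
  f=$1
  if grep -q "CERTIFICATE REQUEST" "$f"; then
    openssl req -in "$f" -noout -pubkey
  elif grep -q "BEGIN CERTIFICATE" "$f"; then
    openssl x509 -in "$f" -noout -pubkey
  else
    openssl pkey -in "$f" -pubout
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches <a> <b>: prints "match" or "mismatch"; always exits 0 so it is
# safe inside command substitution under set -e.
key_matches() {
  if [ "$(pub_fp "$1")" = "$(pub_fp "$2")" ]; then echo match; else echo mismatch; fi
}

# Constructed material: key A with a self-signed certificate and a renewal CSR
# made from the same key (the "openssl req -new -key" command in the answer),
# plus an unrelated key B standing in for a certificate issued against someone
# else's key pair.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=renew.example.test" \
  -keyout "$WORK/a.key" -out "$WORK/a.crt" >/dev/null 2>&1
openssl req -new -key "$WORK/a.key" -subj "/CN=renew.example.test" \
  -out "$WORK/a.csr" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/b.key" >/dev/null 2>&1

echo "key A vs cert A: $(key_matches "$WORK/a.key" "$WORK/a.crt")"
echo "key A vs CSR  A: $(key_matches "$WORK/a.key" "$WORK/a.csr")"
echo "CSR A vs cert A: $(key_matches "$WORK/a.csr" "$WORK/a.crt")"
echo "key B vs cert A: $(key_matches "$WORK/b.key" "$WORK/a.crt")"
```

Point key_matches at the key you still hold and the certificate you were sent: "match" means the certificate was issued for your key and only the binding step remains; "mismatch" means it was issued against a different key pair, no repair or import option will attach your key to it, and the question to ask the CA (or your colleagues) is who submitted the request that produced it.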