I need to have an HTTPS-enabled self-hosted WCF service. Given that there needs to be a certificate to have the "s" enabled, I created the certificate using the following two commands in this order:
makecert.exe -sv SignRoot.pvk -cy authority -r signroot.cer -a sha1 -n "CN=AuthorityName" -ss my -sr localmachine
and then
makecert.exe -iv SignRoot.pvk -ic signroot.cer -cy end -pe -n CN="localhost" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
Now to configure the port for SSL, netsh has to be used, which requires the arguments certhash and appid. My best understanding is that I need the certificate to get these values. But where is the certificate I just created?!
I did try certmgr.msc; it showed the root under "Certificates - Current User". How do I make it show the "localmachine" certificates, as specified by the -sr option?
Again, where are my certificates?!
The certificates are in the .CER files you specify on the command-line.
To use them you need to import them into the certificate store using the MMC/Certificate snap-in.
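Added example (not part of the original answer): with `-ss my -sr localmachine` makecert has already placed the certificate in the local computer's Personal store, which certmgr.msc does not show (that console is the current user's store; use mmc.exe with the Certificates snap-in for the Computer account, or certlm.msc on Windows 8/Server 2012 and later). The script below reads the certificate straight from that store with PowerShell, takes its thumbprint as the certhash, checks the two properties SChannel will insist on, and binds it to a port with netsh. The subject CN=localhost comes from the question; port 8443 and the application GUID are assumed (any GUID works; it only records which application owns the binding).

```powershell
# Added example, not code from the original post.
# Assumptions: subject "CN=localhost" as in the question, port 8443, and an
# arbitrary appid GUID. Run from an elevated prompt (netsh http needs it).
$subject = 'CN=localhost'
$port    = 8443
$appId   = [guid]::NewGuid().ToString('B')   # "{...}" form that netsh expects

# -sr localmachine -ss my puts the certificate here, not in the user's store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with subject '$subject' and a private key in LocalMachine\My"
}

# The certhash netsh wants is the SHA-1 thumbprint as hex without spaces,
# which is exactly what the Thumbprint property holds.
$thumb = $cert.Thumbprint
Write-Host "Found $($cert.Subject), thumbprint $thumb, expires $($cert.NotAfter)"

# Sanity checks before binding: Server Authentication EKU (the -eku value
# used in the question) and a validity period that covers now.
$serverAuth = '1.3.6.1.5.5.7.3.1'
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) {
    $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    if (-not ($ekuOids -contains $serverAuth)) {
        throw 'Certificate lacks the Server Authentication EKU'
    }
}
if ($cert.NotAfter -lt (Get-Date) -or $cert.NotBefore -gt (Get-Date)) {
    throw 'Certificate is outside its validity period'
}

# Remove any stale binding on the port, then bind and show the result.
netsh http delete sslcert "ipport=0.0.0.0:$port" 2>$null
netsh http add sslcert "ipport=0.0.0.0:$port" "certhash=$thumb" "appid=$appId"
netsh http show sslcert "ipport=0.0.0.0:$port"
```

The binding is keyed by the IP:port pair, so a WCF service self-hosted on https://localhost:8443/ picks it up without further configuration; clients will still only trust it once the AuthorityName root created with the first makecert command has been imported into their Trusted Root store.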
I know the server needs a self-signed CA. But how can I generate a CA, and where do I put it to make the server's PowerShell 2.0 work? And what is CN matching?
The following is what happens when I run the command winrm quickconfig -transport:https:
WinRM already is set up to receive requests on this machine.
WSManFault
    Message
        ProviderFault
            WSManFault
                Message
                    Error number: -2144108267 0x80338115
                    Cannot create a WinRM listener on HTTPS because this machine does not
                    have an appropriate certificate. To be used for SSL, a certificate
                    must have a CN matching the hostname, be appropriate for
                    Server Authentication, and not be expired, revoked, or self-signed.
Unless you want to go to the trouble of setting up a full-fledged single-tier or two-tier PKI infrastructure (which would be a topic for ServerFault rather than StackOverflow) you could make do with makecert.exe to create a self-signed CA certificate and host certificates signed with it.
Create the CA certificate like this:
& makecert.exe -pe -r `
-n "CN=TestCA" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky signature `
"TestCA.cer"
Then create a certificate for the host:
$cn = if ($env:USERDNSDOMAIN) {
"$env:COMPUTERNAME.$env:USERDNSDOMAIN"
} else {
$env:COMPUTERNAME
}
& makecert.exe -pe `
-n "CN=$cn" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky exchange `
-eku 1.3.6.1.5.5.7.3.1 `
-in "TestCA" `
-is my `
-ir LocalMachine `
-sp "Microsoft RSA SChannel Cryptographic Provider" `
-sy 12 `
"$cn.cer"
The CN (Common Name) is the subject of your certificate and for host certificates must match the computer's FQDN.
If you want to create host certificates for other hosts than your local computer you need to set $cn to the name/FQDN of the other computer. To get the certificate and private key to the destination computer export both from your certificate store (<serial> is the serial number of the certificate):
& certutil.exe -exportPFX -f -privatekey -p "password" "<serial>" computer.pfx
Copy computer.pfx to the computer for which you generated the certificate and import it like this:
& certutil.exe -importPFX -f -privatekey C:\path\to\computer.pfx
You'll be prompted for the password you specified when exporting the certificate.
On all machines that should use certificates signed by your TestCA you need to import TestCA.cer under Trusted Root Certification Authorities for the computer account.
& certutil.exe -f -addstore root C:\path\to\TestCA.cer
Note that makecert.exe isn't available as a separate download anymore, but you can get it from the Windows SDK (download the ISO image and run the SDK Tools installer from the subfolder \setup\WinSDKTools).
Note also that using a makeshift CA like that is strongly discouraged for any kind of production environment.
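Added example (not part of the original answer): the winrm error in the question lists the exact properties it checks, so before running quickconfig it is worth testing the host certificate against each of them and then creating the HTTPS listener directly from the thumbprint. The script assumes the certificate was created with the makecert command above (subject CN=$cn, issued by TestCA, in LocalMachine\My) and that TestCA.cer has been imported into the computer's Trusted Root store; $cn is computed the same way as in the answer.

```powershell
# Added example, not code from the original answer.
# Assumptions: host certificate in LocalMachine\My with subject CN=$cn, issued
# by the TestCA created above, whose TestCA.cer is in LocalMachine\Root.
$cn = if ($env:USERDNSDOMAIN) { "$env:COMPUTERNAME.$env:USERDNSDOMAIN" } else { $env:COMPUTERNAME }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$cn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate for CN=$cn with a private key in LocalMachine\My" }

# Reproduce the checks from the winrm error text one by one.
$problems = @()
$now = Get-Date
if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
    $problems += 'outside its validity period'
}
if ($cert.Subject -eq $cert.Issuer) {
    # This is why the CA certificate cannot itself be used as the host certificate.
    $problems += 'self-signed (issuer equals subject)'
}
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
if (-not ($ekuOids -contains '1.3.6.1.5.5.7.3.1')) {
    $problems += 'missing Server Authentication EKU (1.3.6.1.5.5.7.3.1)'
}
# Build the chain the way SChannel will. This fails if TestCA.cer was not
# imported into LocalMachine\Root. Revocation checking is turned off because
# a makecert CA publishes no CRL; a real CA's revoked certificate would fail here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "chain does not build: $status"
}
if ($problems.Count -gt 0) {
    throw "Certificate $($cert.Thumbprint) is unusable for WinRM: $($problems -join ', ')"
}

# Create the HTTPS listener (elevated prompt). This is the PowerShell form of
#   winrm create winrm/config/Listener?Address=*+Transport=HTTPS
#       @{Hostname="<fqdn>";CertificateThumbprint="<thumbprint>"}
New-WSManInstance -ResourceURI winrm/config/Listener `
    -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
    -ValueSet   @{ Hostname = $cn; CertificateThumbprint = $cert.Thumbprint }

# Verify the listener exists; clients then connect with
#   Enter-PSSession -ComputerName $cn -UseSSL
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' }
```

Note that "CN matching" means the client compares the hostname it typed against the certificate's subject CN, so a client that connects with the short computer name to a certificate issued for the FQDN will fail with a CN mismatch even though the server accepted the listener; the remote host's firewall must also allow TCP 5986.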
I know it's bad to just share a link, but I'm on a mobile and it's better than nothing, and it uses all/mostly PS commands.
https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/
I'm trying to create a new self-signed certificate in order to specify a duration different from the one created by default by an application.
Using the command:
makecert.exe -b 10/10/2015 -m 36 -n "CN=MYSERVER.domain.com" -sk "MYSERVER.domain.com" -sky "exchange" -sr localmachine -ss my -in "SelfSignedCA" -ir localmachine -is root
but the system prevents me, reporting "Fail to acquire a security provider from the issuer's certificate - Failed".
I'm not so confident in creating certificates... any help?
Thanks in advance!
I created a root CA using makecert:
makecert -r -pe -n "CN=MyRootCA" -b 01/01/2015 -e 01/01/2020 -ss root -sr localmachine -len 2048
I created a CRL for that root CA and imported it with certmgr:
makecert -crl -n "CN=MyRootCA" -r -sv MyRootCRL.pvk MyRootCRL.crl
I created a certificate (for client authentication) derived from my root CA:
makecert -pe -n "CN=MyClient1" -eku 1.3.6.1.5.5.7.3.2 -is root -ir localmachine -in MyRootCA -ss my -sr currentuser -len 2048
Now the question:
How can I revoke my MyClient1 certificate?
I have the CRL in certmgr, but I don't see any way to add my MyClient1 certificate to this CRL.
(I'm using Windows 7)
Can anyone help me with this problem?
You could use certutil to revoke the certificate (according to the documentation here).
I have Fiddler configured to decrypt SSL traffic from a Java application.
But I am seeing the following error in the Fiddler log:
19:39:27:1726 Fiddler.CertMaker> [C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=test.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 03/26/2013] Returned Error: Creation of the interception certificate failed.
makecert.exe returned -1.
Results from C:\Program Files (x86)\Fiddler2\MakeCert.exe -pe -ss my -n "CN=test.example.com, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 03/26/2013
Error: Fail to acquire a security provider from the issuer's certificate
Failed
Does anyone know how to fix this?
This likely means that you have a 3rd party encryption provider installed (e.g. Entrust or some VPN software) that is preventing MakeCert from generating the End-Entity certificate from the FiddlerRoot certificate.
There are some ways to workaround that, but the simplest is to try using http://fiddler2.com/r/?FiddlerCertMaker instead, as it doesn't rely on makecert.exe.
I'm having an error trying to enable an SSL certificate for the WS-AT module for MSDTC:
I've already followed the steps to create the certificate:
How to: Create and Install Temporary Client Certificates in WCF During Development
But still got this error:
"Could not use the SSL Certificate because it does not support Key Encipherment or Digital Signature"
I also made sure that I am using an admin account and that the key file under Application Data --> Microsoft --> Crypto --> RSA has full permissions for the admin account I am using.
I'm using IIS 7, on a Windows 7 machine
Any clues?
I've made it work, finally. I used the following commands:
makecert.exe -pe -n CN=MyCN -cy authority -r -sv C:\Mycer.pvk C:\Mycer.cer
makecert.exe -ss Root -sr LocalMachine -n CN=MyCN -cy authority -r -sv C:\Mycer.pvk
makecert -ss My -sr LocalMachine -n CN=MyFullDomainName -sky exchange -ir LocalMachine -iv C:\Mycer.pvk -ic C:\Mycer.cer
Hope it helps someone.
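Added example (not part of the original post): the "does not support Key Encipherment or Digital Signature" message refers to the certificate's Key Usage extension and to the kind of key behind it, and the poster's other suspect was the ACL on the private key file. The function below reads all three from a certificate in LocalMachine\My so the cause can be confirmed before re-running makecert. It assumes Windows PowerShell on .NET Framework and a CSP-backed RSA key, which is what makecert produces (on PowerShell 7, or for CNG keys, the PrivateKey property does not expose CspKeyContainerInfo); the subject CN=MyFullDomainName is the placeholder from the post.

```powershell
# Added example, not code from the original post.
# Assumptions: Windows PowerShell (.NET Framework), a CSP-backed RSA key as
# created by makecert, certificate in LocalMachine\My. The subject
# "CN=MyFullDomainName" is the placeholder name used in the post.
function Test-MsdtcCertificate {
    param([Parameter(Mandatory = $true)][string]$Subject)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate '$Subject' with a private key in LocalMachine\My" }

    # Key Usage extension (OID 2.5.29.15). When it is absent every usage is
    # permitted; when present it must include Key Encipherment (0x20) or
    # Digital Signature (0x80), the two bits named in the error message.
    $ku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $kuOk = $true
    $kuText = '(no Key Usage extension: all usages permitted)'
    if ($ku) {
        $bits   = [int]$ku.KeyUsages
        $kuOk   = (($bits -band 0x20) -ne 0) -or (($bits -band 0x80) -ne 0)
        $kuText = $ku.KeyUsages.ToString()
    }

    # Key spec and key file. makecert -sky exchange creates an AT_KEYEXCHANGE
    # key; -sky signature creates a signature-only key that SChannel cannot
    # use for RSA key exchange. Machine keys live under ProgramData.
    $keySpec = '(not a CSP key; cannot inspect)'
    $keyFile = $null
    $acl     = @()
    $rsa = $cert.PrivateKey
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info    = $rsa.CspKeyContainerInfo
        $keySpec = $info.KeyNumber.ToString()        # Exchange or Signature
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
        if (Test-Path $keyFile) {
            # Who can read the key: the service account running MSDTC must be here.
            $acl = (Get-Acl $keyFile).Access |
                ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))" }
        }
    }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        KeyUsage   = $kuText
        KeyUsageOk = $kuOk
        KeySpec    = $keySpec
        KeyFile    = $keyFile
        KeyFileAcl = $acl
    }
}

Test-MsdtcCertificate -Subject 'CN=MyFullDomainName' | Format-List
```

If KeyUsageOk is false the certificate has to be reissued; if KeySpec reads Signature the makecert call needs -sky exchange, as in the working commands above; and if KeyFileAcl lacks the account that runs the MSDTC service, the file permissions rather than the certificate are the problem.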