Can I create a self-signed SSL certificate for Windows Azure using only makecert.exe? - ssl

Background: I need to test an https endpoint for a WebRole on Windows Azure. For that I need to upload a self-signed certificate, add the certificate's thumbprint to the WebRole's configuration and finally associate the endpoint with that configured certificate.
I created a self-signed certificate using makecert.exe, which is available through the Visual Studio Command Prompt. I used the following command:
makecert.exe -r -pe -n "CN=test.cloudapp.net" -sky exchange -ss my -len 2048 test.pfx
The command succeeds and I can upload the certificate file to the Windows Azure hosted service. But deployment of the WebRole fails with the following error:
Certificate with thumbprint 6AB... associated with HTTPS input
endpoint Endpoint2 does not contain private key.
I have to export the certificate from the my store, and choose to include the private key and provide a password. If I upload this exported certificate file and use its thumbprint, then deployment succeeds.
I want to create a certificate file that includes the private key, without first saving the certificate to any store and exporting it from the store. Is that possible using makecert.exe?

To create a certificate without saving it to any store you'll need to use pvk2pfx.exe (available through the Visual Studio Command Prompt).
It works like this:
makecert.exe -sv CertKey.pvk -n "CN=My Azure Certificate" CertKey.cer
pvk2pfx.exe -pvk CertKey.pvk -spc CertKey.cer -pfx MyPFX.pfx -po yourPasswordHere
Running makecert.exe will ask you for a password for the private key. You'll need to enter that password for the -po argument of the pvk2pfx.exe command.
Finally you'll have a .pfx file (containing the private key) named MyPFX.pfx.
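As an added example (not part of the original answer), the check a practitioner wants before uploading: load the .pfx that pvk2pfx.exe produced, confirm it really carries the private key, and read the thumbprint that goes into the WebRole configuration. The file name MyPFX.pfx and the password come from the answer above; the function name and everything else are my assumptions.

```powershell
# Added example, not from the original post: load a .pfx and report whether it
# carries a private key, plus the thumbprint needed for the WebRole configuration.
function Test-PfxHasPrivateKey {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Password
    )
    $fullPath = (Resolve-Path -Path $Path).ProviderPath
    # DefaultKeySet without PersistKeySet: the key is loaded for inspection only
    # and is not left behind in any certificate store or key container.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath, $Password, $flags

    [pscustomobject]@{
        File          = $fullPath
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # this is what the Azure deployment checks
        NotAfter      = $cert.NotAfter
    }
}

# Usage (file name and password as used in the answer above):
$result = Test-PfxHasPrivateKey -Path .\MyPFX.pfx -Password 'yourPasswordHere'
if (-not $result.HasPrivateKey) {
    throw "$($result.File) does not contain a private key; export it again including the key."
}
"Use thumbprint $($result.Thumbprint) in the WebRole configuration."
```

A file written by makecert.exe directly (as in the question's test.pfx) is a DER certificate without a key, so the function reports HasPrivateKey = False for it; that is exactly the condition the deployment error complains about.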

Related

command for importing a keystore into a kdb file

I was following the command-line installation of CLM 6.0.5 with Liberty profile (distributed environment) and I could complete the installation part of the application successfully by following the IBM documents.
Also I have installed the IBM HTTP Server on a separate server and now I need to do the SSL certificate import and handshake with the Liberty profile.
The reference link which I am using here. - https://jazz.net/wiki/bin/view/Deployment/CLMDistributedSetupUsingLibertyProfile
part 1 -Create a key database and self-signed certificate for IHS
I completed these steps using the two gskcmd commands below on the command line, and they succeeded.
On the IHS machine, Open a command terminal and cd to /bin, e.g. /opt/IBM/HTTPServer/bin,
Create the key database
./gskcmd -keydb -create -db ihskeys.kdb -pw xxxxx -expire 3650 -stash -type cms
Create the self-signed certificate for IHS URL
./gskcmd -cert -create -db ihskeys.kdb -label default -expire 3650 -size 2048 -dn "CN=xxxxx" -default_cert yes -pw xxxxx
But in part 2- Setup SSL Handshake between the Liberty profiles and IHS
I couldn't find any proper commandline guidance to do this through commands. From each application servers (JTS, CCM, QM, RM) I copied the default keystore files ([JAZZ_HOME]\server\liberty\servers\clm\resources\security\ibm-team-ssl.keystore)
to the IHS server and I need to import these keystore files into the IHS kdb file through the command line. I tried various options and it keeps failing.
./gskcapicmd -cert -import -db /opt/IBM/HTTPServer/ibm-team-ssl.keystore -pw ibm-team -target /opt/IBM/HTTPServer/key.kdb -target_pw ibm-team
It gives an "invalid keystore format" error. My aim here is to import these copied keystore files into the IHS kdb file (as personal certificates).
IHS includes two command-line certificate management tools; only the Java-based "[IHS Home]/bin/gskcmd" (aka ikeycmd) can read or write *.jks Java keystores.

Create signed certificate without UI password

I want to create a personal certificate, using an existing certificate as issuer. I have both cer and pvk files for the issuer. I'm using makecert with the following parameters:
makecert.exe ^
-n "CN=domainname.com" ^
-iv CARoot.pvk ^
-ic CARoot.cer ^
-a sha512 ^
-len 4096 ^
-sky exchange ^
certificatename.cer
where CARoot is previously created certificate serving as Certificate Authority.
Everything works as expected - certificate is properly created, having CARoot as issuer.
My current concern is that I want to avoid any UI while the certificate is generated (since it will be part of an automated process). For now, a UI window appears asking for the password of the pvk file.
Can I somehow put password in command line?
There is same discussion here.
When using MakeCert to create a self-signed certificate it will show popups to enter the passwords for the private key. There is no option available to run MakeCert in silent mode and prevent it from showing the popup windows. You can check the following codeproject to use the provided JavaScript code to run MakeCert without the password popup windows.
You can also use some custom commands like "winpr-makecert" with "-Silent" option.
For more information see here.
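As an added example (not part of the original answer), the prompt-free route on current Windows: keep the CA and leaf keys in the machine certificate store instead of .pvk files, issue the leaf with New-SelfSignedCertificate -Signer (Windows 10 / Server 2016 or later), and take the .pfx export password from a variable such as a CI secret, so no password window ever appears. The subject names, output directory, environment variable and function name are my assumptions.

```powershell
# Added example, not from the original answer: issue a certificate signed by an
# existing CA without any password popup, by keeping keys in the machine store
# (New-SelfSignedCertificate, Windows 10 / Server 2016 or later) and supplying the
# export password from a variable. Subject names, paths and password are assumptions.
function New-IssuedCertificateNoPrompt {
    param(
        [Parameter(Mandatory)][string]$CaSubject,     # e.g. 'CN=CARoot'
        [Parameter(Mandatory)][string]$DnsName,       # e.g. 'domainname.com'
        [Parameter(Mandatory)][string]$OutDirectory,
        [Parameter(Mandatory)][string]$PfxPassword    # from a CI secret, never typed interactively
    )
    $store = 'Cert:\LocalMachine\My'

    # Reuse the CA if it is already in the store (its private key must be there too),
    # otherwise create it once. ca=true and pathlength=0 mark it as a leaf-only issuer.
    $ca = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $CaSubject -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $ca) {
        $ca = New-SelfSignedCertificate -Subject $CaSubject -CertStoreLocation $store `
            -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
            -HashAlgorithm sha512 -KeyLength 4096 -NotAfter (Get-Date).AddYears(5) `
            -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0')
    }

    # Leaf certificate for TLS server use (EKU 1.3.6.1.5.5.7.3.1), signed by $ca.
    $leaf = New-SelfSignedCertificate -Subject "CN=$DnsName" -DnsName $DnsName -Signer $ca `
        -CertStoreLocation $store -KeyExportPolicy Exportable `
        -KeyUsage KeyEncipherment, DigitalSignature `
        -HashAlgorithm sha512 -KeyLength 4096 -NotAfter (Get-Date).AddYears(2) `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')

    # Export without UI: the password is a SecureString built from the variable.
    $secure = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
    $pfx = Join-Path $OutDirectory "$DnsName.pfx"
    $cer = Join-Path $OutDirectory "$DnsName.cer"
    $null = Export-PfxCertificate -Cert $leaf -FilePath $pfx -Password $secure
    $null = Export-Certificate -Cert $leaf -FilePath $cer

    [pscustomobject]@{ Issuer = $leaf.Issuer; Thumbprint = $leaf.Thumbprint; Pfx = $pfx; Cer = $cer }
}

# Usage: run from an elevated PowerShell session (LocalMachine store); the
# password is read from an environment variable populated by the build system.
New-IssuedCertificateNoPrompt -CaSubject 'CN=CARoot' -DnsName 'domainname.com' `
    -OutDirectory 'C:\certs' -PfxPassword $env:PFX_PASSWORD
```

Because the CA's private key never leaves the machine store, the build account running this script needs read access to that key; that is the only secret the pipeline has to protect besides the export password.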

How to enable WinRM HTTPS transport?

I know the server needs a self-signed CA. But how can I generate a CA, and where can I put it to make the server's PowerShell 2.0 work? And what is CN matching?
The following is what happens when I run the command winrm quickconfig -transport:https:
WinRM already is set up to receive requests on this machine.
WSManFault
Message
ProviderFault
WSManFault
Message
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not
have an appropriate certificate. To be used for SSL, a certificate
must have a CN matching the hostname, be appropriate for
Server Authentication, and not be expired, revoked, or self-signed.
Unless you want to go to the trouble of setting up a full-fledged single-tier or two-tier PKI infrastructure (which would be a topic for ServerFault rather than StackOverflow) you could make do with makecert.exe to create a self-signed CA certificate and host certificates signed with it.
Create the CA certificate like this:
& makecert.exe -pe -r `
-n "CN=TestCA" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky signature `
"TestCA.cer"
Then create certificate for the host:
$cn = if ($env:USERDNSDOMAIN) {
"$env:COMPUTERNAME.$env:USERDNSDOMAIN"
} else {
$env:COMPUTERNAME
}
& makecert.exe -pe `
-n "CN=$cn" `
-ss my `
-sr LocalMachine `
-a sha256 `
-sky exchange `
-eku 1.3.6.1.5.5.7.3.1 `
-in "TestCA" `
-is my `
-ir LocalMachine `
-sp "Microsoft RSA SChannel Cryptographic Provider" `
-sy 12 `
"$cn.cer"
The CN (Common Name) is the subject of your certificate and for host certificates must match the computer's FQDN.
If you want to create host certificates for other hosts than your local computer you need to set $cn to the name/FQDN of the other computer. To get the certificate and private key to the destination computer export both from your certificate store (<serial> is the serial number of the certificate):
& certutil.exe -exportPFX -f -privatekey -p "password" "<serial>" computer.pfx
Copy computer.pfx to the computer for which you generated the certificate and import it like this:
& certutil.exe -importPFX -f -privatekey C:\path\to\computer.pfx
You'll be prompted for the password you specified when exporting the certificate.
On all machines that should use certificates signed by your TestCA you need to import TestCA.cer under Trusted Root Certification Authorities for the computer account.
& certutil.exe -f -addstore ca C:\path\to\TestCA.cer
Note that makecert.exe isn't available as a separate download anymore, but you can get it from the Windows SDK (download the ISO image and run the SDK Tools installer from the subfolder \setup\WinSDKTools).
Note also that using a makeshift CA like that is strongly discouraged for any kind of production environment.
I know it's bad to just share a link, but I'm on a mobile and it's better than nothing and uses all/mostly PS commands.
https://4sysops.com/archives/powershell-remoting-over-https-with-a-self-signed-ssl-certificate/
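As an added example (not part of either answer above), the listener step that the accepted answer leaves to the reader, with the certificate first validated against the exact conditions the WinRM error message lists: CN matching the hostname, Server Authentication EKU, not expired, not self-signed, private key present. It assumes the host certificate signed by TestCA from the answer above is already in Cert:\LocalMachine\My and that TestCA.cer has been imported as a trusted root; the function names are mine, and it needs an elevated session on Windows 8 / Server 2012 or later for New-WSManInstance and Test-WSMan.

```powershell
# Added example, not from the original answer: validate the host certificate the
# way the WinRM error message describes (CN matches the hostname, Server
# Authentication EKU, not expired, private key present, not self-signed), then
# create the HTTPS listener on port 5986, open the firewall and test it.
# Assumes the TestCA-signed host certificate from the answer above is already in
# Cert:\LocalMachine\My; run elevated on Windows 8 / Server 2012 or later.
function Get-LocalFqdn {
    if ($env:USERDNSDOMAIN) { "$env:COMPUTERNAME.$env:USERDNSDOMAIN" } else { $env:COMPUTERNAME }
}

function Test-WinRmServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Hostname
    )
    $problems = @()
    # "CN matching": the subject CN is what the client compares to the name it connected to.
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Hostname)              { $problems += "CN '$cn' does not match hostname '$Hostname'" }
    if (-not $Cert.HasPrivateKey)       { $problems += 'no private key in the machine store' }
    if ($Cert.NotAfter -lt (Get-Date))  { $problems += "expired on $($Cert.NotAfter)" }
    if ($Cert.Subject -eq $Cert.Issuer) { $problems += 'self-signed (issue it from the CA certificate instead)' }
    $serverAuth = '1.3.6.1.5.5.7.3.1'
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not (@($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $serverAuth)) {
        $problems += "missing Server Authentication EKU ($serverAuth)"
    }
    return $problems
}

function Enable-WinRmHttpsListener {
    param([string]$Hostname = (Get-LocalFqdn))
    # Pick the newest machine certificate issued for this host and check it first.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Hostname" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject CN=$Hostname in Cert:\LocalMachine\My" }
    $problems = Test-WinRmServerCertificate -Cert $cert -Hostname $Hostname
    if ($problems) {
        throw "Certificate $($cert.Thumbprint) is not usable for WinRM HTTPS: $($problems -join '; ')"
    }

    # Equivalent of 'winrm create winrm/config/Listener?Address=*+Transport=HTTPS ...'
    New-WSManInstance -ResourceURI 'winrm/config/Listener' `
        -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
        -ValueSet @{ Hostname = $Hostname; CertificateThumbprint = $cert.Thumbprint } | Out-Null

    # WinRM over HTTPS listens on TCP 5986; netsh also works on older hosts.
    netsh advfirewall firewall add rule name="WinRM HTTPS (5986)" dir=in action=allow protocol=TCP localport=5986 | Out-Null

    # Round-trip check against the new listener; fails if TestCA is not trusted locally.
    Test-WSMan -ComputerName $Hostname -UseSSL
}

Enable-WinRmHttpsListener
```

The self-signed check mirrors the error text from winrm quickconfig; it is why the answer issues the host certificate from TestCA rather than using a self-signed one directly. If Test-WSMan fails with a trust error while the listener exists, the missing piece is the certutil -addstore step for TestCA.cer on the connecting machine.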

Self Signed SSL Certificate 403.7 Error

I have been having this issue for about 2 weeks. I have done a lot of research and tried different ways but no joy. I have a development website on my computer (Windows 7 Pro) with sql server 2008 r2 and using IIS 7.5. There is an actual development server running the database and Webserver but because of my location I cannot use the main development site. I issued a self signed Trusted Root Certificate:
makecert -r -pe -n "CN=ROOT AUTHORITY" -ss my -sr CurrentUser -a sha1 -sky signature -cy authority -sv ca.pvk ca.cer
Then I install that into the trusted root on the local computer. After that I created a certificate for IIS to use.
makecert -pe -n "CN=example.website.name.com" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -ic ca.cer -iv ca.pvk -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -sv server.pvk server.cer
Then I create the .pfx file for IIS
pvk2pfx -pvk server.pvk -spc server.cer -pfx server.pfx
After I do the above, I import the certificate into IIS and then bind the website to the SSL certificate (server.pfx).
After all that is done, I go on the website https://example.website.name.com and I get 403.7 forbidden.
Can somebody please help me out with this issue?
Take a look at some of these pitfalls...
Server Issue #1 - The client cert passed in has 1 or more certification paths that do NOT exist on the server. Open the cert go to certification path (tab) and make sure each of the root authorities are in the SERVERS trusted root certificate authorities. Note, you DO NOT need to install the cert on the server just the root authorities public keys under Certificates (Local Computer) \ Trusted Root Certification Authorities.
Server Issue #2 (previously mentioned solution) - In IIS, for the site, make sure the SSL Settings are set to Accept OR Require (never Ignore). The benefit of using Require is that the IIS logs will show you a 403.7 error, whereas Accept will just get you IsPresent == false but with a 200 HTTP code.
Client Issue #1 - Same as Server Issue #1: you've got to trust those authorities!
Client Issue #2 - You have the trusted root authorities but NOT the private key for the cert itself. Make sure you install the pfx (private key) into the cert store, not the public key (.cer). You can also see if you have the private key by double-clicking the cert in the cert store; on the General tab you should see a message saying as much.
Client Issue #3 - You put the cert in the wrong place. Probably best to place your cert in Certificates (Local Computer) \ Personal \ Certificates, rather than (current user). This will make the cert available to process accounts that are running your code and actually need access to it.
Client Issue #4 - Right mouse click the cert (in the store not a .cer file) --> All Tasks --> Manage Private Keys... and make sure the process account running your code has "Read" permission. A quick test of this (but not recommended for production use) is to add "Everyone" as read to see if this is your issue
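As an added example (not part of the original answer), a diagnostic that checks the pitfalls above in one pass: for a client certificate in a local store, whether every issuer in its chain is in the machine's trusted stores (#1), whether the private key is present (Client #2), which store it lives in (Client #3) and who can read the key file (Client #4), plus the site's IIS SSL client-certificate setting (Server #2). The thumbprint and site name are placeholders, the function names are mine, and it assumes the WebAdministration module that ships with IIS 7.5; run it elevated.

```powershell
# Added example, not from the original answer: a one-shot diagnostic for the
# pitfalls listed above. Thumbprint and site name are placeholders; run elevated.
Import-Module WebAdministration   # IIS 7.5 PowerShell module

function Test-ClientCertificateReadiness {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # LocalMachine, not CurrentUser (Client #3)
    )
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in $StorePath" }
    $report = [ordered]@{ Store = $StorePath; Subject = $cert.Subject; HasPrivateKey = $cert.HasPrivateKey }

    # Pitfall #1: walk the chain and compare each issuer against the machine Root/CA stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    $trusted = (Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA).Thumbprint
    $report.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $report.IssuersNotInMachineStores = @($chain.ChainElements | Select-Object -Skip 1 |
        Where-Object { $trusted -notcontains $_.Certificate.Thumbprint } |
        ForEach-Object { $_.Certificate.Subject })

    # Client #4: the process account needs Read on the key container file.
    try {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
        $report.KeyFileReaders = @((Get-Acl -Path $keyFile).Access |
            ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    } catch {
        $report.KeyFileReaders = "could not resolve key file: $($_.Exception.Message)"
    }
    [pscustomobject]$report
}

function Get-SiteClientCertMode {
    param([Parameter(Mandatory)][string]$SiteName)
    # Server #2: sslFlags should contain SslNegotiateCert (Accept) or SslRequireCert (Require).
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/security/access' -Name sslFlags
    $flags = if ($raw.PSObject.Properties['Value']) { [string]$raw.Value } else { [string]$raw }
    switch -Wildcard ($flags) {
        '*SslRequireCert*'   { 'Require' }
        '*SslNegotiateCert*' { 'Accept' }
        default              { "Ignore (sslFlags=$flags)" }
    }
}

# Usage (thumbprint and site name are placeholders):
Test-ClientCertificateReadiness -Thumbprint 'PUT-CLIENT-CERT-THUMBPRINT-HERE' | Format-List
Get-SiteClientCertMode -SiteName 'Default Web Site'
```

An empty IssuersNotInMachineStores list with HasPrivateKey = True and the application pool identity among KeyFileReaders rules out the four client-side pitfalls; a mode of Ignore on the server means IIS never asks for the client certificate in the first place.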

Preventing Duplication of the x509 Certificate Used on a WCF Client?

I have a WPF and WCF app that requires installing the certificate (.pfx) on the client side to enable the WPF app to call the WCF service.
Now how can I prevent the client from exporting the certificate from his certificate store (so that he won't be able to grab the .pfx file and install it on another client computer)?
Generate Certs for WCF
Generate a Certificate Authority Cert
makecert -r -pe -n "CN=MyCA" -ss my -sr localMachine MyRootPublicCert.cer
-r Create a self-signed certificate
-pe Mark the generated private key as exportable
-ss Subject's certificate store name that stores the output certificate
-sr Subject's certificate store location
The file pops up in the personal certs store of the machine you generate the cert from.
This is the file you will need to import into your server/client as a trusted root authority (rt click on the .cer file you created and install certificate, put it into Trusted root certification authorities)
Generate Server Cert
You need to export the cert with the private key inside in order to use it on the server, so from the machine you created the CA cert on open mmc, certificates add-on, Personal, click on cert, >> rt click >> all tasks >> export >> select yes, export the private key >> select .PFX >> choose a password >> name this file something like NamePrivateKeyCert.pfx
Install this cert into the Personal Store of the server machine and use it to host the service.
Create Client Cert
Create server certificate from CA machine. This will generate a cert file with the private key embedded:
makecert -a sha1 -n "CN=ClientCert" -sky exchange -pe -ss My -sr LocalMachine -in "MyCA" -is my -ir localMachine TestPublicCert.cer
Take this cer file and install it on the client machine in the Trusted People store
Recap
Create a CA cert (or use the one you already have if you purchased one)
From the CA export a .pfx file that is password protected (Private Cert)
Create a Public Cert from the CA cert (Public Cert)
Then
Install the CA's CA.cer into the Trusted Root Certification Authorities store on Client and Server
Install the Private.pfx file into the Personal store of the server
Install the Public.cer into the trusted people store of the client
Ready to go.
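As an added example (not part of the original answer), the piece that addresses the question's actual concern: install the client's .pfx so that the private key is non-exportable, then prove that the normal export path is closed. Import-PfxCertificate without -Exportable clears the export flag on import; with makecert the same effect comes from leaving out -pe when the certificate is created directly in the store. The paths, password variable and function names are my assumptions; run it elevated for the LocalMachine store.

```powershell
# Added example, not from the original answer: install the client certificate with
# a non-exportable private key, then prove that the normal export path is closed.
# Paths, store and password are assumptions; run elevated for the LocalMachine store.
function Install-ClientCertificateNonExportable {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    # No -Exportable switch: the key is stored with the export flag cleared, so
    # certmgr, certutil and Export-PfxCertificate refuse to export it afterwards.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $secure
}

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # Export() throws a CryptographicException when the key is non-exportable.
        $null = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return $true
    } catch {
        return $false
    }
}

# Usage: the .pfx name follows the answer above; the password comes from a variable.
$cert = Install-ClientCertificateNonExportable -PfxPath 'C:\certs\NamePrivateKeyCert.pfx' `
    -Password $env:PFX_PASSWORD
if (Test-PrivateKeyExportable -Cert $cert) {
    Write-Warning "Private key of $($cert.Thumbprint) is exportable; re-import it without the exportable flag."
} else {
    "Private key of $($cert.Thumbprint) is non-exportable."
}
```

The non-exportable flag stops the export wizard and the APIs, not a local administrator with access to the key container; it raises the bar for a casual copy to another machine, and a key generated in hardware (a smart card or TPM-backed provider) is the stronger control when that matters.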