Hello S-1-1-0, PowerShell Crypto Guy still here, and today we will talk about the following subject. Sometimes you have to use 3rd party applications or tools for certificate request generation. Some of them use the Windows certificate store to hold the request and the corresponding private key, but others generate a request file and a separate file containing the unencrypted private key. Common examples are the makecert.exe and openssl.exe tools. These applications create a request file (mostly with a .CSR or .REQ extension) and a private key file (mostly with a .KEY or .PVK extension) for compatibility with UNIX-like systems. Once the certificate request is signed, you get a standard X.509 certificate file.

The problem occurs when you try to import this certificate into the Windows certificate store. Obviously it will be imported without the private key, because the Certificate Import Wizard knows nothing about the separate private key file. There are at least 3 tools that can join (or convert) these files into a single PKCS#12/PFX file:

The following syntax is used for OpenSSL:

OpenSSL.exe pkcs12 -export -in certfile.cer -inkey certfile.key -out certfile.pfx

There is also an online (web-based) version of the OpenSSL tool (note that using it means uploading your private key to a third-party site): https://www.sslshopper.com/ssl-converter.html

The following syntax is used for certutil:

certutil -MergePFX certfile.cer certfile.pfx

Since there is no way to specify the private key file for the -MergePFX parameter, the following requirements must be met:

  • the private key file MUST have the .KEY extension;
  • the certificate and private key files MUST have the same base file name (file name excluding extension);
  • the certificate and private key files must be placed in the same directory.

The following syntax is used for pvk2pfx:

pvk2pfx -pvk certfile.pvk -spc certfile.cer -out certfile.pfx

And the last thing I want to mention here: unfortunately there is no universal tool for all cases. It really depends on the application that was used to generate the key file. For example, a key file created by OpenSSL is not compatible with certutil or pvk2pfx, a key created by makecert is compatible with pvk2pfx only, and so on.
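As an added example that is not part of the original post, the same merge can be done from PowerShell 7 (.NET 5 or later) without openssl, certutil or pvk2pfx: it accepts a PEM key such as OpenSSL writes, refuses a makecert PVK key (which still needs pvk2pfx), and rejects a key that does not belong to the certificate before writing the PFX. The file names, the PFX password and the function name are placeholders chosen for this example.

```powershell
# Added example, not from the original post: merge a certificate with its separate,
# unencrypted PEM private key into a PFX using .NET only (PowerShell 7 / .NET 5+).
function Merge-CertificateAndKey {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword
    )
    $keyBytes = [System.IO.File]::ReadAllBytes($KeyPath)
    # A makecert .pvk starts with the PVK magic 0xB0B5F11E (little-endian on disk);
    # it is not PEM, so that case still needs pvk2pfx as described in the post.
    if ($keyBytes.Length -ge 4 -and $keyBytes[0] -eq 0x1E -and $keyBytes[1] -eq 0xF1 -and
        $keyBytes[2] -eq 0xB5 -and $keyBytes[3] -eq 0xB0) {
        throw "$KeyPath is a PVK file; merge it with pvk2pfx instead."
    }
    $keyText = [System.Text.Encoding]::ASCII.GetString($keyBytes)
    if ($keyText -notmatch '-----BEGIN (RSA |EC )?PRIVATE KEY-----') {
        throw "$KeyPath is not an unencrypted PEM private key."
    }
    # A .cer may be DER rather than PEM; CreateFromPemFile needs PEM, so wrap DER.
    $certBytes = [System.IO.File]::ReadAllBytes($CertPath)
    $head = [System.Text.Encoding]::ASCII.GetString($certBytes, 0, [Math]::Min(10, $certBytes.Length))
    $certFile = $CertPath
    if ($head -ne '-----BEGIN') {
        $certFile = [System.IO.Path]::GetTempFileName()
        $pem = "-----BEGIN CERTIFICATE-----`n" +
               [Convert]::ToBase64String($certBytes, 'InsertLineBreaks') +
               "`n-----END CERTIFICATE-----`n"
        [System.IO.File]::WriteAllText($certFile, $pem)
    }
    try {
        # Throws when the key does not belong to the certificate, so a wrong key
        # file is rejected here instead of silently producing a useless PFX.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($certFile, $KeyPath)
    } finally {
        if ($certFile -ne $CertPath) { Remove-Item $certFile -ErrorAction SilentlyContinue }
    }
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
    [System.IO.File]::WriteAllBytes($PfxPath, $pfx)
    # Reload the PFX to confirm that it really carries the private key.
    $check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
    return $check.HasPrivateKey
}

# Placeholder names matching the post; absolute paths, since .NET file APIs ignore PowerShell's location.
Merge-CertificateAndKey -CertPath "$PWD\certfile.cer" -KeyPath "$PWD\certfile.key" -PfxPath "$PWD\certfile.pfx" -PfxPassword 'change-me'
```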
