I am trying to import a certificate into my "Local computer" account under "Personal" certificate store.
Though when running one of the below 2 commands, the certificate is imported into a new certificate store called also Personal.
First command:
Import-Certificate -FilePath "C:\Users\myUser\Desktop\LabCert.cer" -CertStoreLocation 'Cert:\LocalMachine\Personal' -Verbose
Second command:
CertUtil -v -addstore "Personal" "C:\Users\myUser\Desktop\LabCert.cer"
Can someone please advise how can I import my certificate into the original Personal store?
Thanks
Related
I am hosting two windows containers from a Windows 2019 servers and both are running in https. When my Web URL container tried to make a call to the API container. It didn't work and when I got inside the Web container and run the curl command to my API web site and I received the following error.
(77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
I am trying to find out how to import the root certificate to my aspnet:3.0 base image.
This is what I did to get certificates working in my docker container. I import the root certificate as well as the certificate for the application, so take the parts you need.
On your host put the certificates (pfx) into a directory and mount it within the container. I will assume you have mounted them on 'C:\certificates' in the container.
I pass the certificates as environmental variables so the script can pick them up.
Add this script to run when the container starts up:
Import-Module WebAdministration
$webCertificatePath = $ENV:WEB_CERTIFICATE_PATH
$webCertificatePassword = $ENV:WEB_CERTIFICATE_PASSWORD
$rootCertificatePaths = $ENV:ROOT_CERTIFICATE_PATHS
# I don't do anything with this... yet
$intermediateCertificatePaths = $ENV:INTERMEDIATE_CERTIFICATE_PATHS
# Import Root Certificate
# You can stop here if you only want the Root Certificate installed.
Import-Certificate -FilePath $rootCertificatePaths -CertStoreLocation 'Cert:\\LocalMachine\Root'
# Import website certificate
$mypwd = ConvertTo-SecureString -String $webCertificatePassword -Force -AsPlainText
$cert = Import-PfxCertificate -FilePath "$webCertificatePath" -Password $mypwd -CertStoreLocation 'Cert:\LocalMachine\My'
if (-not (Test-Path 'IIS:\SSLBindings\0.0.0.0!443')) {
$cert | New-Item 'IIS:\SSLBindings\0.0.0.0!443'
}
There are many ways to do this, but you get the idea.
How to extend the expiry date of windows app certificate? We're side loading the app/ The main obstacle is the certificate expires every year which is a bothersome to renew it through GP cause we already have issues in our environment. We would like to extend it for at least 5 years.
I have managed to find technet articles on how to create a code signing certificate but it didnt work. Visual studio doesnt accept the certificate and gives an error message that it is corrupted or invalid.
https://learn.microsoft.com/en-us/windows/uwp/packaging/create-certificate-package-signing#create-a-self-signed-certificate
https://technet.microsoft.com/itpro/powershell/windows/pki/new-selfsignedcertificate
Is there any way to do it easily?
You could do something like this, the subject must be same as UWP app's Publisher (package.appxmanifest):
New-SelfSignedCertificate -Type Custom -Subject "CN=Something" -TextExtension #("2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -KeyUsage DigitalSignature -FriendlyName "Friendly Name" -CertStoreLocation "Cert:\LocalMachine\My" -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(5)
Now export to .pfx and add the thumbprint to the PackageCertificateThumbprint
The process is described in Microsoft documentation, but it is convoluted. There is no "visual" part as "Visual Studio" would suggest.
To sideload an application, it is sufficient to create a self-signed certificate, which means that you trust yourself. There is no trust from a CA (certification authority) involved.
These steps worked for me. The whole process being in PowerShell run as administrator.
Create the certificate
New-SelfSignedCertificate -Type Custom -Subject "CN=Company Name, O=Company Name Inc., C=CA" -KeyUsage DigitalSignature -FriendlyName "Programming certificate, 50 years" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(50)
The -Subject item may contain only the CN= part, I believe the other bits are optional. O= seems to refer to the organization and C= the country code.
The -CertStoreLocation and -TextExtension are correct as written (see the documentation). I am not too familiar with what -CertStoreLocation really means, as I was not able to find it later, but that is what Microsoft suggests and remains irrelevant to the process.
The (Get-Date) bits get the current date, and .AddYears(50) would be modified to how many years the certificate should last.
The output will display the thumbprint; copy it.
Export the certificate
Set a password variable (confusingly, the password here is written without quotes).
$password = ConvertTo-SecureString -String CustomPasswordYouWouldChoose -Force -AsPlainText
Export the certificate; paste the thumbprint in the "Cert:\CurrentUser\My..." string and choose a file path (in my case, using the C:\ drive worked fine).
Export-PfxCertificate -cert "Cert:\CurrentUser\My\YOURTHUMBPRINTHERE" -FilePath C:\ProgrammingCertificate.pfx -Password $password
Add the certificate in Visual Studio
Go to Package.appxmanifest > Packaging > Choose Certificate... > Select from file... > then select your exported certificate.
Install the certificate on sideload deployment
Double-click the certificate file > Install Certificate... > Local Machine > Place all certificates in the following store > Browse > Trusted People > accept all and the import should be successful. Congratulations, the application is now certified by yourself.
I'm trying to use SignTool.exe to code sign an executable with a certificate installed into the Windows certificate store. I'm able to get it to work by installing the cert into the Local Machine/Personal section and then running as an administrator, but I can't seem to work out the right place where the certificate needs to be installed to run as the current user.
I've installed the cert into Current User/Personal and when I do:
Get-ChildItem -Path Cert:\CurrentUser\My
the certificate is in the list. But when I try sign with:
& "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\signtool.exe"
sign /v /n "West Wind Technologies"
/s MY
/tr "http://timestamp.digicert.com" /td SHA256 /fd SHA256
".\Builds\CurrentRelease\MarkdownMonsterSetup.exe"
running as a non-admin user it doesn't work. I get:
SignTool Error: No certificates were found that met all the given criteria.
If I add the /sm flag and run run as an administrator and have it in the personal store - it works.
Where do I have to put the certificate in the cert store to get it to run without administrator rights?
For the current user you can use Certmgr to import it to the Personal folder.
I use the signtool /n option.
A bit more difficult is when you use signtool in a automated environment as (if your security is setup correctly) the build agent is running under limited service account. An option could be to use a file then.
I want to import a pfx using cmd. I am using certutils for that. But I am getting a prompt asking to trust the certificate. I want to automatize import so I want to skip the warning prompt. How can I accomplish that?
I am using command
certutil -f -user -p PASSWORD -importpfx c:\cert.pfx
The reason you got a prompt dialog is that you are trying to add a "CA certificate" into the "Trusted Root Certification Authorities" store. In fact, when you use "certutil -f -user -p PASSWORD -importpfx c:\cert.pfx" to import a PFX certificate, two actions happen:
Add a personal certificate(which includes the private key) into the "Personal" store.
Add a CA certificate into the "Trusted Root Certification Authorities" store.
It is the second action that cause the UAC to prompt a warning dialog, since you are trying to add one CA certificate into the "Trusted Root Certification Authorities" store and this means that any web host that holds this certicate will be trusted in the future, this is a very important action and should be treated very discreetly by the user, shouldn't it? So the UAC will warn the user to comfirm this action.
There is only one way to suppress the warning dialog, that is "you don't add the CA certificate into the "Trusted Root Certification Authorities" store by doing so:
certutil -f -user -p PASSWORD -importpfx c:\cert.pfx NoRoot
Add personal certificate into "Personal" store will not prompt any warning dialog. However, by this way, the web host that holds the CA certificate will not be trusted any more and this can be very frustrating if you use HTTPS to access the web host.
I'm trying to automate the weekly download of a text file from an https site with a ps1 script. My simple attempts to connect look like this -
Start-BitsTransfer `
-source https://url.com/file `
-destination d:\test.txt
I get the error "The certificate authority is invalid or incorrect". Is there a way to override this CA check?
This Powershell (3.0) script is running on Windows Server 2008R2 and the https://url.com/ SSL cert is issued by Entrust CA. I've tried to add Entrust as a "Trusted Root Certificate Authority" to the "Certificate Store" through IE8. No joy.
This really racked my brain for quite some time. I finally figured out you need to enter the number in decimal not in binary or hex.
C:>bitsadmin /SetSecurityFlags myJob 8
The 8 will make the "Ignore invalid certificate authority in server certificate :true"
http://technet.microsoft.com/en-us/library/cc753211(v=ws.10).aspx
C:\>bitsadmin /SetSecurityFlags myJob 0x011110
I believe I needed to update my Root CA list on the server with a MS Security Update.
And bitstransfer can not override a CA check.