no certificate available when enrolling on behalf - windows

I have one Windows Server 2008 domain controller with a CA server on it.
I log in with the Administrator account and want to request a certificate "on behalf" of a user of my DC.
To do that, I first duplicated these certificate templates:
- smart login
- smart user
- enrollment agent
I changed the configuration and permissions of the new templates so that the Administrator account can read, write and enroll for them.
After creating these new templates and assigning permissions and configuration, from the MMC Certificates snap-in (user account certificates, "Personal" section) we requested a new certificate for the Administrator account to make it an enrollment agent, as shown below:
It was generated with no problem, and we then want to request a certificate on behalf of a user with this new certificate. But in "Select enrollment agent certificate", when we click the "Browse" button, there is no certificate to select, as shown below:
There is no certificate available to choose.
I have read a lot of documents online but did not find the cause of this problem!

You need an enrollment agent certificate in the local user store (certmgr.msc) or machine store (certlm.msc) to request on behalf of another user. This is controlled by the signature count on the template.
If the signature count is not 0 you cannot enroll, because you first need an enrollment agent certificate...
1. Set the signature count on the enrollment agent certificate template to 0.
2. Enroll an enrollment agent certificate; the dialog will not pop up.
3. Set the signature count on another certificate template to 1.
4. Enroll a certificate based on the template in step 3. The dialog will pop up. Select the certificate enrolled in step 2. Done.
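As an added diagnostic (not part of either answer above), this PowerShell script checks the two preconditions the answer describes: the required signature count stored on each template (the msPKI-RA-Signature attribute in AD) and whether the current user actually holds a usable Certificate Request Agent certificate. The template names are placeholders and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not the original poster's or answerer's code.
# Run as the user who will do the on-behalf-of enrollment, on a domain member.
Import-Module ActiveDirectory

$agentTemplate = 'EnrollmentAgentCopy'   # placeholder: your duplicated Enrollment Agent template
$userTemplate  = 'SmartcardUserCopy'     # placeholder: the template you enroll on behalf of

$configNC     = (Get-ADRootDSE).configurationNamingContext
$tplContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($name in $agentTemplate, $userTemplate) {
    $tpl = Get-ADObject -SearchBase $tplContainer -LDAPFilter "(cn=$name)" `
                        -Properties 'msPKI-RA-Signature'
    if (-not $tpl) { Write-Warning "template '$name' not found in $tplContainer"; continue }
    # msPKI-RA-Signature = number of enrollment agent signatures the CA demands.
    # The agent template itself must be 0, otherwise nobody can obtain the first agent cert.
    '{0,-25} required signatures: {1}' -f $name, $tpl.'msPKI-RA-Signature'
}

# The "Browse" dialog only lists certificates in the current user's Personal store
# that carry the Certificate Request Agent EKU, are valid, and have a private key.
$agentEku = '1.3.6.1.4.1.311.20.2.1'
$agents = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.ObjectId -contains $agentEku
}

if ($agents) {
    # Anyone holding one of these can request certificates for other users,
    # so this list should be short and every entry accounted for.
    $agents | Format-Table Subject, Thumbprint, NotAfter -AutoSize
} else {
    Write-Warning 'no usable enrollment agent certificate in CurrentUser\My'
}
```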

I have the same problem too (cannot choose an existing enrollment agent cert).
The solution (maybe):
Check access to the published CRL and/or refresh the CRL cache on your enrollment workstation.
From an elevated command line:
Delete the old cache: certutil -urlcache crl delete
Resync the CRL cache: certutil -setreg chain\ChainCacheResyncFiletime @now

Developer ID Application Certificate missing a child key in Keychain Access

I am trying to recreate a Developer ID Application certificate so I can sign my application. I had an existing certificate, but it's about to expire, so I am trying to generate a new one.
However, when I download a newly generated certificate from developer.apple.com, the imported certificate has no key as its child node in Keychain Access. The old certificate had this. When I attempt to use the certificate for code signing I receive something like:
/tmp/myapp.app/Contents/app/bin/myapp.exe: errSecInternalComponent
I am following the instructions to obtain a signed certificate using Certificate Assistant:
1. Ensuring nothing is selected in Keychain Access, click Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
2. I enter my email, accept the default Common Name and click "Saved to disk".
3. In developer.apple.com I click the "+" to create a new certificate.
4. I choose Developer ID Application.
5. I upload the CSR I saved above.
6. I download the .cer file that is generated.
7. I open the .cer file. This adds the certificate.
As you can see, the certificate does not have a private key inside it, unlike the old one:
Unfortunately I don't have the old certificate now, having deleted it in a fit of pique, but it looked like this:
... although in my case it had my private key.
I've noticed references to the claim that creating a CSR also creates a public/private key pair, but I cannot see these anywhere in Keychain Access.
Later, I did manage to import the certificate and it showed the private key. I think this was when I imported it into the same keychain as the one that contains a private key "Dan Gravell" - login. However, I have since tried replicating that and now the certificate is being imported without a key again.
Xcode appearance
I've discovered there's a little more information in Xcode. The certificate shows "Missing Private Key" next to it:
When I look this error up, the suggestions seem to be that the certificate has been given to a developer by some third party that didn't include the private key. However, in my case I am that third party who has created the CSR and received the certificate originally and I thought I had the private key, otherwise I wouldn't have been able to create the CSR in the first place. All these items appear to be in my keychain.
I (eventually) got a reply from Developer Program Support. They issued a new certificate, which I installed via Xcode this time. I documented my other steps here: https://stackoverflow.com/a/74210449/28190

Renew Apple Push Services certificate

The Apple Push Services certificate is about to expire in a few days.
To renew the certificate, a new certificate has to be requested, and then the current certificate can be revoked (or left to expire...). The new certificate then has to be uploaded to the service used to handle the notifications (in my case Firebase Messaging).
I have a hard time wrapping my head around who can update the certificates without breaking the push notifications and forcing the app to be updated.
Does the new certificate have to be requested by the same Apple ID as the current one? Or can any other maintainer with the role "Admin" or "App Manager" (https://appstoreconnect.apple.com/access/users) update it with their account?
Can the .CSR file from Apple Keychain be created by any Apple ID, or only by the Apple ID that created the original? Do I need the original .CSR from the current certificate?
The Apple ID of the requester does not really matter. As long as they belong to the same team on App Store Connect and have the necessary rights, they can do that. The fastest way is probably using a tool like https://docs.fastlane.tools/actions/pem/ or kind of the "web version" of that https://onesignal.com/provisionator

How to retrieve the private key of a user certificate?

I want to retrieve the private key of a user certificate under Windows.
I use the CertOpenSystemStore and CertEnumCertificatesInStore methods to retrieve the user certificate.
Then the CryptAcquireCertificatePrivateKey method to retrieve the private key, but there is a problem with the access rights.
Is this the right way to proceed?
The certificate of a user account is not stored in the computer store. If you need permissions on a key stored in the computer store, you need to:
1. run certlm.msc
2. navigate to the certificate
3. right click > "All Tasks" > "Manage Private Keys..."
4. set your desired permissions
If the certificate is in a user store, you must impersonate that user and access its personal store. In this case, you can export the key if the key is marked as exportable.
If the key is generated by a PKI, there is also the possibility that the key is available at the PKI, but this depends strongly on the configuration of the PKI.
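As an added example (not the poster's or the answerer's code), this PowerShell script does the machine-store part of the answer in a checkable way: it opens the private key behind a LocalMachine\My certificate, which fails with the same access-rights error CryptAcquireCertificatePrivateKey reports, locates the key container file, and lists its ACL, which is exactly what certlm.msc > Manage Private Keys edits. The thumbprint is a placeholder; the container paths assumed are the default CAPI and CNG machine-key locations. Run elevated.

```powershell
# Added example, not from the original thread. Inspect who may use a machine key.
param([string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT')   # placeholder value

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)                { throw "certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw 'certificate has no associated private key' }

try {
    # Opens the key through the provider; denied key permissions surface here.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    throw "cannot open private key (check key permissions): $($_.Exception.Message)"
}

$cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key: container file named after the key's unique name under ...\Crypto\Keys
    $keyFile = Join-Path $cryptoRoot ('Keys\' + $rsa.Key.UniqueName)
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # Legacy CAPI key: ...\Crypto\RSA\MachineKeys\<unique container name>
    $keyFile = Join-Path $cryptoRoot ('RSA\MachineKeys\' + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
} else {
    throw "unexpected key type $($rsa.GetType().FullName)"
}

if (-not (Test-Path $keyFile)) { throw "key container file not found at $keyFile" }
"Certificate:   $($cert.Subject)"
"Key container: $keyFile"
# The file ACL is the key permission set; a principal missing here cannot use the key.
(Get-Acl $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Keys in a user's store live under that user's profile instead, so, as the answer says, they have to be inspected in that user's context rather than from this machine-store path.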

Signing ClickOnce application with code signing certificate, but publisher still unknown

I have 2 code signing certificates; for both, the CSR was created the same way, and import and export were done the same way. The only difference I see is that the common name of one certificate contains quotes and the other doesn't.
e.g.
some cert
and
some "cert"
CSR creation:
- Request format PKCS #10
- disabled "Strong private key encryption"
- entered Common name, Organization, Locality, State, Country
- 2048 bytes for private key
- set private key exportable
Import:
- place all certificates in Personal store
Export:
- include all certificates if possible
- enable certificate privacy
- encryption algorithm TripleDES-SHA1
The misleading thing is that this common name value is NOT taken from the value I entered when I created the CSR.
I am using those certificates to sign WinForms applications in Visual Studio. The certificate without quotes in the common name is working correctly (i.e. when I install the application the user does not get a security warning about an unknown publisher), but when I install an application signed with the other code signing certificate (with quotes in the common name), it does not recognize the publisher. There is no error when publishing my application. When I look at the setup.exe properties in Windows Explorer, I see a Digital Signatures tab which contains a row for my certificate.
I tried to sign files with signtool and then verify; it said that the certificate is valid.
I tried to get help from godaddy.com, where I bought my certificate. They said that it should work with quotes too, but didn't offer help to solve the issue. Rekeying also didn't help.
I see that there are some suggestions to use Pre-Publish or Post-Build tasks, but I am not using those for my first certificate, which is working.
So, is anyone here using a code signing certificate for a WinForms application with a common name that has quotes in it? Or maybe someone knows about this problem and how to solve it?
I had to revoke my code signing certificate (the common name entered when creating the CSR is not taken into account, so rekeying is not enough!) and create it from scratch without quotes/brackets in the company name.
So this means you will have to wait a few days again, because the verification process is done from the start again. When you are contacted by the issuer, they will verify / ask you about the company name; make sure that they do not include quotes/brackets.
Revoking means that you will basically have to buy your certificate once more, because after you revoke it (at least in GoDaddy's case) you don't have an option in your account to create it again. So you have to contact support (use the call center and not chat ;)

Apple keychain private/public key issue

I accidentally deleted the private and public key pair of my certificate, but I can't find anything helpful to undo this or add them to my certificate again.
Actually the development certificate had expired, so I re-downloaded the new one.
Then I wanted to add the private/public key to my new certificate. And that's when it happened: I deleted it.
How can I get these back and attach them to my current certificate again?
I had this issue two days ago.
1. Open Keychain Access.
2. What you have to do is make backups of all your certificates and then delete all the private and public keys and certificates on your machine relevant to Apple.
3. Then in Keychain Access click on Keychain Access (menu bar) and in the menu select Certificate Assistant -> Request a Certificate from a Certificate Authority.
4. Enter your details and make sure "Saved to disk" and "Let me specify key pair information" are selected.
5. Save it.
6. On the next screen these values must be:
   Key Size: 2048 bits
   Algorithm: RSA
7. You then need to log into the Provisioning Portal on Apple's website and revoke all certificates there.
8. Then click Distribution, choose Add Certificate and select the file you created earlier.
9. You can then request all certificates again. Re-download all certificates; once you start opening the downloaded certificates, your new key pair and certificate will be in Keychain Access.
If you have any questions check out http://developer.apple.com/ios/manage/distribution/index.action