When using powershell to investigate the Certificate Provider i noticed that all the paths seem similar but not the same as the folder structure within certmgr. It seems pretty clear that:
Certs:\LocalMachine ~= Certificates (Local Computer)
Certs:\CurrentUser ~= Certificates - Current User
I'm also guessing that:
Root ~= Trusted Root Certification Authority
My ~= Personal
WebHosting ~= WebHosting
...
But i have been unable to find any sort of official reference (or even sensible explanation) to give me the warm fuzzy I'm looking for...
My intent is to test an https WCF service locally (both server and client side). I can easily generate the self signed certificate needed by the server using New-SelfSignedCertificate. However, if I try to point my client (also .NET) at the service it fails to connect given that the service serves up a non-trusted certificate.
I have found various out-dated references (like this one), showing how I could use a combination of makecert (now deprecated), and certmgr to generate a certificate authority, then use it to sign the cert for my https service, then install the certificate authority cert into Trusted Root Certification Authority container to get everything working. While this approach would likely work, it is certainly not developer/automation friendly.
That said, I was able to use powershell to do this:
$my_cert_store_location = "Cert:\LocalMachine\My"
$root_cert_store_location = "Cert:\LocalMachine\Root"
$root_friendly_name = "Test Root Authority"
$root_cert_subject = "CN=$($root_friendly_name)"
# The ip and port you want to reserve for your app
$ipport = "127.0.0.11:8734"
# Your app guid (found in ApplicationInfo.cs)
$appid = "{f77c65bd-d592-4a7b-ae32-cab24130fdf6}"
# Your dns name
$dns_name = "my-machine-local"
$rebuild_root_cert = $false
$root_cert = Get-ChildItem $my_cert_store_location |
Where-Object {$_.SubjectName.Name.Equals($root_cert_subject)}
if ($root_cert -and $rebuild_root_cert)
{
Get-ChildItem $root_cert_store_location |
Where-Object {$_.SubjectName.Name.Equals($root_cert_subject)} |
Remove-Item
Remove-Item $root_cert
$root_cert = $false
}
if (-not $root_cert)
{
$root_cert = New-SelfSignedCertificate `
-Type Custom `
-FriendlyName $root_friendly_name `
-HashAlgorithm sha384 `
-KeyAlgorithm RSA `
-KeyLength 4096 `
-Subject $root_cert_subject `
-KeyUsage DigitalSignature, CertSign `
-NotAfter (Get-Date).AddYears(20) `
-CertStoreLocation $my_cert_store_location
Write-Output "Created root cert: $($root_cert.Thumbprint)"
$exported_cert = New-TemporaryFile
Export-Certificate -Cert $root_cert -FilePath $exported_cert.FullName
$imported_root_cert = Import-Certificate -FilePath $exported_cert.FullName `
-CertStoreLocation $root_cert_store_location
Write-Output "Imported root cert to: $($root_cert_store_location)\$($imported_root_cert.Thumbprint)"
}
Write-Output "Root cert is: $($root_cert.Thumbprint)"
$test_signed_cert_subject = "CN=$($dns_name)"
$test_signed_cert = Get-ChildItem $my_cert_store_location |
Where-Object {$_.SubjectName.Name.Equals($test_signed_cert_subject)}
if (-not $test_signed_cert)
{
$test_signed_cert = New-SelfSignedCertificate `
-Type Custom `
-Subject $test_signed_cert_subject `
-FriendlyName $dns_name `
-Signer $root_cert `
-CertStoreLocation $my_cert_store_location
Write-Output "Created signed cert: $($test_signed_cert.Thumbprint)"
}
Write-Output "Signed cert is: $($test_signed_cert.Thumbprint)"
if ($test_signed_cert)
{
netsh http delete sslcert `
ipport="$($ipport)"
netsh http add sslcert `
ipport="$($ipport)" `
appid="$($appid)" `
certstorename="My" `
certhash="$($test_signed_cert.Thumbprint)"
Write-Output "Assigned signed cert to: $($ipport)"
}
But the question still stands... Is there any information about how the certificate provider paths map to certmgr folders?
Here is the mapping between containers (in parentheses) and their description:
Personal (My) — This container is used to store certificates with private keys. When a certificate private key is used, the application looks to this container to find the appropriate certificate and associated private key.
Trusted Root Certification Authorities (ROOT) — This container contains trusted, self-signed certificates without private keys. Each certificate chain must chain up to a certificate presented in self-signed form. This self-signed certificate is the ‘root certificate’ or ‘trusted anchor.’ However, not all root certificates can be considered as trusted. You should carefully choose which new certificates you will consider as trusted.
Enterprise Trust (trust) — This container is used to store Certificate Trust Lists (CTL). For example, the Key Management Server adds its certificate to this container.
Intermediate Certification Authorities (CA) — This container keeps many different types of CA certificates. These certificates are usually used by the certificate chaining engine to build certificate chains.
Trusted Publishers (TrustedPublisher) — This container keeps explicitly trusted signing certificates. While the digital signature certificate chains up to the trusted root certification authority, many applications (such Microsoft Office and Windows PowerShell) are required to store a particular signing certificate in this container in order to trust signatures from that particular signer. This means that a digital signature-aware application can trust one signing certificate but not trust another signing certificate even if both certificates are issued by the same certification authority.
Untrusted Certificates (Disallowed) — This container keeps explicitly untrusted certificates. If you decide to not trust either a particular certificate or all certificates issued by a particular certification authority, just add these certificates to this container. By default, this container already contains two certificates. It is strongly recommended to NOT REMOVE them from the container. For additional info read the following article: http://support.microsoft.com/kb/293817.
Third-Party Root Certification Authorities (AuthRoot) — This certificate container is similar to the Trusted Root Certification Authorities. It keeps the certificates from the Microsoft Root Certificate Program. For more information about the Microsoft Root Certificate program, read the following article: http://support.microsoft.com/kb/931125.
Trusted People (TrustedPeople) — This container keeps certificates issued to people or end entities that are explicitly trusted. Most often, these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. To share an EFS–encrypted file with other parties, you must have their certificate in this store.
Certificate Enrollment Requests (REQUEST) — This container stores certificate enrollment requests until these requests are submitted to the certification authority. When a certification authority issues a certificate in response to a request, you need to install the certificate to this container using a special utility, such CertReq.exe. After that, the certificate enrollment request is transferred to the Personal (My) container as a certificate.
Smart Card Trusted Roots (SmartCardRoot) — This container is used to store trusted smart card certificates.
Other People (AddressBook) — This container maintains certificates that have been added to an Outlook contact.
Active Directory User Object (UserdDS) — This container is used to store certificates associated with a user object and published in Active Directory. The content of this container is equal to the certificates that are shown in the advanced view of the Active Directory Users and Computers console when the properties of a user object are viewed.
Related
I am testing a NPS server in Windows Server 2022, with PEAP (with certificates), the setup is:
Windows Server 2022 --> AD DS (test.lab), AD CS, NPS
Windows 10 --> Joined to domain
Certs in Windows Server 2022:
certs
NPS configuration:
nps_eap
Result:
test_connection
The connection is succesfull, but now, I am trying to revoke the certificate for reject the connection but I dont know how are following steps... I have tried to revoke the certificate with Certificate Authority, but doesn't work
To enable revocation check, please try the following:
Administrators must enable the RootCertificateNameToAccept parameter and set a registry key to enable functionality.
To enable CRL (Certification revocation List) for IKEv2 VPN connections,
Open a PowerShell window and below commands:
_$Thumbprint = ‘Root CA Certificate Thumbprint’_
_$RootCACert = (Get-ChildItem -Path cert:\LocalMachine\root | Where-Object {$_.Thumbprint -eq $Thumbprint})_
_Set-VpnAuthProtocol -RootCertificateNameToAccept $RootCACert -PassThru_
_New-ItemProperty -Path ‘HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\Ikev2\’ -Name CertAuthFlags -PropertyTYpe DWORD -Value ‘4’ -Force_
_Restart-Service RemoteAccess -PassThru_
Revoking certificates
The administrator must first revoke the certificate on the issuing CA.
Open a elevated command window and enter the below commands:
_certutil -urlcache * delete_
_certutil -setreg chain\ChainCacheResyncFiletime #now_
If the above solution doesn't work, please try the following steps:
Click start -> Administrative Tools -> Click Certification Authority -> Expand your CA -> Click the Issued Certificates folder -> Select issues certificates -> Click All Tasks -> click Revoke Certificate -> In the Certificate Revocation dialog box -> select Cease of Operation -> click OK
References :
certificate revocation | Richard M. Hicks Consulting, Inc. (richardhicks.com).
How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com).
How to extend the expiry date of windows app certificate? We're side loading the app/ The main obstacle is the certificate expires every year which is a bothersome to renew it through GP cause we already have issues in our environment. We would like to extend it for at least 5 years.
I have managed to find technet articles on how to create a code signing certificate but it didnt work. Visual studio doesnt accept the certificate and gives an error message that it is corrupted or invalid.
https://learn.microsoft.com/en-us/windows/uwp/packaging/create-certificate-package-signing#create-a-self-signed-certificate
https://technet.microsoft.com/itpro/powershell/windows/pki/new-selfsignedcertificate
Is there any way to do it easily?
You could do something like this, the subject must be same as UWP app's Publisher (package.appxmanifest):
New-SelfSignedCertificate -Type Custom -Subject "CN=Something" -TextExtension #("2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -KeyUsage DigitalSignature -FriendlyName "Friendly Name" -CertStoreLocation "Cert:\LocalMachine\My" -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(5)
Now export to .pfx and add the thumbprint to the PackageCertificateThumbprint
The process is described in Microsoft documentation, but it is convoluted. There is no "visual" part as "Visual Studio" would suggest.
To sideload an application, it is sufficient to create a self-signed certificate, which means that you trust yourself. There is no trust from a CA (certification authority) involved.
These steps worked for me. The whole process being in PowerShell run as administrator.
Create the certificate
New-SelfSignedCertificate -Type Custom -Subject "CN=Company Name, O=Company Name Inc., C=CA" -KeyUsage DigitalSignature -FriendlyName "Programming certificate, 50 years" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(50)
The -Subject item may contain only the CN= part, I believe the other bits are optional. O= seems to refer to the organization and C= the country code.
The -CertStoreLocation and -TextExtension are correct as written (see the documentation). I am not too familiar with what -CertStoreLocation really means, as I was not able to find it later, but that is what Microsoft suggests and remains irrelevant to the process.
The (Get-Date) bits get the current date, and .AddYears(50) would be modified to how many years the certificate should last.
The output will display the thumbprint; copy it.
Export the certificate
Set a password variable (confusingly, the password here is written without quotes).
$password = ConvertTo-SecureString -String CustomPasswordYouWouldChoose -Force -AsPlainText
Export the certificate; paste the thumbprint in the "Cert:\CurrentUser\My..." string and choose a file path (in my case, using the C:\ drive worked fine).
Export-PfxCertificate -cert "Cert:\CurrentUser\My\YOURTHUMBPRINTHERE" -FilePath C:\ProgrammingCertificate.pfx -Password $password
Add the certificate in Visual Studio
Go to Package.appxmanifest > Packaging > Choose Certificate... > Select from file... > then select your exported certificate.
Install the certificate on sideload deployment
Double-click the certificate file > Install Certificate... > Local Machine > Place all certificates in the following store > Browse > Trusted People > accept all and the import should be successful. Congratulations, the application is now certified by yourself.
I want to import a pfx using cmd. I am using certutils for that. But I am getting a prompt asking to trust the certificate. I want to automatize import so I want to skip the warning prompt. How can I accomplish that?
I am using command
certutil -f -user -p PASSWORD -importpfx c:\cert.pfx
The reason you got a prompt dialog is that you are trying to add a "CA certificate" into the "Trusted Root Certification Authorities" store. In fact, when you use "certutil -f -user -p PASSWORD -importpfx c:\cert.pfx" to import a PFX certificate, two actions happen:
Add a personal certificate(which includes the private key) into the "Personal" store.
Add a CA certificate into the "Trusted Root Certification Authorities" store.
It is the second action that cause the UAC to prompt a warning dialog, since you are trying to add one CA certificate into the "Trusted Root Certification Authorities" store and this means that any web host that holds this certicate will be trusted in the future, this is a very important action and should be treated very discreetly by the user, shouldn't it? So the UAC will warn the user to comfirm this action.
There is only one way to suppress the warning dialog, that is "you don't add the CA certificate into the "Trusted Root Certification Authorities" store by doing so:
certutil -f -user -p PASSWORD -importpfx c:\cert.pfx NoRoot
Add personal certificate into "Personal" store will not prompt any warning dialog. However, by this way, the web host that holds the CA certificate will not be trusted any more and this can be very frustrating if you use HTTPS to access the web host.
I'm trying to automate the weekly download of a text file from an https site with a ps1 script. My simple attempts to connect look like this -
Start-BitsTransfer `
-source https://url.com/file `
-destination d:\test.txt
I get the error "The certificate authority is invalid or incorrect". Is there a way to override this CA check?
This Powershell (3.0) script is running on Windows Server 2008R2 and the https://url.com/ SSL cert is issued by Entrust CA. I've tried to add Entrust as a "Trusted Root Certificate Authority" to the "Certificate Store" through IE8. No joy.
This really racked my brain for quite some time. I finally figured out you need to enter the number in decimal not in binary or hex.
C:>bitsadmin /SetSecurityFlags myJob 8
The 8 will make the "Ignore invalid certificate authority in server certificate :true"
http://technet.microsoft.com/en-us/library/cc753211(v=ws.10).aspx
C:\>bitsadmin /SetSecurityFlags myJob 0x011110
I believe I needed to update my Root CA list on the server with a MS Security Update.
And bitstransfer can not override a CA check.
I have a c# program and part of it creates a self-signed certificate.
The problem is when i try to import the certificate in MMC it says "This certificate has an invalid digital signature."
And when i try to add this certificate through command prompt using netsh http add it says:
SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
I've tried all suggestions from other questions similar to this but to no luck.
I've also tried downloading Hotfix from Microsoft but it didnt work.
By the way, my machine is running in Windows7-64bit.
I ran into an answer here The basic issue is that DC authority cert creators get sloppy and create multiple certs for the same DC cert authority. I had my self-signed cert created using latest and grates DC cert authority certificate. I had to export and install both root cert and a self signed cert on my destination machine for it to recognize self signed cert used on the server. But the root cert I exported was a cert with the same name but different dates. Once I located the proper root cert and installed it on my destination computer everything worked flawlessly.
In my case it was due to an old self signed certificate with a small key length.
I found the solution here - https://security.stackexchange.com/a/82606/26742 to reduce the security (only in my dev environment)
certutil -setreg chain\minRSAPubKeyBitLength 512