How to Import a Certificate from Windows into Firefox - firefox

I need to script the export of a cert from our Windows store into Firefox. I am having trouble getting the cert into the correct "container". The certificate, as generated from a command line as well, is a .pfx file with a password. I can manually import the cert into Firefox under the "Your Certificates" tab of the Certificate Manager. However, when I run the command line, it dumps the cert under the tab labeled "Others" and the website we're trying to access either can't find the cert there or there's a problem with the import itself.
My first couple of attempts failed with errors, but following up on them I found a site that suggested I convert the .pfx file to a .pem file. I followed those instructions and the command line now runs without error. The other thing to note here is using the GUI, I cannot import the .PEM file, but I can import the .PFX file.
Assuming that the .pem file is encoded and formatted correctly, how can I get this line of code to put the cert into the right container?
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.pem
(I added the '-f' argument in case it's needed to import the password-protected file. I've run this both with and without it and got the same results.)
I also exported the cert in a .cer format.
Here are some other attempts and results:
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.pfx
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.cer
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
(Although, dropping the '-a' argument allowed this command to complete without error.)
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -f pword.txt -i CertEric.pfx
certutil: could not obtain certificate from file: security library: invalid arguments.
(This one uses the .pfx file and drops the '-a' argument)
Any ideas? Thanks for your time.
Eric

I just posted a solution to StackOverflow that you might find helpful.
Our certificates are in .cer format and work fine
Programmatically Install Certificate into Mozilla
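Added example, not part of the original posts: a small Python check that identifies which encoding a file actually uses, which is what decides between the certutil errors quoted in the question. NSS certutil -A adds a certificate only (PEM with -a, DER without), while a .pfx is a PKCS#12 bundle that NSS imports, private key included, with its separate pk12util tool. The function names and sample bytes are constructed for illustration.

```python
import re

# Matches any PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def _after_outer_sequence(der: bytes):
    """Return the bytes following the outer SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = ASN.1 SEQUENCE
        return None
    n = der[1]
    skip = 2 if n < 0x80 else 2 + (n & 0x7F)    # short- or long-form length
    return der[skip:] or None

def classify(data: bytes) -> str:
    """Heuristic: look only at PEM labels or the first DER element."""
    labels = [m.group(1).decode() for m in PEM_RE.finditer(data)]
    if labels:
        return "x509-pem" if "CERTIFICATE" in labels else "pem-without-cert"
    inner = _after_outer_sequence(data)
    if inner is None:
        return "unknown"
    if inner[:3] == b"\x02\x01\x03":            # INTEGER 3: PKCS#12 PFX version
        return "pkcs12"
    if inner[0] == 0x30:                        # nested SEQUENCE: tbsCertificate
        return "x509-der"
    return "unknown"

ADVICE = {
    "x509-pem": "certutil -A ... -a -i FILE (adds the certificate only, no key)",
    "x509-der": "certutil -A ... -i FILE, without -a (certificate only, no key)",
    "pkcs12": "pk12util -i FILE -d DBDIR (certutil -A cannot read PKCS#12)",
}

def advise(data: bytes):
    kind = classify(data)
    return kind, ADVICE.get(kind, "not a certificate or PKCS#12 file; re-export")

# Constructed header bytes and a constructed PEM stub, not real certificates.
SAMPLES = {
    "CertEric.cer": bytes.fromhex("308203a53082028da003020102"),
    "CertEric.pfx": bytes.fromhex("30820a1f0201033082"),
    "CertEric.pem": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, *advise(blob), sep=" | ")
```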

Related

Set imported certificate to always be trusted in Mac OS X

I have generated a certificate in pfx format in Mac os X and imported it into system keychain using:
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
The problem is that all trusts are set to no value specified.
How can I set trust for code signing to Always trust using the command line?
Here's what worked for me, it's very close to that traveling beard's answer. I'm using trustAsRoot instead of trustRoot.
With this change, in the Keychain Viewer, my cert now has "Always Trust" set. When I used trustRoot, the cert is added but with "Use System Default" set and the system default is to Never Trust.
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain <certfile>
NOTE: The sudo will prompt for a password on the command line and the GUI will also prompt.
Nice, now I can import a dev cert on the command line with only a sudo passwd and not have to open that GUI!!
The -p option may be what you need. It can be specified more than once for each of the settings. I wish I knew how to deny one specific item while trusting another all in the same line.
sudo security add-trusted-cert -d -r trustRoot -p [option] -k /Library/Keychains/System.keychain <certificate>
-p options are ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, timestamping, eap

Getting an error when signing Firefox extensions

After downloading the Firefox signing packages from the Mozilla web site, I'm using this link to sign extensions.
After setting the path, I'm trying to use this command:
certutil -N -d .
to create a test certificate, but I get this error:
C:\Firefoxdevelopment>certutil -N -d .
CertUtil: Unknown arg: -N
CertUtil -? -- Display a verb list (command list
CertUtil -dump -? -- Display help text for the "dump"
CertUtil -v -? -- Display all help text for all ver
After that I'm trying to use the code below:
signtool -G myTestCert -d . -p"password"
I get this alert error dialog
Your path is executing the Microsoft version of certutil
C:\Windows\System32\certutil.exe
You need NSS and NSPR, which include the correct version of certutil and signtool.

makecert error: Can't access the key of the subject

I have a PowerShell script that I want to run on 2 different stand-alone machines. On Windows 8.1 with the SDK installed, I issue the command:
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
and I get back:
Error: Can't access the key of the subject ('CA.pvk')
Failed
CA.pvk gets created, but not CA.cer
Any ideas?
Thanks in advance, Geoff
Several confusing and unhelpful password prompts should pop up after running this command.
I got the same error message when I entered a different password in the second prompt to the one I had entered in the first.
Entering the same password in both the first and second pop-up screens got me past this.

Where does the client certificate get stored?

I want to create a client certificate and I am running below command in Visual Studio Command prompt.
The below command runs successfully but I don't know the certificate location.
Where does it get stored?
makecert -r -pe -n "CN=XYZ Company" -b 01/01/2013 -e 01/01/2014 -sky exchange -ss my
Using the parameter -ss my, you are explicitly stating that the cert should be saved into your personal certificate storage for your Windows account.
Open certmgr.msc (via execute on start menu) and look into your certificate store.

makecert gives "Fail to acquire a security provider from the issuer's certificate" - why?

Dear ladies and sirs.
Observe this simple batch file:
makecert -n "CN=MyCA" -sr localmachine -ss root -a sha1 -cy authority -r -sv MyCA.pvk MyCA.cer
del MyCA.pvk
del MyCA.cer
makecert -n "CN=il-mark-lt" -sr localmachine -ss my -cy end -pe -sky exchange -a sha1 -is root -ir localmachine -in MyCA
However, the last makecert fails with the following error message:
Error: Fail to acquire a security provider from the issuer's certificate
How do I troubleshoot it? Any ideas? BTW, the first makecert succeeds. Of course, I delete it again, before running the commands again.
Thanks.
EDIT1
I understood the reasons for the failure. The second command expects the file MyCA.pvk to exist, but I do not want to keep it around. So, what can I do?
Just leave out the -sv MyCA.pvk part. It should still generate a private key and store it normally and not as a pvk file and it should be found by makecert ... -in MyCA.
I was getting this error because I didn't start the command line with Admin privileges.
I guess the error is something of a misnomer in this case.
The problem is the first command: you are creating a self-signed certificate and adding it to the Trusted Root store of the Local Machine account (but you probably know that). But you're also creating files for the public and private keys for the certificate, the .pvk and .cer files.
The second command is creating another certificate, this time not a self-signed one but one signed by the first certificate. In order to sign a certificate you need both the public and the private key of the issuer (CN=MyCA). You are instructing makecert to look for the issuer public key in the Local Machine Trusted Root Certificate store, and that's fine, but you don't have the private key anymore, since MyCA.pvk was deleted.
If you don't specify file names for the private and public keys on the first command, i.e. do not include the -sv MyCA.pvk parameter and MyCA.cer, both the public and private keys will be added to the store. That means there will be no need to delete files because they won't be generated.
Also, if you open a management console (press [WIN]+[R], type mmc [Return], go to File -> Add/Remove Snap in -> Select "Certificates" -> "Add" -> "Computer Account") and then navigate the tree to Trusted Root Certificates\Certificates, you will find MyCA in the left pane. You'll notice a small key on the icon, and if you double click the certificate, a message at the bottom of the General tab properties will state "You have a private key that corresponds to this certificate". That means you can use that certificate to sign a new one, like you're trying to do with the second command.
