I want to create a client certificate and I am running the command below in the Visual Studio Command Prompt.
The command runs successfully, but I don't know the certificate location.
Where does it get stored?
makecert -r -pe -n "CN=XYZ Company" -b 01/01/2013 -e 01/01/2014 -sky exchange -ss my
Using the parameter -ss my, you are explicitly stating that the cert should be saved into your personal certificate storage for your Windows account.
Open certmgr.msc (via execute on start menu) and look into your certificate store.
I need to start "certmgr.msc" from "cmd.exe" on "localMachine" repository so that I can import\export certificates.
I have tried the following commands but the "certmgr.msc" keeps opening on "currentUser".
certmgr.msc -s -r localMachine root
mmc.exe certmgr.msc -s -r localMachine root
certmgr.msc -v -s -r localMachine my
This should do it
"C:\WINDOWS\SYSTEM32\MMC.EXE" "C:\WINDOWS\SYSTEM32\CERTLM.MSC"
Create a custom console by adding the Certificates snap-in and targeting it to the local computer. Then save this console to a .mmc file.
You can refer to this saved file on the command line. You can also distribute this custom console to other machines.
Below should start MMC console with both nodes CurrentUser & Local Computer
certificates.msc
mmc.exe certlm.msc -s -r localMachine root
It should work - Tested on win2012r2
I need to script the export of a cert from our Windows store into Firefox. I am having trouble getting the cert into the correct "container". The certificate, as generated from a command line as well, is a .pfx file with a password. I can manually import the cert into Firefox under the "Your Certificates" tab of the Certificate Manager. However, when I run the command line, it dumps the cert under the tab labeled "Others" and the website we're trying to access either can't find the cert there or there's a problem with the import itself.
My first couple of attempts failed with errors, but following up on them I found a site that suggested I convert the .pfx file to a .pem file. I followed those instructions and the command line now runs without error. The other thing to note here is using the GUI, I cannot import the .PEM file, but I can import the .PFX file.
Assuming that the .pem file is encoded and formatted correctly, how can I get this line of code to put the cert into the right container?
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.pem
(I added the '-f' argument in case it's needed to import the password-protected file. I've run this both with and without it and got the same results.)
I also exported the cert in a .cer format.
Here are some other attempts and results:
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.pfx
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -a -f pword.txt -i CertEric.cer
certutil: could not obtain certificate from file: security library: improperly formatted DER-encoded message.
(Although, dropping the '-a' argument allowed this command to complete without error.)
certutil -A -n "My Certificate" -d c:\temp\CertImport -t "CTu,," -u "c" -f pword.txt -i CertEric.pfx
certutil: could not obtain certificate from file: security library: invalid arguments.
(This one uses the .pfx file and drops the '-a' argument)
Any ideas? Thanks for your time.
Eric
I just posted a solution to StackOverflow that you might find helpful.
Our certificates are in .cer format and work fine
Programmatically Install Certificate into Mozilla
I have a powershell script that I want to run on 2 different stand-alone machines. On Windows 8.1 with the SDK installed, I issue the command:
makecert -r -pe -n "CN=My Root Authority" -ss CA -sr CurrentUser ^
-a sha1 -sky signature -cy authority -sv CA.pvk CA.cer
and I get back:
Error: Can't access the key of the subject ('CA.pvk')
Failed
CA.pvk gets created, but not CA.cer
Any ideas?
Thanks in advance, Geoff
Several confusing and unhelpful password prompts should pop up after running this command.
I got the same error message when I entered a different password in the second prompt from the one I had entered in the first.
Entering the same password in both the first and second pop-up screens got me past this.
I'm trying to use a windows XP batch file to automate importing .p12 certificates into what the MMC "Certificates" snap-in calls
Certificates (Local Computer) \Personal\Certificates
certmgr.msc might be the right tool for this purpose, but I have tried
a:\certmgr.msc /add /c /s /r localMachine a:\<certname>.p12
importpfx -f a:\certs\<certname>.* -p <cert pw> -t MACHINE -s My
And a few others without success. Usually, the MMC just opens with the certificates snap in. I've not seen any certs actually moved or imported anywhere as a result.
I've also tried the cert path\name without the environmental variable and wild card, but the certs I get may or may not simply be the workstation name.p12.
Any suggestions?
-Clay
The below code worked for me on Windows 8 and Windows Server 2012 R2.
I used the below command in my batch file:
certutil -f -sid 22 -p [Password1] -importpfx "My" "%~dp0\whatever.pfx" NoRoot
-sid WELL_KNOWN_SID_TYPE -- Numeric SID
22 -- "Local System", 23 -- "Network Service", 24 -- "Local Service"
Dear ladies and sirs.
Observe this simple batch file:
makecert -n "CN=MyCA" -sr localmachine -ss root -a sha1 -cy authority -r -sv MyCA.pvk MyCA.cer
del MyCA.pvk
del MyCA.cer
makecert -n "CN=il-mark-lt" -sr localmachine -ss my -cy end -pe -sky exchange -a sha1 -is root -ir localmachine -in MyCA
However, the last makecert fails with the following error message:
Error: Fail to acquire a security provider from the issuer's certificate
How do I troubleshoot it? Any ideas? BTW, the first makecert succeeds. Of course, I delete it again, before running the commands again.
Thanks.
EDIT1
I understood the reasons for the failure. The second command expects the file MyCA.pvk to exist, but I do not want to keep it around. So, what can I do?
Just leave out the -sv MyCA.pvk part. It should still generate a private key and store it normally and not as a pvk file and it should be found by makecert ... -in MyCA.
I was getting this error because I didn't start the command line with Admin privileges.
I guess the error is something of a misnomer in this case.
The problem is the first command, you are creating a self signed certificate and adding it to the Trusted Root store of the Local Machine account (but you probably know that). But you're also creating files for the public and private keys for the certificate, the .pvk and .cer files.
The second command is creating another certificate, this time not a self signed one but signed by the first certificate. In order to sign a certificate you need both the public and the private key of the issuer (CN=MyCA), you are instructing makecert to look for the issuer public key in the Local Machine Trusted Root Certificate store, that's fine, but you don't have the private key anymore, since MyCA.pvk was deleted.
If you don't specify file names for the private and public keys on the first command, i.e. do not include the -sv MyCA.pvk parameter and MyCA.cer, both the public and private keys will be added to the store. That means there will be no need to delete files because they won't be generated.
Also, if you open a management console (press [WIN]+[R], type mmc [Return], go to File -> Add/Remove Snap in -> Select "Certificates" -> "Add" -> "Computer Account") and then navigate the tree to Trusted Root Certificates\Certificates, you will find MyCA in the left pane. You'll notice a small key on the icon, and if you double click the certificate a message at the bottom of the General tab properties will state "You have a private key that corresponds to this certificate". That means you can use that certificate to sign a new one, like you're trying to do with the second command.
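The store locations named in the answers on this page (-ss my for the current user, -sr localmachine -ss root for the machine root store) and the private-key check described in the last answer can also be done from PowerShell. The following is an added example, not code from any of the posts; the function name Find-CertBySubject and its parameters are made up for illustration, and the subjects are the ones used in the commands above.

```powershell
# Added example: search the certificate stores mentioned on this page for a
# subject and report where each match lives and whether a private key is present.
# Find-CertBySubject is a hypothetical helper name, not a built-in cmdlet.
function Find-CertBySubject {
    param(
        [Parameter(Mandatory)] [string] $SubjectLike,
        [string[]] $Locations = @('CurrentUser', 'LocalMachine'),
        [string[]] $Stores    = @('My', 'Root', 'CA')
    )
    foreach ($loc in $Locations) {
        foreach ($store in $Stores) {
            $path = "Cert:\$loc\$store"
            if (-not (Test-Path $path)) { continue }   # store may not exist
            Get-ChildItem -Path $path |
                Where-Object { $_.Subject -like "*$SubjectLike*" } |
                ForEach-Object {
                    $notes = @()
                    # A trusted root whose private key sits on this host can
                    # sign certificates the machine will accept.
                    if ($store -eq 'Root' -and $_.HasPrivateKey) {
                        $notes += 'trusted root with private key on this host'
                    }
                    # makecert -a sha1 produces a SHA-1 signature.
                    if ($_.SignatureAlgorithm.FriendlyName -like 'sha1*') {
                        $notes += 'SHA-1 signature'
                    }
                    if ($_.NotAfter -lt (Get-Date)) { $notes += 'expired' }
                    [pscustomobject]@{
                        Store         = "$loc\$store"
                        Subject       = $_.Subject
                        Thumbprint    = $_.Thumbprint
                        HasPrivateKey = $_.HasPrivateKey
                        NotAfter      = $_.NotAfter
                        Notes         = $notes -join '; '
                    }
                }
        }
    }
}

# Subjects taken from the makecert commands quoted on this page.
Find-CertBySubject -SubjectLike 'CN=MyCA' | Format-Table -AutoSize
Find-CertBySubject -SubjectLike 'CN=XYZ Company' -Locations CurrentUser -Stores My
```

A certificate that shows HasPrivateKey = True under LocalMachine\Root can issue certificates this machine will trust, so on anything other than a development box it is worth deleting the test root once it is no longer needed.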