Solved

Generate Exportable Certificate from .PEM Request

Posted on 2014-07-28
3
864 Views
Last Modified: 2014-07-29
I have a certificate request from a colleague's Cisco Wireless LAN controller, in a .PEM format. I've been asked to generate a certificate from this request. As our CA in installed on our domain controller, we don't install the web server portion of the certificate authority, so I use certreq.exe to generate the certificate.

certreq -submit -attrib "CertificateTemplate:WebServer" certreq.pem certreq.cer

This generates a certificate correctly, which can be imported. However my colleague has requested that the key be marked as exportable. When I import the certificate into my workstation to test exporting, the option "Personal Information Exchange PKCS #12 (.PFX)" is greyed out.

I've also tried using a request.inf - certreq -new req.inf req.txt - with the below, but this just seems to generate a new request file, not an actual certificate. I need to use the request file from the Cisco WLAN Controller, otherwise it won't accept the generated certificate.

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=wlan.domain.local,OU=IT,O=Company,L=London,S=London,C=UK"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xf0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[RequestAttributes]
CertificateTemplate = WebServer

Open in new window


How can I get the request sent to me, to generate a certificate with a key that can be exported?
0
Comment
Question by:bjblackmore
  • 2
3 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40223770
You can export a certificate, but not a pfx.

A pfx is a pkcs#12 container that contains the certifcate, its key, and any dependency-chain certs up to the CA.
a CSR does not contain the secret key, hence a machine that fulfils it cannot export a PFX.

That's fine though. usually a controller that has sent a CSR expects to get a PEM formatted cert (not pfx) back.

if you really need the pfx, you will need to find a way to export the secret key from the device, and use openssl (or xca) to combine that with your cert to form a pfx - or generate the CSR yourself (xca, for example, can create a "template" from an existing cert, and create a self signed or CA-signed certificate (or csr) from that using a freshly generated key - then export a PFX)
0
 

Author Comment

by:bjblackmore
ID: 40223827
Thanks for the reply.

I think we can generate a key file from the controller. So you say I should be alble to take the cert.key file, and the cert.cer file, and combine them both using OpenSSL into a pfx file?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40224248
yes - assuming that is what you need to do.

the openssl command will be:

openssl pkcs12 -export in <certificate.pem> -inkey <privatekey.pem> -out <outfile.pfx>

if you need to include the CA cert from a separate file add:

-certfile <cafile.pem>

(replace filenames marked with <> with real filenames of course)

However usually, if you get a CSR from a controller, it is happy for you to just import a pem formatted certificate file back in, and combine them itself locally.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now