Solved

Generate Exportable Certificate from .PEM Request

Posted on 2014-07-28
3
880 Views
Last Modified: 2014-07-29
I have a certificate request from a colleague's Cisco Wireless LAN controller, in a .PEM format. I've been asked to generate a certificate from this request. As our CA in installed on our domain controller, we don't install the web server portion of the certificate authority, so I use certreq.exe to generate the certificate.

certreq -submit -attrib "CertificateTemplate:WebServer" certreq.pem certreq.cer

This generates a certificate correctly, which can be imported. However my colleague has requested that the key be marked as exportable. When I import the certificate into my workstation to test exporting, the option "Personal Information Exchange PKCS #12 (.PFX)" is greyed out.

I've also tried using a request.inf - certreq -new req.inf req.txt - with the below, but this just seems to generate a new request file, not an actual certificate. I need to use the request file from the Cisco WLAN Controller, otherwise it won't accept the generated certificate.

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=wlan.domain.local,OU=IT,O=Company,L=London,S=London,C=UK"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xf0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[RequestAttributes]
CertificateTemplate = WebServer

Open in new window


How can I get the request sent to me, to generate a certificate with a key that can be exported?
0
Comment
Question by:bjblackmore
  • 2
3 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40223770
You can export a certificate, but not a pfx.

A pfx is a pkcs#12 container that contains the certifcate, its key, and any dependency-chain certs up to the CA.
a CSR does not contain the secret key, hence a machine that fulfils it cannot export a PFX.

That's fine though. usually a controller that has sent a CSR expects to get a PEM formatted cert (not pfx) back.

if you really need the pfx, you will need to find a way to export the secret key from the device, and use openssl (or xca) to combine that with your cert to form a pfx - or generate the CSR yourself (xca, for example, can create a "template" from an existing cert, and create a self signed or CA-signed certificate (or csr) from that using a freshly generated key - then export a PFX)
0
 

Author Comment

by:bjblackmore
ID: 40223827
Thanks for the reply.

I think we can generate a key file from the controller. So you say I should be alble to take the cert.key file, and the cert.cer file, and combine them both using OpenSSL into a pfx file?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40224248
yes - assuming that is what you need to do.

the openssl command will be:

openssl pkcs12 -export in <certificate.pem> -inkey <privatekey.pem> -out <outfile.pfx>

if you need to include the CA cert from a separate file add:

-certfile <cafile.pem>

(replace filenames marked with <> with real filenames of course)

However usually, if you get a CSR from a controller, it is happy for you to just import a pem formatted certificate file back in, and combine them itself locally.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now