Generate Exportable Certificate from .PEM Request

I have a certificate request from a colleague's Cisco Wireless LAN controller, in .PEM format. I've been asked to generate a certificate from this request. As our CA is installed on our domain controller, we don't install the web server portion of the certificate authority, so I use certreq.exe to generate the certificate.

certreq -submit -attrib "CertificateTemplate:WebServer" certreq.pem certreq.cer

This generates a certificate correctly, which can be imported. However, my colleague has requested that the key be marked as exportable. When I import the certificate into my workstation to test exporting, the option "Personal Information Exchange PKCS #12 (.PFX)" is greyed out.

I've also tried using a request.inf (certreq -new req.inf req.txt) with the below, but this just seems to generate a new request file, not an actual certificate. I need to use the request file from the Cisco WLAN Controller, otherwise it won't accept the generated certificate.

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=wlan.domain.local,OU=IT,O=Company,L=London,S=London,C=UK"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xf0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[RequestAttributes]
CertificateTemplate = WebServer

How can I get the request sent to me to generate a certificate with a key that can be exported?

bjblackmore asked:
Dave Howe (Software and Hardware Engineer) commented:
You can export a certificate, but not a PFX.

A PFX is a PKCS#12 container that contains the certificate, its key, and any dependency-chain certs up to the CA.
A CSR does not contain the secret key, hence a machine that fulfils it cannot export a PFX.

That's fine though. Usually a controller that has sent a CSR expects to get a PEM-formatted cert (not PFX) back.

If you really need the PFX, you will need to find a way to export the secret key from the device, and use OpenSSL (or XCA) to combine that with your cert to form a PFX, or generate the CSR yourself (XCA, for example, can create a "template" from an existing cert, and create a self-signed or CA-signed certificate (or CSR) from that using a freshly generated key, then export a PFX).
bjblackmore (Author) commented:
Thanks for the reply.

I think we can generate a key file from the controller. So you say I should be able to take the cert.key file and the cert.cer file, and combine them both using OpenSSL into a PFX file?
Dave Howe (Software and Hardware Engineer) commented:
Yes, assuming that is what you need to do.

The openssl command will be:

openssl pkcs12 -export -in <certificate.pem> -inkey <privatekey.pem> -out <outfile.pfx>

If you need to include the CA cert from a separate file, add:

-certfile <cafile.pem>

(Replace filenames marked with <> with real filenames, of course.)

However, usually, if you get a CSR from a controller, it is happy for you to just import a PEM-formatted certificate file back in, and combine them itself locally.
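The combination step from the answer above, as an added example that is not part of the original thread: a small POSIX shell script that checks the device's exported key really belongs to the issued certificate before packaging both into a .pfx, and refuses to build the container on a mismatch. It assumes the openssl CLI is installed; file names and the passphrase are placeholders, and the sample key/cert it generates are constructed stand-ins for the controller's key and the CA-issued certificate.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI.
set -eu

# Returns 0 when the public key inside the certificate equals the public
# key derived from the private key (works for RSA and EC keys alike).
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Builds the .pfx only after the match check passes. An optional CA bundle
# (5th argument) is included so the chain travels with the end-entity cert.
# Returns 1 on a key/certificate mismatch so a wrapper can stop and alert.
make_pfx() {
    cert="$1"; key="$2"; out="$3"; pass="$4"; ca="${5:-}"
    if ! key_matches_cert "$cert" "$key"; then
        echo "refusing to build $out: private key does not match $cert" >&2
        return 1
    fi
    if [ -n "$ca" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$ca" \
            -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" \
            -out "$out" -passout "pass:$pass"
    fi
    # Sanity check: the container must parse back with the same password.
    openssl pkcs12 -in "$out" -passin "pass:$pass" -noout
}

# Constructed sample input: a throwaway self-signed cert plus its key stand
# in for the controller's pair; an unrelated key shows the mismatch path.
make_samples() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/wlan.key" \
        -out "$dir/wlan.cer" -subj "/CN=wlan.example.test" -days 1 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
}
```

Run with your own files as `make_pfx wlan.cer wlan.key wlan.pfx '<passphrase>' ca.pem`; the placeholder passphrase is only for the sample.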