Solved

Generate Exportable Certificate from .PEM Request

Posted on 2014-07-28
Medium Priority
1,155 Views
Last Modified: 2014-07-29
I have a certificate request from a colleague's Cisco Wireless LAN controller, in a .PEM format. I've been asked to generate a certificate from this request. As our CA is installed on our domain controller, we don't install the web server portion of the certificate authority, so I use certreq.exe to generate the certificate.

certreq -submit -attrib "CertificateTemplate:WebServer" certreq.pem certreq.cer

This generates a certificate correctly, which can be imported. However my colleague has requested that the key be marked as exportable. When I import the certificate into my workstation to test exporting, the option "Personal Information Exchange PKCS #12 (.PFX)" is greyed out.

I've also tried using a request.inf - certreq -new req.inf req.txt - with the below, but this just seems to generate a new request file, not an actual certificate. I need to use the request file from the Cisco WLAN Controller, otherwise it won't accept the generated certificate.

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=wlan.domain.local,OU=IT,O=Company,L=London,S=London,C=UK"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xf0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[RequestAttributes]
CertificateTemplate = WebServer


How can I get the request sent to me, to generate a certificate with a key that can be exported?
Question by:bjblackmore
3 Comments
LVL 33

Expert Comment

by:Dave Howe
ID: 40223770
You can export a certificate, but not a pfx.

A pfx is a pkcs#12 container that contains the certificate, its key, and any dependency-chain certs up to the CA.
A CSR does not contain the secret key, hence a machine that fulfils it cannot export a PFX.

That's fine though. Usually a controller that has sent a CSR expects to get a PEM formatted cert (not pfx) back.

If you really need the pfx, you will need to find a way to export the secret key from the device, and use openssl (or xca) to combine that with your cert to form a pfx - or generate the CSR yourself (xca, for example, can create a "template" from an existing cert, and create a self signed or CA-signed certificate (or csr) from that using a freshly generated key - then export a PFX).

Author Comment

by:bjblackmore
ID: 40223827
Thanks for the reply.

I think we can generate a key file from the controller. So you say I should be able to take the cert.key file, and the cert.cer file, and combine them both using OpenSSL into a pfx file?
LVL 33

Accepted Solution

by:Dave Howe earned 2000 total points
ID: 40224248
Yes - assuming that is what you need to do.

The openssl command will be:

openssl pkcs12 -export -in <certificate.pem> -inkey <privatekey.pem> -out <outfile.pfx>

If you need to include the CA cert from a separate file add:

-certfile <cafile.pem>

(replace filenames marked with <> with real filenames of course)

However usually, if you get a CSR from a controller, it is happy for you to just import a pem formatted certificate file back in, and combine them itself locally.
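To show why the CA side can never produce a PFX from a CSR, and how the pkcs12 step assembles one once the device's key is available, here is an added shell example that is not part of the thread. It builds a constructed throwaway test CA and device key in a temp directory; the file names, subject, and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: the whole CSR -> cert -> PFX flow in a temp dir.
# The CA only ever sees the CSR (public key + subject), so it cannot build a PFX;
# the PFX is assembled wherever the private key lives, with "openssl pkcs12 -export".
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Device side (stand-in for the Cisco WLC): private key stays here, CSR goes out.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/device.key" \
    -out "$WORK/device.csr" -subj "/CN=wlan.example.test" >/dev/null 2>&1

# 2. CA side: a constructed throwaway test CA signs the CSR; only the cert is returned.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1
openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/device.cer" -days 1 >/dev/null 2>&1

# Returns 0 if the PEM file carries a private key block, 1 otherwise.
has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# 3. Combine cert + key + CA chain into a PFX (the accepted answer's command,
#    with -certfile for the chain and the password supplied non-interactively).
build_pfx() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5" >/dev/null 2>&1
}

# Returns 0 if the PFX opens with the given password and contains a private key.
pfx_has_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY-----'
}

# Demo: neither the CSR nor the issued cert holds the key, so the CA host's
# certificate store can only export the bare cert; the PFX needs device.key.
for f in device.csr device.cer device.key; do
    if has_private_key "$WORK/$f"; then echo "$f: contains private key"; else echo "$f: no private key"; fi
done
build_pfx "$WORK/device.cer" "$WORK/device.key" "$WORK/ca.pem" "$WORK/device.pfx" changeit
pfx_has_key "$WORK/device.pfx" changeit && echo "device.pfx: private key present, bundle built"
```

The controller's real key replaces device.key in practice; without it, the issued certificate alone can only ever be exported as a certificate, never as a PFX.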
