Solved

Generate Exportable Certificate from .PEM Request

Posted on 2014-07-28
Last Modified: 2014-07-29
I have a certificate request from a colleague's Cisco Wireless LAN controller, in .PEM format. I've been asked to generate a certificate from this request. As our CA is installed on our domain controller, we don't install the web server portion of the certificate authority, so I use certreq.exe to generate the certificate.

certreq -submit -attrib "CertificateTemplate:WebServer" certreq.pem certreq.cer

This generates a certificate correctly, which can be imported. However my colleague has requested that the key be marked as exportable. When I import the certificate into my workstation to test exporting, the option "Personal Information Exchange PKCS #12 (.PFX)" is greyed out.

I've also tried using a request.inf - certreq -new req.inf req.txt - with the below, but this just seems to generate a new request file, not an actual certificate. I need to use the request file from the Cisco WLAN Controller, otherwise it won't accept the generated certificate.

[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=wlan.domain.local,OU=IT,O=Company,L=London,S=London,C=UK"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xf0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
[RequestAttributes]
CertificateTemplate = WebServer


How can I get the request sent to me, to generate a certificate with a key that can be exported?
Question by:bjblackmore
LVL 33

Expert Comment

by:Dave Howe
ID: 40223770
You can export a certificate, but not a pfx.

A pfx is a pkcs#12 container that contains the certificate, its key, and any dependency-chain certs up to the CA.
A CSR does not contain the secret key, hence a machine that fulfils it cannot export a PFX.

That's fine though. Usually a controller that has sent a CSR expects to get a PEM formatted cert (not pfx) back.

If you really need the pfx, you will need to find a way to export the secret key from the device, and use openssl (or xca) to combine that with your cert to form a pfx - or generate the CSR yourself (xca, for example, can create a "template" from an existing cert, and create a self signed or CA-signed certificate (or csr) from that using a freshly generated key - then export a PFX).
 

Author Comment

by:bjblackmore
ID: 40223827
Thanks for the reply.

I think we can generate a key file from the controller. So you say I should be able to take the cert.key file, and the cert.cer file, and combine them both using OpenSSL into a pfx file?
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40224248
Yes - assuming that is what you need to do.

The openssl command will be:

openssl pkcs12 -export -in <certificate.pem> -inkey <privatekey.pem> -out <outfile.pfx>

if you need to include the CA cert from a separate file add:

-certfile <cafile.pem>

(replace filenames marked with <> with real filenames of course)

However usually, if you get a CSR from a controller, it is happy for you to just import a pem formatted certificate file back in, and combine them itself locally.
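
Added example, not part of the original answer: before running the `openssl pkcs12 -export` command above, this script confirms that the private key exported from the device is the one the certificate was issued for, and refuses to build the .pfx otherwise. The function names, file names, the `PFX_PASS` variable and the throwaway self-signed certificate standing in for the CA-issued one are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# Succeeds only if the public key in <cert.pem> equals the one derived from <key.pem>.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_pfx <cert.pem> <key.pem> <out.pfx>
# Export password is read from $PFX_PASS so it never appears in the process list.
make_pfx() {
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing: $2 is not the key for $1" >&2
        return 1
    fi
    # The .pfx holds the private key: create it readable by the owner only.
    ( umask 077 && openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout env:PFX_PASS )
}

# Confirms the container opens with the password and its MAC verifies.
verify_pfx() {
    openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS 2>/dev/null
}

# --- Constructed sample material: throwaway keys, and a self-signed
# --- certificate standing in for the one the CA issued from the CSR.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=wlan.domain.local" \
    -keyout "$work/wlc.key" -out "$work/wlc.pem" 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null
export PFX_PASS='constructed-demo-password'

make_pfx "$work/wlc.pem" "$work/wlc.key" "$work/wlc.pfx" \
    && verify_pfx "$work/wlc.pfx" && echo "wlc.pfx built and verified"
make_pfx "$work/wlc.pem" "$work/other.key" "$work/bad.pfx" \
    || echo "mismatched key rejected, no .pfx written"
```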