I created a self signed certificate in Windows 10 using New-SelfSignedCertificate function as below:
New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "CN=VBA Code Signing" -KeyAlgorithm RSA -KeyLength 2048 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert
I exported the certificate including the private key and installed in another machine. However, the macro is still being blocked in the second machine. The macro settings is "Disable all macros except digitally signed macros"
Does anybody know why is this happening?
Thanks
Related
We have an Azure Function (.NET 4.7.2) running for a year that sends messages to a webservice using a client certificate. This certificate has to be renewed but now we have done that we are getting this exception when sending a message;
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
Azure has problems reading the private key and the problem seems to be exporting it from my local machine. Could this problem originate from the original CSR? The previous certificate still works fine, as long as it's valid. Note that I can send messages using the new certificate from my local machine.
Things I have tried;
Using all combinations of MMC settings to export the .pfx file
Using the answer in https://stackoverflow.com/a/34103154/6033193 to convert the cert key to the RSA format and upload the new resulting .pfx
Using CertUtil.exe -store -user my to compare the new and the old certificate. They both have Provider Microsoft Enhanced Cryptographic Provider v1.0 and, apart from the hashes and names, look the same.
Removing Azure Key Vault from the setup and uploading the pfx directly to the app service
Reading the .pfx from a local folder and using it like this: new X509Certificate2(certByes, "password", X509KeyStorageFlags.PersistKeySet);. This works so something seems to be going wrong when uploading the .pfx file to the Azure portal.
Any more things I can try?
The provider that worked for the previous certificate no longer works for the new certificate. I have a hunch something is wrong with the encryption because the Bag Attributes contained no LocalKeyID information, but I cannot say for sure.
Anyway, changing the provider to "Microsoft Platform Crypto Provider" made the private key accessible in Azure. Using OpenSSL:
First export the .key and the public .pem part from the .pfx file;
openssl pkcs12 -in cert.pfx -out cert_publicpart.pem -nokeys
openssl pkcs12 -in cert.pfx -out cert_privatekey.key -nocerts
If it's encrypted it will ask for your password after each command.
Then, convert it back to a .pfx specifying the provider;
openssl pkcs12 -export -in cert_publicpart.pem -inkey cert_privatekey.key -out cert_newCSP.pfx -CSP "Microsoft Platform Crypto Provider"
Again, specify a password and the new .pfx should be good to go!
Optional, if you'd want to verify the CSP:
openssl pkcs12 -in "cert_newCSP.pfx" -out "cert_newCSP.pem"
Open the .pem file, find -----BEGIN ENCRYPTED PRIVATE KEY----- and look for Microsoft CSP Name: Microsoft Platform Crypto Provider right above that.
Background
We have MS Azure cloud hosting
Purchased a wildcard SSL certificate for my domain from a 3rd party (not Microsoft)
Created a CSR file + private key file
Used these & have been issued x509 and PKCS7 certs from SSL issuer
Azure requires a PFX file, so have been attempting to follow the ssl.com tutorial here: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
Issue
Running the openssl command in terminal on my local machine (breaks inserted for readability)
openssl pkcs12 -export -out certificate.pfx -password pass:somepassword
-inkey domain.key -in certificate.crt
I receive the following error:
140735704675208:error:0906D06C:PEM routines:PEM_read_bio:no start line
:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/crypto/pem/pem_lib.c:704:
Expecting: ANY PRIVATE KEY
But I've supplied the key? I'm confused. I'm an SSL beginner when it comes to Azure. What am I doing wrong?
Note, I included the -password parameter because MS Azure expects PFX files to be password protected. This is not optional: they HAVE to be protected.
EDIT
Having regenerated a CSR & Key using Openssl, I get a new error that the key file isn't valid. To ensure I'm not missing something obvious:
What do I do with the X509?
What do I do with the PKCS7?
Got bored messing about with openssl and terminal so found a GUI to do it. Steps:
Copy X509 contents, paste into code editor, save as cert.pem
Copy private key, paste into code editor, save as private.key
Go to https://help.configuressl.com/ssl-tools/ssl-converter/, upload both
Set password
Export as PFX
This generates a password protected PFX which can then be uploaded to Azure.
I have an externally hosted iis webserver where i run my website. I would like to add a self signed certificate to this website and trust it on my local client, to remove "Insecure Connection" from the browser.
What i have done so far is the following
Created a self signed certificate in IIS: Server Certificates -> Create self signed Certificate. The cert is issued to the servername e.g "ABCD01"
Created a website with a https binding using the self signed certificate.
Exported the self signed certificate from IIS using: Server Certificates -> Export. This resulted in an .pfx file
Imported the .pfx cert file on the local client: manage computer certificates -> Trusted Root certification authorities -> import
Added the hostname (ABCD01) and ip of the host to the hosts file: C:\Windows\System32\drivers\etc\hosts
When i try to open the website in firefox (using https://ABCD01), i still get the "Your connection is not secure". What am i missing?
There are multiple issues:
IIS certificate generator creates self-signed certificates with SHA1 signature algorithm which is obsolete in modern browsers. You have to use different tools to create test certificates. For example, use PowerShell New-SelfSignedCertificate cmdlet where you can specify signature algorithm. Look at this post to get an example: https://stackoverflow.com/a/45284368/3997611
New-SelfSignedCertificate `
-DnsName "ABCD01" `
-CertStoreLocation "cert:\LocalMachine\My" `
-FriendlyName "test dev cert" `
-TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
-KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
-Provider "Microsoft RSA SChannel Cryptographic Provider" `
-HashAlgorithm "SHA256"
IIS certificate generator cannot build certificate with SAN (Subject Alternative Names) certificate extension which is required in Google Chrome. You have to use different tools to create test certificates. Look at the example above for reference.
Google Chrome uses built-in Windows Certificate store to establish a trust, while FireFox uses its own certificate store. Therefore, after adding the certificate to Windows certificate store, you have to import your test certificate to FireFox manually.
For our point to site VPN, we want to create a root certificate.
So we can create as many client certificates as we want for all the partners that have the need to login in our VPN. (Azure virtual network)
Doing this manually works perfect. We generate a certificate (self signed) that acts as root ca. We are able to do this in powershell like this:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=Kratos Point To Site VPN Root Certificate Win10" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
$clientCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=Digicreate Point To Site VPN Client Certificate Win10" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
However, we prefer to use the key vault for our certificate management. The idea is to create a certificate directly in the key vault by using this command:
Add-AzureKeyVaultCertificate (with the private key not exportable)
Creating the root certificate works perfectly. But I am not able to find how I can sign a new certificate with the 'sign' operations in the key vault.
Do you have a sample on how to this?
Refer to the "Create a certificate manually and get signed by a CA" section in https://blogs.technet.microsoft.com/kv/2016/09/26/get-started-with-azure-key-vault-certificates/
but I would like to create a client certificate based on this root
certificate with azure key vault cmdlets. Is this possible?
Do you mean you want to download the certificate? if yes, we can use this script to download it:
download Private certificate to your D:\cert:
$kvSecret = Get-AzureKeyVaultSecret -VaultName 'jasontest2' -Name 'TestCert01'
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'test')
$pfxPath = 'D:\cert\test.pfx'
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)
Download public certificate to your D:\cert:
$cert = Get-AzureKeyVaultCertificate -VaultName 'jasontest2' -Name 'TestCert01'
$filePath ='D:\cert\TestCertificate.cer'
$certBytes = $cert.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($filePath, $certBytes)
Update:
The $certificateOperation.CertificateSigningRequest is the base4 encoded certificate signing request for the certificate.
Import-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -FilePath C:\test\OutputCertificateFile.cer
More information please refer to this blog.
Update:
We should sign the CertificateSignRequest with the sign operation with your CA server.
Enterprise certificate:
If you are using an enterprise certificate
solution, generate a client certificate with the common name value
format 'name#yourdomain.com', rather than the 'domain name\username'
format. Make sure the client certificate is based on the 'User'
certificate template that has 'Client Authentication' as the first
item in the use list, rather than Smart Card Logon, etc. You can check
the certificate by double-clicking the client certificate and viewing
Details > Enhanced Key Usage.
I am using java's KeyTool to generate a self-signed certificate. Just wanted to know if there is a way to create a self signed certificate with a Private Key that has no password.
I know OpenSsl does allow you to do that.