Azure VPN - How can I export and import client certificate using PowerShell script without password-error?

  • Question

  • Background

    I have an original p2s application with a client certificate, developed with WCF. It is very similar to the Azure VPN service in that it uses a client certificate. On the internet, I could not find any useful information about p2s client certificates except for Azure VPN.

    With reference to the following Azure VPN documents, I wrote a PowerShell script for exporting and importing the client certificate to the client computer and executed it.

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

    https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert

     

    Problem

    But a password error is displayed when trying to import the client certificate.

    The procedure that I executed is as follows.

    1. I exported the pfx file using the PowerShell script with the password. (Please refer below - PowerShell script for exporting client certificate.)
    2. I copied the pfx file to the client computer.
    3. I double-clicked the pfx file on the client computer. (The import wizard started.)
    4. Selected Current User and pushed the "NEXT" button.
    5. Pushed the "NEXT" button.
    6. Entered the password and pushed the "NEXT" button. (Then a dialog box with "The password you entered is incorrect." was displayed. Please refer below for the detailed error.)

     

    Import-PfxCertificate : The PFX file you are trying to import requires either a different password or membership in an Active Directory principal
    to which it is protected.
    At C:\Work\TestService2\test_import.ps1:11 char:1
    + Import-PfxCertificate -Password $secure_pwd -FilePath "${client_cert_ ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Import-PfxCertificate], Win32Exception
        + FullyQualifiedErrorId : System.ComponentModel.Win32Exception,Microsoft.CertificateServices.Commands.ImportPfxCertificate

     

    When the pfx file is exported manually using the certificate export wizard, the certificate import wizard succeeds and my application works fine.

     

    Question

    In Azure, how can I export and import a client certificate using a PowerShell script?

    Is it because PowerShell's Export-PfxCertificate command cannot include the secret key?

    Best regards.

     

    C# Source code of the application

    // Looks up the client certificate by subject name in the current user's
    // Trusted Root store (StoreName.Root), not the personal store (StoreName.My).
    cf.Credentials.ClientCertificate.SetCertificate(
        StoreLocation.CurrentUser, StoreName.Root,
        X509FindType.FindBySubjectName, "FirstClientCert"
    );

     

    PowerShell script for exporting client certificate

    $current_directory = 'D:\Work\TestService2'
    $root_cert_name = 'FirstRootCert'
    $client_cert_name = 'FirstClientCert'
    #$imd_sert_name = 'FirstImdCert'
    # Renamed from $pwd: $PWD is PowerShell's automatic current-directory variable,
    # so it should not be reused to hold the PFX password.
    $pfx_pwd = 'xxxxxxxx'
    $port_no = 5000
    $service_guid = '541eea84-c788-4d23-b6b2-f5210xxxx5c5'

    #1. Change the current directory.
    Set-Location $current_directory

    #2. Encrypt the password.
    [System.Security.SecureString]$secure_pwd = ConvertTo-SecureString -String $pfx_pwd -Force -AsPlainText

    #3. Create a root certificate.
    $root_cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=${root_cert_name}" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

    #4. Export personal information exchange file and private key from root certificate.
    [String]$rootCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($root_cert.Thumbprint)"
    Export-PfxCertificate -Cert $rootCertPath -FilePath "${root_cert_name}.pfx" -Password $secure_pwd
    Export-Certificate -Cert $rootCertPath -FilePath "${root_cert_name}.crt"

    #5. Create a client certificate (client-authentication EKU 1.3.6.1.5.5.7.3.2, signed by the root).
    $client_cert = New-SelfSignedCertificate -Type Custom -DnsName $client_cert_name -KeySpec Signature -Subject "CN=${client_cert_name}" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root_cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

    #6. Export personal information exchange file and private key from client certificate.
    # Uses its own path variable instead of overwriting $rootCertPath.
    [String]$clientCertPath = Join-Path -Path 'cert:\CurrentUser\My\' -ChildPath "$($client_cert.Thumbprint)"
    Export-PfxCertificate -Cert $clientCertPath -FilePath "${client_cert_name}.pfx" -Password $secure_pwd
    Export-Certificate -Cert $clientCertPath -FilePath "${client_cert_name}.crt"

     

     

    PowerShell script for importing client certificate

    $current_directory = 'C:\Work\TestService2'
    $client_cert_name = 'FirstClientCert'
    # Renamed from $pwd: $PWD is PowerShell's automatic current-directory variable,
    # so it should not be reused to hold the PFX password.
    $pfx_pwd = 'xxxxxxxx'

    #1. Change the current directory.
    Set-Location $current_directory

    #2. Encrypt the password.
    [System.Security.SecureString]$secure_pwd = ConvertTo-SecureString -String $pfx_pwd -Force -AsPlainText

    #3. Import PFX file.
    Import-PfxCertificate -Password $secure_pwd -FilePath "${client_cert_name}.pfx" -CertStoreLocation 'Cert:\CurrentUser\My'

    Monday, November 18, 2019 1:38 PM
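    Added example, not part of the original post or of any Microsoft documentation: a PowerShell export/import pair that checks the PFX password round-trips before the file is copied anywhere, and confirms after import that the private key actually arrived. Export-PfxCertificate does write the private key into the PFX when the key was created with -KeyExportPolicy Exportable, and the "requires either a different password or membership in an Active Directory principal" message is the same one produced for a wrong password or for a file protected with -ProtectTo, so the round-trip check with Get-PfxData is what separates those cases from a key that is genuinely missing. The certificate names, directories and function names are assumptions for illustration; the password is read interactively instead of hard-coded, and no variable is named $pwd because $PWD is PowerShell's automatic current-directory variable.

```powershell
# Added example (not from the original post). Assumed names: FirstRootCert,
# FirstClientCert, D:\Work\TestService2, C:\Work\TestService2.

function New-ClientCertificatePfx {
    param(
        [Parameter(Mandatory)] [string] $RootName,      # assumed: 'FirstRootCert'
        [Parameter(Mandatory)] [string] $ClientName,    # assumed: 'FirstClientCert'
        [Parameter(Mandatory)] [string] $OutputDir,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    # Self-signed root in the current user's personal store, usable only for signing.
    $root = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$RootName" `
        -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

    # Client-authentication leaf (EKU 1.3.6.1.5.5.7.3.2) signed by that root.
    $client = New-SelfSignedCertificate -Type Custom -DnsName $ClientName -KeySpec Signature `
        -Subject "CN=$ClientName" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

    $pfxPath = Join-Path -Path $OutputDir -ChildPath "$ClientName.pfx"
    # Leaf + private key + issuing chain, protected only by $PfxPassword (no -ProtectTo).
    Export-PfxCertificate -Cert $client -FilePath $pfxPath -Password $PfxPassword `
        -ChainOption BuildChain | Out-Null

    # Round-trip check: Get-PfxData throws if the password does not open the file,
    # so a bad PFX is caught here instead of on the client.
    $null = Get-PfxData -FilePath $pfxPath -Password $PfxPassword -ErrorAction Stop
    return $pfxPath
}

function Import-ClientCertificatePfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $StoreLocation = 'Cert:\CurrentUser\My'
    )
    # Verify the password before importing so the failure is explicit and local.
    try {
        $data = Get-PfxData -FilePath $PfxPath -Password $PfxPassword -ErrorAction Stop
    }
    catch {
        throw "PFX password check failed for '$PfxPath': $($_.Exception.Message)"
    }
    $leafThumbprint = $data.EndEntityCertificates[0].Thumbprint

    Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword `
        -CertStoreLocation $StoreLocation | Out-Null

    # A certificate without its private key is "installed" but useless for client auth.
    $imported = Get-ChildItem -Path $StoreLocation | Where-Object Thumbprint -eq $leafThumbprint
    if (-not $imported -or -not $imported.HasPrivateKey) {
        throw "Certificate $leafThumbprint was not imported with its private key."
    }
    return $imported
}

# Server side (assumed paths): prompt for the password instead of hard-coding it.
# $pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
# New-ClientCertificatePfx -RootName 'FirstRootCert' -ClientName 'FirstClientCert' `
#     -OutputDir 'D:\Work\TestService2' -PfxPassword $pfxPwd
#
# Client side, after copying the .pfx:
# $pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
# Import-ClientCertificatePfx -PfxPath 'C:\Work\TestService2\FirstClientCert.pfx' -PfxPassword $pfxPwd
```

    Get-PfxData and Import-PfxCertificate both live in the PKI module, so the same check can be run on the exporting machine and on the client. If the round-trip check passes on the server but the import still fails on the client, the password typed on the client is the thing to compare, not the export.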

All replies

  • Are you referring to any document to perform this operation?

    What specific Azure service are you using?

    Would be glad to help if you could provide more background about your scenario.

    Wednesday, November 20, 2019 6:52 AM
    Hi, thank you for your reply.

    I referred to this.

    https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

    And this.

    https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert

    And I am not using any Azure service.

    I have a p2s service that works on the Windows .NET Framework.

    It has to be accessed from any platform that supports the HTTPS protocol.

    I think the Azure service is a p2s service and there are a lot of documents and information about its security settings, so I selected this forum to post a question.

    My question is, in other words, "How can I export and import a client certificate using a PowerShell script without a password error?"

    Best regards.

    • Edited by first2018 Thursday, November 21, 2019 1:27 AM
    Thursday, November 21, 2019 1:17 AM
  • Hi, SadiqhAhmed-MSFT, may I ask why you think that this question is not related to Azure and is better suited to the Windows forum? At this moment, I do not want this question to be moved without the reason why it is not related to Azure. Best regards.
    • Edited by first2018 Sunday, November 24, 2019 6:22 PM
    Sunday, November 24, 2019 6:13 PM
  • As in my last reply to your question, my case is similar to the Azure VPN client certificate procedure. In Azure, are there not cases that require scripting to export or import the client certificate?
    • Edited by first2018 Sunday, November 24, 2019 6:37 PM
    Sunday, November 24, 2019 6:35 PM
  • Azure forums are dedicated to offering help on any Azure service being used by our customers. Since you're not using any Azure service, your query would not be a good fit in the Azure forum. I had a discussion with the networking folks around me and they said non-Azure queries cannot be handled within Azure forums. Hence, I moved your query to the Windows forum to get some traction from the right audience.
    Monday, November 25, 2019 8:57 AM