Is it possible to generate a PFX which automatically enables "Mark this key as exportable" during import?

Question
-
Is there any special (maybe MS-specific) PKCS #12 attribute that could be set during PFX generation that would allow "Mark this key as exportable. This will allow you to back up or transport your keys at a later time" to be enabled automatically during PFX import in Windows 10 (using the "Certificate Import Wizard")?
Answers
-
The UI wizard reads attributes only to add them to the store and nothing else. The wizard does not process them in any special way.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.
- Proposed as answer by Daisy Zhou, Microsoft contingent staff, Moderator, Friday, November 15, 2019 2:07 AM
- Marked as answer by hablutzel1 Monday, November 18, 2019 9:44 PM
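The scripted counterpart of the wizard checkbox, as an added example that is not part of the original thread: exportability is requested by whoever performs the import, here through the `-Exportable` switch of `Import-PfxCertificate`, and the resulting key policy is read back afterwards. The file path, store location and the helper name `Get-KeyExportability` are placeholders chosen for this example.

```powershell
# Added example, not from the thread. $PfxPath and $Store are placeholders.
param(
    [string]$PfxPath = "$env:USERPROFILE\Desktop\example.pfx",
    [string]$Store   = 'Cert:\CurrentUser\My',
    [switch]$Exportable   # omit to import the key as non-exportable (the default)
)

# Hypothetical helper: report whether an imported private key can be exported.
function Get-KeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return 'NoPrivateKey' }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key storage provider: the policy is a flags enum on the CngKey.
        return "CNG ExportPolicy=$($rsa.Key.ExportPolicy)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: a single boolean on the container info.
        return "CSP Exportable=$($rsa.CspKeyContainerInfo.Exportable)"
    }
    return 'Unknown (non-RSA key or unsupported provider)'
}

$password   = Read-Host -Prompt 'PFX password' -AsSecureString
$importArgs = @{
    FilePath          = $PfxPath
    CertStoreLocation = $Store
    Password          = $password
}
# The caller decides exportability; nothing inside the PFX turns this on.
if ($Exportable) { $importArgs.Exportable = $true }

$imported = Import-PfxCertificate @importArgs

# Read the policy back so the result of the import is verified, not assumed.
foreach ($cert in $imported) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        PrivateKey = Get-KeyExportability -Cert $cert
    }
}
```

Running the script once with and once without `-Exportable` against the same PFX shows the policy following the import call rather than the file.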
All replies
-
Hello,
Thank you for posting in our TechNet forum.
According to my understanding, we need to check the option "Mark this key as exportable. This will allow you to back up or transport your keys at a later time" each time we import certificates. It seems it is by design or hard-coded; we cannot make the option be checked automatically.
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Daisy Zhou, Microsoft contingent staff, Moderator, Thursday, November 14, 2019 6:49 AM
-
No, it is not possible. The Certificate Import Wizard UI doesn't read any attributes from the PFX file.
Vadims Podāns, aka Crypt32
-
I can see the following activity through Process Monitor just after pressing "Next" in the "File to Import" stage of the UI and you can see that the full PFX is read there at 5:11:07.8092532:
5:11:07.8083875 PM mmc.exe 4560 CreateFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
5:11:07.8084428 PM mmc.exe 4560 QueryNetworkOpenInformationFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS CreationTime: 11/13/2019 4:11:23 PM, LastAccessTime: 11/13/2019 4:11:23 PM, LastWriteTime: 11/13/2019 4:11:23 PM, ChangeTime: 11/13/2019 4:12:24 PM, AllocationSize: 8192, EndOfFile: 5226, FileAttributes: A
5:11:07.8084789 PM mmc.exe 4560 CloseFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS
5:11:07.8086733 PM mmc.exe 4560 CreateFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS Desired Access: Generic Read, Dis, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
5:11:07.8087501 PM mmc.exe 4560 CreateFileMapping C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
5:11:07.8087854 PM mmc.exe 4560 QueryStandardInformationFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS AllocationSize: 8,192, EndOfFile: 5,226, NumberOfLinks: 1, DeletePending: False, Directory: False
5:11:07.8088455 PM mmc.exe 4560 CreateFileMapping C: SUCCESS SyncType: SyncTypeOther
5:11:07.8089856 PM mmc.exe 4560 CloseFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS
5:11:07.8091589 PM mmc.exe 4560 CreateFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS Desired Access: Generic Read, Dis, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
5:11:07.8092290 PM mmc.exe 4560 QueryStandardInformationFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS AllocationSize: 8,192, EndOfFile: 5,226, NumberOfLinks: 1, DeletePending: False, Directory: False
5:11:07.8092532 PM mmc.exe 4560 ReadFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS Offset: 0, Length: 5,226, Priority: Normal
5:11:07.8093030 PM mmc.exe 4560 CloseFile C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx SUCCESS
5:11:07.8162286 PM mmc.exe 4560 RegQueryKey HKLM SUCCESS Query: HandleTags, HandleTags: 0x0
5:11:07.8162605 PM mmc.exe 4560 RegOpenKey HKLM\Software\Policies\Microsoft\Cryptography SUCCESS Desired Access: Query Value
5:11:07.8162969 PM mmc.exe 4560 RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection NAME NOT FOUND Length: 16
5:11:07.8163247 PM mmc.exe 4560 RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Cryptography SUCCESS
So, is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage? Or can this be confirmed only by looking at the source code of the Certificate Import Wizard (not public, is it?) or maybe with something like an assembler debugger (e.g. OllyDbg)?
- Edited by hablutzel1 Wednesday, November 13, 2019 10:46 PM
-
Hi,
Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?
Best Regards,
Daisy Zhou
-
Hi Daisy, quoting from my previous message:
> is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage? Or can this be confirmed only by looking at the source code of the Certificate Import Wizard (not public, is it?) or maybe with something like an assembler debugger (e.g. OllyDbg)?
-
> is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage?
For any official statements you should ask Microsoft Premier Support, not forums.
Vadims Podāns, aka Crypt32