Remove From My Forums

Is it possible to generate a PFX which automatically enables "Mark this key as exportable" during import?.

Question
0

Sign in to vote

Is there any special (maybe MS specific) PKCS #12 attribute that could be set during PFX generation that would allow "Mark this key as exportable. This will allow you to backup up or transport your keys at a later time" to be enabled automatically during PFX import in Windows 10 (using the "Certificate Import Wizard")?.

Tuesday, November 12, 2019 10:44 PM

Reply

|

Quote

Answers

0

Sign in to vote
UI Wizard reads attributes only to add them to store and nothing else. Wizard do not process them in any special way.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.
- Proposed as answer by Daisy ZhouMicrosoft contingent staff, Moderator Friday, November 15, 2019 2:07 AM
- Marked as answer by hablutzel1 Monday, November 18, 2019 9:44 PM
Thursday, November 14, 2019 8:45 PM

Reply

|

Quote

All replies

0

Sign in to vote
Hello，
Thank you for posting in our TechNet forum.

According to my understanding, we need to check the option "Mark this key as exportable. This will allow you to backup up or transport your keys at a later time" each time when we import certificates. It seems it is by design or hard coded, we can not make the option be checked automatically.

Thank you for your understanding and support.

Best Regards,
Daisy Zhou

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Daisy ZhouMicrosoft contingent staff, Moderator Thursday, November 14, 2019 6:49 AM
Wednesday, November 13, 2019 6:49 AM

Reply

|

Quote

Moderator
0

Sign in to vote

No, it is no possible. Certificate Import Wizard UI doesn't read any attributes from PFX file.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.

Wednesday, November 13, 2019 7:47 AM

Reply

|

Quote

I can see the following activity through Process Monitor just after pressing "Next" in the "File to Import" stage of the UI and you can see that the full PFX is read there at 5:11:07.8092532:

5:11:07.8083875 PM	mmc.exe	4560	CreateFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
5:11:07.8084428 PM	mmc.exe	4560	QueryNetworkOpenInformationFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	CreationTime: 11/13/2019 4:11:23 PM, LastAccessTime: 11/13/2019 4:11:23 PM, LastWriteTime: 11/13/2019 4:11:23 PM, ChangeTime: 11/13/2019 4:12:24 PM, AllocationSize: 8192, EndOfFile: 5226, FileAttributes: A
5:11:07.8084789 PM	mmc.exe	4560	CloseFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	
5:11:07.8086733 PM	mmc.exe	4560	CreateFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Desired Access: Generic Read, Dis, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
5:11:07.8087501 PM	mmc.exe	4560	CreateFileMapping	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	FILE LOCKED WITH ONLY READERS	SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
5:11:07.8087854 PM	mmc.exe	4560	QueryStandardInformationFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	AllocationSize: 8,192, EndOfFile: 5,226, NumberOfLinks: 1, DeletePending: False, Directory: False
5:11:07.8088455 PM	mmc.exe	4560	CreateFileMapping	C:	SUCCESS	SyncType: SyncTypeOther
5:11:07.8089856 PM	mmc.exe	4560	CloseFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	
5:11:07.8091589 PM	mmc.exe	4560	CreateFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Desired Access: Generic Read, Dis, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
5:11:07.8092290 PM	mmc.exe	4560	QueryStandardInformationFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	AllocationSize: 8,192, EndOfFile: 5,226, NumberOfLinks: 1, DeletePending: False, Directory: False
5:11:07.8092532 PM	mmc.exe	4560	ReadFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Offset: 0, Length: 5,226, Priority: Normal
5:11:07.8093030 PM	mmc.exe	4560	CloseFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	
5:11:07.8162286 PM	mmc.exe	4560	RegQueryKey	HKLM	SUCCESS	Query: HandleTags, HandleTags: 0x0
5:11:07.8162605 PM	mmc.exe	4560	RegOpenKey	HKLM\Software\Policies\Microsoft\Cryptography	SUCCESS	Desired Access: Query Value
5:11:07.8162969 PM	mmc.exe	4560	RegQueryValue	HKLM\SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection	NAME NOT FOUND	Length: 16
5:11:07.8163247 PM	mmc.exe	4560	RegCloseKey	HKLM\SOFTWARE\Policies\Microsoft\Cryptography	SUCCESS

So, is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage?, or this can be confirmed only by looking at the source code of the Certificate Import Wizard (not public isn't it?) or maybe with something like an assembler debugger (e.g. OllyDbg)?.

Edited by hablutzel1 Wednesday, November 13, 2019 10:46 PM

Wednesday, November 13, 2019 10:37 PM

0

Sign in to vote
UI Wizard reads attributes only to add them to store and nothing else. Wizard do not process them in any special way.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.
- Proposed as answer by Daisy ZhouMicrosoft contingent staff, Moderator Friday, November 15, 2019 2:07 AM
- Marked as answer by hablutzel1 Monday, November 18, 2019 9:44 PM
Thursday, November 14, 2019 8:45 PM

Reply

|

Quote
0

Sign in to vote

Hi,
If this question has any update or is this issue solved? Also, for the question, is there any other assistance we could provide?

Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Monday, November 18, 2019 1:43 AM

Reply

|

Quote

Moderator
0

Sign in to vote

Hi Daisy, quoting from my previous message:

> is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage?, or this can be confirmed only by looking at the source code of the Certificate Import Wizard (not public isn't it?) or maybe with something like an assembler debugger (e.g. OllyDbg)?.

Monday, November 18, 2019 5:52 PM

Reply

|

Quote
0

Sign in to vote

> is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage?

for any official statements you should ask Microsoft Premier Support, not forums.
Vadims Podāns, aka Crypt32
My weblog: www.sysadmins.lv
PowerShell PKI Module: PSPKI
Check out new: SSL Certificate Verifier
Check out new: ASN.1 Editor tool.

Monday, November 18, 2019 9:18 PM

Reply

|

Quote

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Is it possible to generate a PFX which automatically enables "Mark this key as exportable" during import?.

Question

Answers

All replies