Is it possible to generate a PFX which automatically enables "Mark this key as exportable" during import?

  • Question

  • Is there any special (maybe MS-specific) PKCS #12 attribute that could be set during PFX generation that would allow "Mark this key as exportable. This will allow you to back up or transport your keys at a later time" to be enabled automatically during PFX import in Windows 10 (using the "Certificate Import Wizard")?
    Tuesday, November 12, 2019 10:44 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    According to my understanding, we need to check the option "Mark this key as exportable. This will allow you to back up or transport your keys at a later time" each time we import certificates. It seems this is by design or hard-coded; we cannot make the option be checked automatically.

    Thank you for your understanding and support.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 13, 2019 6:49 AM
    Moderator
  • No, it is not possible. The Certificate Import Wizard UI doesn't read any attributes from the PFX file.

    Vadims Podāns, aka Crypt32
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: ASN.1 Editor tool.

    Wednesday, November 13, 2019 7:47 AM
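
The replies above put the exportable choice with whoever performs the import, not with the PFX. An added example (not part of the thread) of the same choice made in a script through the `-Exportable` switch of `Import-PfxCertificate`, followed by a behavioural check of the result; the path, the store, the helper name `Test-PrivateKeyExportable` and the use of a throwaway test PFX with a single certificate are assumptions.

```powershell
# Added example, not from the thread. Run it with a throwaway test PFX only:
# the clean-up steps delete the imported certificate together with its key.
$pfxPath = 'C:\path\to\test.pfx'       # placeholder path (assumption)
$store   = 'Cert:\CurrentUser\My'      # per-user store (assumption)
$pfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'

# Hypothetical helper: a PFX export succeeds only if the stored key allows export.
function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)] $Certificate,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $tmp = Join-Path $env:TEMP ([guid]::NewGuid().ToString() + '.pfx')
    try {
        Export-PfxCertificate -Cert $Certificate -FilePath $tmp `
            -Password $Password -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false          # export refused: the key is not exportable
    } finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

# 1. Default import: without -Exportable the key is stored as non-exportable,
#    whatever attributes the PFX carries.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $store -Password $pfxPwd
"Default import, key exportable:     $(Test-PrivateKeyExportable $cert $pfxPwd)"
Remove-Item -LiteralPath "$store\$($cert.Thumbprint)" -DeleteKey

# 2. Same file, but the importer opts in, which is what ticking the wizard box does.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $store `
    -Password $pfxPwd -Exportable
"-Exportable import, key exportable: $(Test-PrivateKeyExportable $cert $pfxPwd)"
Remove-Item -LiteralPath "$store\$($cert.Thumbprint)" -DeleteKey
```
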
  • I can see the following activity through Process Monitor just after pressing "Next" in the "File to Import" stage of the UI and you can see that the full PFX is read there at 5:11:07.8092532:
    5:11:07.8083875 PM	mmc.exe	4560	CreateFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Desired Access: Read Attributes, Dis, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
    5:11:07.8084428 PM	mmc.exe	4560	QueryNetworkOpenInformationFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	CreationTime: 11/13/2019 4:11:23 PM, LastAccessTime: 11/13/2019 4:11:23 PM, LastWriteTime: 11/13/2019 4:11:23 PM, ChangeTime: 11/13/2019 4:12:24 PM, AllocationSize: 8192, EndOfFile: 5226, FileAttributes: A
    5:11:07.8084789 PM	mmc.exe	4560	CloseFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	
    5:11:07.8086733 PM	mmc.exe	4560	CreateFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Desired Access: Generic Read, Dis, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
    5:11:07.8087501 PM	mmc.exe	4560	CreateFileMapping	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	FILE LOCKED WITH ONLY READERS	SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE
    5:11:07.8087854 PM	mmc.exe	4560	QueryStandardInformationFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	AllocationSize: 8,192, EndOfFile: 5,226, NumberOfLinks: 1, DeletePending: False, Directory: False
    5:11:07.8088455 PM	mmc.exe	4560	CreateFileMapping	C:	SUCCESS	SyncType: SyncTypeOther
    5:11:07.8089856 PM	mmc.exe	4560	CloseFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	
    5:11:07.8091589 PM	mmc.exe	4560	CreateFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Desired Access: Generic Read, Dis, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
    5:11:07.8092290 PM	mmc.exe	4560	QueryStandardInformationFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	AllocationSize: 8,192, EndOfFile: 5,226, NumberOfLinks: 1, DeletePending: False, Directory: False
    5:11:07.8092532 PM	mmc.exe	4560	ReadFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	Offset: 0, Length: 5,226, Priority: Normal
    5:11:07.8093030 PM	mmc.exe	4560	CloseFile	C:\Users\hablu\Desktop\John_Doe_test_certificate.pfx	SUCCESS	
    5:11:07.8162286 PM	mmc.exe	4560	RegQueryKey	HKLM	SUCCESS	Query: HandleTags, HandleTags: 0x0
    5:11:07.8162605 PM	mmc.exe	4560	RegOpenKey	HKLM\Software\Policies\Microsoft\Cryptography	SUCCESS	Desired Access: Query Value
    5:11:07.8162969 PM	mmc.exe	4560	RegQueryValue	HKLM\SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection	NAME NOT FOUND	Length: 16
    5:11:07.8163247 PM	mmc.exe	4560	RegCloseKey	HKLM\SOFTWARE\Policies\Microsoft\Cryptography	SUCCESS	
    
    So, is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage, or can this be confirmed only by looking at the source code of the Certificate Import Wizard (not public, is it?) or maybe with something like an assembler debugger (e.g. OllyDbg)?

    • Edited by hablutzel1 Wednesday, November 13, 2019 10:46 PM
    Wednesday, November 13, 2019 10:37 PM
  • The UI wizard reads attributes only to add them to the store and nothing else. The wizard does not process them in any special way.

    Vadims Podāns, aka Crypt32

    Thursday, November 14, 2019 8:45 PM
  • Hi,
    Is there any update on this question, or has the issue been solved? Also, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou


    Monday, November 18, 2019 1:43 AM
    Moderator
  • Hi Daisy, quoting from my previous message:

    > is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage, or can this be confirmed only by looking at the source code of the Certificate Import Wizard (not public, is it?) or maybe with something like an assembler debugger (e.g. OllyDbg)?

    Monday, November 18, 2019 5:52 PM
  • > is there any official statement on the fact that the Certificate Import Wizard UI doesn't read any PFX attributes in that stage?

    For any official statements you should ask Microsoft Premier Support, not forums.


    Vadims Podāns, aka Crypt32

    Monday, November 18, 2019 9:18 PM