How to export certificate using certutil tool from WS 2003 Enterprise CA?

  • Question

  • Hi everyone!

    I need help exporting a certificate to a PFX file using the Certutil command line tool from a Windows Server 2003 Enterprise CA, without the option to include all certificates in the certification path enabled.

    This is required to support mutual certificate-based authentication between the SCOM Agent and the SCOM Management Server. The SCOM Agent is configured for certificate-based authentication using the MOMCertImport command line tool. This tool accepts only a PFX file as a command line parameter.

    I am using the following command on the Issuing CA to export the certificate to a PFX file:

    certutil -exportpfx -p <Password> <CertID> <PFXFile>

    However, the certificate which is then created is not accepted by the MOMCertImport tool. It seems that this issue is caused by the fact that the certificate file itself (PFX) also includes all certificates from the certification path.

    The following error is thrown out by the MOMCertImport tool:

            The certificate is valid, but importing it to certificate store failed.
            Error description: Catastrophic failure
            Error code:8000FFFF

            ImportPFXCertificate failed: Catastrophic failure
            Error code: 8000FFFF

    If I export the certificate manually from the MMC Console, I am then able to deselect the option "Include all certificates in the certification path if possible". The PFX file created that way is then accepted by the MOMCertImport tool. Unfortunately, this whole process should be done from the command line only, so no GUI should be used.

    So, if anyone knows how to use the Certutil command line tool to export a certificate into a PFX file without the option to include all certificates in the certification path enabled, please help. Any help is greatly appreciated.

    Thanks a lot in advance.

    Best regards,

    Vedran Matica

    Monday, May 3, 2010 10:01 AM

Answers

  • I have come up with a VBScript script which exports certificates from the Local Machine Personal store into PFX files with the IncludeOption set to save only the end-entity certificate.

    Here it is:

    ' CAPICOM enumeration values (the first is documented as CAPICOM_CERTIFICATE_SAVE_AS_PFX)
    Const CAPICOM_CERTIFICATE_SAVE_AS_PFX = 0
    Const CAPICOM_LOCAL_MACHINE_STORE = 1
    Const CAPICOM_STORE_OPEN_EXISTING_ONLY = 128
    Const CAPICOM_CERTIFICATE_INCLUDE_END_ENTITY_ONLY = 2
    Const CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME = 0
    
    ' Open the existing Local Machine Personal ("My") store; this needs an administrative session
    Set Store = CreateObject("CAPICOM.Store")
    Store.Open CAPICOM_LOCAL_MACHINE_STORE, "My", CAPICOM_STORE_OPEN_EXISTING_ONLY
    
    Set colCertificates = Store.Certificates
    For Each objCertificate In colCertificates
        ' Save to PFX fails on entries without an accessible private key (for example the
        ' CA's own certificate on a CA server), so only export entries that carry a key.
        If objCertificate.HasPrivateKey Then
            ' INCLUDE_END_ENTITY_ONLY writes just this certificate and its key, no chain.
            ' "Password" is a placeholder: the PFX contains the private key, so use a real
            ' passphrase and delete the file once MOMCertImport has consumed it.
            objCertificate.Save "C:\" & objCertificate.GetInfo(CAPICOM_CERT_INFO_SUBJECT_SIMPLE_NAME) & ".pfx", _
                "Password", CAPICOM_CERTIFICATE_SAVE_AS_PFX, CAPICOM_CERTIFICATE_INCLUDE_END_ENTITY_ONLY
        End If
    Next
    
    This script can be used instead on the CA server to export the certificate into a PFX file, which can then be used with the MOMCertImport tool.
    • Marked as answer by Vedran Matica Tuesday, May 4, 2010 11:36 AM
    Tuesday, May 4, 2010 11:35 AM

All replies

  • It is not a good idea to generate certificate requests on the CA server and export the file to PFX. Instead, you should generate the certificate request on the managed computer and install the issued certificate in CER format. I have posted some scripts that will do this:

    New-OpsMgrRequest and Install-OpsMgrCertificate (revisited)


    http://www.sysadmins.lv
    Monday, May 3, 2010 12:00 PM
  • Thanks for the link. Unfortunately, for some reason, I can't have PowerShell on the managed computer. Plus, I suppose that RPC ports between the managed computer and the CA server must be opened to support your approach, which is also not possible in my environment.

    Why is it not a good idea? My approach is based on the document OpsMgr2007 Certificate Management (Commands and Scripts for Certificate Deployment) provided by Microsoft Services.

    Thanks,

    Vedran

    Monday, May 3, 2010 12:14 PM
  • > Plus, I suppose that RPC ports between the managed computer and the CA server must be opened to support your approach, which is also not possible in my environment.

    No. This script only generates certificate requests. It is a common scenario that the managed computer has no network access to the CA server. So you will need to manually transfer the request file to the CA server and submit it. When the CA has issued the certificate, you need to transfer the issued certificate back to the managed computer.

    Thanks for the document. However, I cannot agree with the OpsMgr product team on this point. They recommend generating certificate requests on the CA server or another domain computer, manually exporting the issued certificate with its corresponding private key, and installing it back on the managed computer. As far as I'm experienced in PKI, I don't think that this is a good practice. Instead, I believe this is bad practice. The only reason you would want to mark a private key as exportable is for personal EFS certificate backup purposes. In a domain environment this can be solved by implementing Key Archival.


    http://www.sysadmins.lv
    Monday, May 3, 2010 1:02 PM
  • Though I agree with Vadims that you should not generate CSRs on the CA server, this might help you to export the certificate without the entire chain:

     certutil -exportpfx -p <Password> <CertID> <PFXFile> "NoChain,NoRoot"

    Tuesday, May 4, 2010 8:25 AM
  • certutil -exportpfx -p <Password> <CertID> <PFXFile> "NoChain,NoRoot"

    I'm afraid this does not work on Windows Server 2003. It works on Windows 7.

    Tuesday, May 4, 2010 8:34 AM
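The two command-line routes discussed in this thread (the CAPICOM VBScript marked as the answer, and the certutil "NoChain,NoRoot" modifier that only exists on newer certutil builds) both aim at the same thing: a PFX that carries the end-entity certificate and its key and nothing else. The PowerShell below is an added example written for this page; it is not code from the thread, from the OpsMgr documentation or from Microsoft. It does the export through the .NET X509Certificate2.Export method, which by design serialises only the one certificate and its private key, and then adds the check a practitioner wants before handing the file to MOMCertImport: open the PFX and count how many certificates it actually contains. Run on a certutil-produced PFX, that check shows the bundled chain that this thread identifies as the cause of the 8000FFFF import failure. The thumbprint, file paths and password are placeholders; the key must have been marked exportable at enrollment and the script must run in an administrative session on the machine that holds the key.

```powershell
# Added example (not from the original thread). Exports the end-entity certificate and
# its key only, then verifies the resulting PFX. Thumbprint/paths/password are placeholders.

function Export-EndEntityPfx {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$OutFile,
        [Parameter(Mandatory=$true)][string]$Password
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
        if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
        if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store" }

        # X509Certificate2.Export(Pkcs12) writes this certificate and its key; it never walks
        # the chain, which is the 'end entity only' behaviour certutil on Server 2003 lacks.
        # It throws if the key was enrolled as non-exportable.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $Password)
        [System.IO.File]::WriteAllBytes($OutFile, $bytes)
        return $OutFile
    }
    finally {
        $store.Close()
    }
}

function Test-PfxIsEndEntityOnly {
    param(
        [Parameter(Mandatory=$true)][string]$PfxFile,
        [Parameter(Mandatory=$true)][string]$Password
    )
    # Importing into a collection surfaces every certificate in the PKCS#12 bag, including
    # any chain/root certificates an exporter bundled alongside the end-entity certificate.
    $col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $col.Import($PfxFile, $Password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
    $withKey = @($col | Where-Object { $_.HasPrivateKey })

    New-Object PSObject -Property @{
        PfxFile          = $PfxFile
        CertificateCount = $col.Count
        PrivateKeyCount  = $withKey.Count
        # Exactly one certificate, and that one carries the key: what MOMCertImport expects.
        EndEntityOnly    = ($col.Count -eq 1 -and $withKey.Count -eq 1)
        Subject          = $(if ($withKey.Count -gt 0) { $withKey[0].Subject } else { $null })
    }
}

# Usage (placeholders; elevated prompt on the machine holding the key):
# Export-EndEntityPfx -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -OutFile 'C:\export\agent.pfx' -Password 'P@ssw0rd'
# Test-PfxIsEndEntityOnly -PfxFile 'C:\export\agent.pfx' -Password 'P@ssw0rd'
#
# Running the check against a PFX produced by 'certutil -exportpfx' without modifiers
# reports CertificateCount greater than 1, i.e. the bundled chain this thread describes.
```

On Windows 8 / Windows Server 2012 and later the same result is available from the built-in cmdlet, `Export-PfxCertificate -Cert Cert:\LocalMachine\My\<thumbprint> -FilePath <file> -Password <SecureString> -ChainOption EndEntityCertOnly`; the .NET route above is what works on the older hosts the thread is about. Either way the file holds a private key, so treat it like one: a real passphrase, transfer over a protected channel, and delete it on both ends once MOMCertImport has imported it.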