Certificates, OpenSSL, Windows

Create .pem/.key/.crt Files from a .pfx Certificate Using OpenSSL on Windows

1. First off, go and get OpenSSL:

Once it is installed you should have a browsable file path to OpenSSL (i.e. C:\OpenSSL).

2. Obtain your PFX file and (for simplicity) place your PFX file in your OpenSSL directory.

(In this example we will assume we have a .pfx file called mycertificate.pfx and your OpenSSL directory is C:\OpenSSL)

3. Run this in command prompt (in your OpenSSL directory) to get the .pem file:

openssl pkcs12 -in mycertificate.pfx -out mypemfile.pem

You should now have a .pem file generated from your PFX file. It contains the certificate(s) and the private key; you are prompted for the PFX import password and then for a PEM pass phrase that encrypts the key in the output.

4. Run this in command prompt (in your OpenSSL directory) to extract the encrypted private key from the PFX file:

openssl pkcs12 -in mycertificate.pfx -nocerts -out myencryptedkey.key

You should now have the encrypted private key extracted from the PFX file. (The pkcs12 subcommand reads the PKCS#12 .pfx itself, not the .pem produced in step 3.)

5. Run this in command prompt (in your OpenSSL directory) to create a decrypted private key from the encrypted version:

openssl rsa -in myencryptedkey.key -out mydecryptedkey.key

You should now have the decrypted private key from your encrypted version. (For a non-RSA key, use the pkey subcommand in place of rsa.) This file holds the key in plaintext, so restrict access to it and remove it once it has been deployed.

6. Run this in command prompt (in your OpenSSL directory) to extract a .crt file from your PFX file:

openssl pkcs12 -in mycertificate.pfx -clcerts -nokeys -out certificate.crt

You should now have an extracted .crt file from the PFX file.

That’s it! You should now have encrypted/decrypted keys as well as your .pem and .crt versions of your original PFX files. Happy certificating (I need to coin that term). Questions are always welcome.
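The same conversion can be done without OpenSSL using the X509 and PEM APIs built into .NET, which also lets you check that the key you wrote out really belongs to the certificate. The program below is an added example, not part of the original post; it assumes .NET 7 or later (for ExportCertificatePem and ExportPkcs8PrivateKeyPem), a PFX holding an RSA or ECDSA key, and placeholder file names chosen to mirror the OpenSSL steps above.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the post's own code): .pfx -> PEM .crt and .key with .NET 7+ APIs,
// followed by a check that the exported private key matches the certificate's public key.
static class PfxToPem
{
    static int Main(string[] args)
    {
        // Placeholder paths; pass real ones on the command line: PfxToPem <pfx> <password>
        string pfxPath = args.Length > 0 ? args[0] : @"C:\OpenSSL\mycertificate.pfx";
        string pfxPassword = args.Length > 1 ? args[1] : "";
        string crtPath = "certificate.crt";
        string keyPath = "mydecryptedkey.key";

        // Exportable is required, otherwise Windows will not hand back the private key bytes.
        using var cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
        if (!cert.HasPrivateKey)
        {
            Console.Error.WriteLine("The PFX contains no private key.");
            return 1;
        }

        // Leaf certificate as PEM: the equivalent of the -clcerts -nokeys step.
        File.WriteAllText(crtPath, cert.ExportCertificatePem());

        // Unencrypted PKCS#8 private key as PEM: the equivalent of the openssl rsa step.
        // This file is plaintext key material; restrict access to it and delete it after use.
        using AsymmetricAlgorithm key =
            (AsymmetricAlgorithm?)cert.GetRSAPrivateKey() ?? cert.GetECDsaPrivateKey()
            ?? throw new CryptographicException("Unsupported key type (only RSA and ECDSA handled here).");
        File.WriteAllText(keyPath, key.ExportPkcs8PrivateKeyPem());

        // Verify the file that was actually written, not the in-memory object.
        bool ok = KeyMatchesCertificate(cert, File.ReadAllText(keyPath));
        Console.WriteLine(ok
            ? $"Wrote {crtPath} and {keyPath}; private key matches the certificate."
            : "ERROR: exported private key does not match the certificate.");
        return ok ? 0 : 2;
    }

    // Signs a random challenge with the PEM private key and verifies it with the
    // certificate's public key; true only if the two belong together.
    static bool KeyMatchesCertificate(X509Certificate2 cert, string privateKeyPem)
    {
        byte[] challenge = RandomNumberGenerator.GetBytes(32);

        using RSA? rsaPub = cert.GetRSAPublicKey();
        if (rsaPub != null)
        {
            using RSA rsaPriv = RSA.Create();
            rsaPriv.ImportFromPem(privateKeyPem);
            byte[] sig = rsaPriv.SignData(challenge, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return rsaPub.VerifyData(challenge, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }

        using ECDsa? ecPub = cert.GetECDsaPublicKey();
        if (ecPub != null)
        {
            using ECDsa ecPriv = ECDsa.Create();
            ecPriv.ImportFromPem(privateKeyPem);
            byte[] sig = ecPriv.SignData(challenge, HashAlgorithmName.SHA256);
            return ecPub.VerifyData(challenge, sig, HashAlgorithmName.SHA256);
        }
        return false;
    }
}
```

The sign-then-verify check is the same test the classic modulus comparison performs, but it works for ECDSA keys as well as RSA and it reads the key back from disk, so it catches a truncated or mis-encoded output file.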

Active Directory, C#, Certificates, Programming

Programmatically Install A Root CA Certificate So Users Don’t Have To (C#)

So here’s the backstory: I received the task of improving certificate enrollment so that users can

1) Be verified via username, password, captcha & verification pin

2) Auto Enroll without an external approval

3) Simplify the process

As some of you already know, ADCS via web enrollment is…how can we say…dated. So I wrote an application that sits in front of ADCS to first verify the user. Once they are through then the web enrollment is configured to let them run the wizard through to installing their cert. The issue that came to me is that most end-users will not take the time to ensure the root CA makes it to the trusted store (thus giving the classic CA cert is not installed message). So I received the order from on-high to “do it for them”. At first I struggled, attempting to understand how this could be done. I spoke with Microsoft and as I already was aware they indicated that having the user choose the trusted root store for the CA is by design. So what to do…ah I know, let’s just script it out.

So this is as simple as it gets. Download the cert, store it on the local drive and use the built-in certificate store (the same one certmgr.exe manages) to perform the root CA to trusted store installation. Here it is (this code is just a basic console app):

Code:

using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Download the CA certificate from the ADCS web enrollment endpoint to a local file.
WebClient webClient = new WebClient();
webClient.DownloadFile("https://yourserver.domain.com/CertSrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64", @"C:\Temp\certnew.cer");

// Open the machine-wide Trusted Root store for writing (requires local administrator rights).
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
X509Certificate2 cert = new X509Certificate2(@"C:\Temp\certnew.cer");
Console.WriteLine("We are now installing the CA certificate into the Trusted Root Certificate store ...");
store.Add(cert);
store.Close();
Console.WriteLine("Done! The CA certificate was successfully installed. Press any key to close.");
Console.ReadKey();

This finishes the root CA portion so they can fly through the rest of web enrollment. Hope this helps.
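Whatever lands in the LocalMachine Root store is trusted by every user and service on that machine, so the installer above is only as trustworthy as the download it performs. The version below is an added example, not the post's code: it adds the certificate only if it is self-issued, matches a SHA-256 fingerprint pinned in the binary (obtained out of band from the CA administrator), and is not already present. The URL mirrors the post; the pinned fingerprint value is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not the post's own code): hardened root CA installer with fingerprint pinning.
static class TrustedRootInstaller
{
    const string CaCertUrl =
        "https://yourserver.domain.com/CertSrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64";

    // Placeholder: replace with the SHA-256 fingerprint (hex) of the genuine root CA certificate.
    const string PinnedSha256 = "REPLACE_WITH_PINNED_SHA256_FINGERPRINT_HEX";

    static int Main()
    {
        byte[] raw;
        using (var http = new HttpClient())               // validates the server's TLS certificate
            raw = http.GetByteArrayAsync(CaCertUrl).GetAwaiter().GetResult();

        return InstallRootIfPinned(raw, PinnedSha256) ? 0 : 1;
    }

    // Returns true if the certificate is (now) in the LocalMachine Root store, false if rejected.
    static bool InstallRootIfPinned(byte[] encodedCert, string pinnedSha256)
    {
        X509Certificate2 cert;
        try
        {
            cert = new X509Certificate2(encodedCert);  // accepts DER or base64 (.cer with Enc=b64)
        }
        catch (CryptographicException e)
        {
            Console.Error.WriteLine($"Downloaded data is not a certificate: {e.Message}");
            return false;
        }

        using (cert)
        {
            // A root CA certificate is self-issued; never put anything else in the Root store.
            if (!string.Equals(cert.Subject, cert.Issuer, StringComparison.Ordinal))
            {
                Console.Error.WriteLine("Refusing: certificate is not self-issued.");
                return false;
            }

            // Pin check: a tampered download or a substituted CA fails here before any trust is granted.
            string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
            if (!string.Equals(actual, pinnedSha256, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine($"Refusing: fingerprint {actual} does not match the pinned value.");
                return false;
            }

            // Writing to LocalMachine\Root requires local administrator rights.
            using var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadWrite);

            bool alreadyPresent = store.Certificates
                .Find(X509FindType.FindByThumbprint, cert.Thumbprint, validOnly: false).Count > 0;
            if (alreadyPresent)
            {
                Console.WriteLine("Root CA is already trusted; nothing to do.");
                return true;
            }

            store.Add(cert);
            Console.WriteLine($"Installed root CA '{cert.Subject}' (SHA-256 {actual}).");
            return true;
        }
    }
}
```

Pinning the fingerprint in the application means the enrollment endpoint itself no longer has to be trusted to serve the right certificate, and logging the subject and hash at install time gives the helpdesk something to correlate when a machine later shows an unexpected trusted root.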