Tags: windows, powershell, openssl, pki, pfx

Convert a Vault PKI-issued certificate to PFX format to be stored in Windows



We have an internal Vault PKI used to generate certificates for Linux and Windows machines.
For Windows I'm using this package to communicate with the Vault API:

   <# ...
    code to deal with the authentication with the vault PKI
    ... #>
   # generate a certificate 
   $hostname=hostname
   $certData=Write-VltData "pki_int/issue/$hostname" -Data @{ ttl="1440h"; common_name=$hostname; }

(screenshot: the content of the issued certificate)

To store this certificate I need to convert it to .pfx format, so I have the following:


    # $certData is the object returned by Write-VltData above.
    # PowerShell 5.1 writes a byte-order mark with -Encoding UTF8; PEM files must be plain ASCII.
    $certData.certificate | Out-File "C:\certs\server.crt" -Encoding ascii -Force
    $certData.private_key | Out-File "C:\certs\server.key" -Encoding ascii -Force

and I've installed OpenSSL to convert the certificate and the private key to PFX format:


openssl pkcs12 -export -out C:\certs\server.pfx -inkey C:\certs\server.key -in C:\certs\server.crt -passout pass:
Import-PfxCertificate -FilePath C:\certs\server.pfx -CertStoreLocation Cert:\LocalMachine\My

but the last cmdlet throws this error: (screenshot: the result of the Import-PfxCertificate cmdlet)

I also tried to import the certificate manually, but I got the following window, which prompts for a password even though I didn't specify any during the conversion.

(screenshot: mmc.exe password prompt)

My question at last (I know you've been waiting too): how do I successfully import the PFX certificate? N.B.:

  • I'm working on a Windows Server 2016 machine
  • The PowerShell version is 5.1

Solution

  • I'm sorry for not updating this question; I got other stuff in the middle.
    So after struggling with this for hours, we found out that the version of Windows I was using, Windows Server 2016 with an OS build lower than 1703, doesn't support importing PFX certificates generated with AES256-SHA256 encryption, so we changed it to TripleDES-SHA1 at export time AND set the algorithm to SHA1, which wasn't set by default by the openssl command. The following command did the trick for us:

    openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg SHA1
    

    This command will prompt for a password that will be used later to export the PFX certificate to the Windows store; if you don't want any password, you can add the argument -passout pass: to the above command.
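The whole procedure from the question and the answer, put together as an added example. This is not the poster's or the answerer's code; it assumes openssl.exe is on PATH and that $Issued is the object returned by the poster's Write-VltData call, i.e. a Vault PKI "issue" response carrying .certificate, .private_key and .issuing_ca PEM strings. The function name Import-VaultIssuedCertificate and the work-directory layout are this example's own choices. It writes the PEM files without a byte-order mark, pins the legacy PBE and MAC algorithms the answer found to work, keeps the PFX password off the command line, imports the bundle, and checks that the certificate and its private key actually landed in the store before deleting the key material from disk.

```powershell
# Added example, not the poster's or answerer's code. Assumes: openssl.exe is on PATH, and
# $Issued is the object returned by the poster's Write-VltData call, i.e. a Vault PKI
# "issue" response with .certificate, .private_key and .issuing_ca PEM strings.
function Import-VaultIssuedCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] $Issued,                 # Vault pki_int/issue/<role> response
        [string] $WorkDir       = 'C:\certs',
        [string] $StoreLocation = 'Cert:\LocalMachine\My'
    )

    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $crt = Join-Path $WorkDir 'server.crt'
    $key = Join-Path $WorkDir 'server.key'
    $ca  = Join-Path $WorkDir 'issuing_ca.crt'
    $pfx = Join-Path $WorkDir 'server.pfx'

    # PEM must be plain ASCII. PowerShell 5.1's Out-File -Encoding UTF8 prepends a byte-order
    # mark, so write the files through the .NET API with an explicit ASCII encoding.
    [IO.File]::WriteAllText($crt, $Issued.certificate + "`n", [Text.Encoding]::ASCII)
    [IO.File]::WriteAllText($key, $Issued.private_key + "`n", [Text.Encoding]::ASCII)
    [IO.File]::WriteAllText($ca,  $Issued.issuing_ca  + "`n", [Text.Encoding]::ASCII)

    # Random one-time password for the PFX, handed to openssl through the environment so it
    # never appears on a command line (command lines are visible to other local users).
    $bytes = New-Object byte[] 24
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pfxPassword  = [Convert]::ToBase64String($bytes)
    $env:PFX_PASS = $pfxPassword
    try {
        # Per the answer, Windows Server 2016 builds below 1703 could not import a PFX built
        # with OpenSSL's current defaults (AES-256 with a SHA-256 MAC in OpenSSL 3.x), so pin
        # the SHA1/3DES PBE for key and certificate bags and a SHA1 MAC.
        # -certfile adds the Vault issuing CA so the chain travels with the leaf certificate.
        & openssl pkcs12 -export -out $pfx -inkey $key -in $crt -certfile $ca `
            -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 `
            -passout env:PFX_PASS
        if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 -export failed (exit code $LASTEXITCODE)" }

        # No -Exportable switch: the private key is stored non-exportable.
        $secure   = ConvertTo-SecureString -String $pfxPassword -AsPlainText -Force
        $imported = Import-PfxCertificate -FilePath $pfx -CertStoreLocation $StoreLocation -Password $secure
    }
    finally {
        Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
        # The PEM private key and the PFX are only needed for the conversion; do not leave
        # a plaintext or weakly wrapped copy of the key on disk.
        Remove-Item $key, $pfx -Force -ErrorAction SilentlyContinue
    }

    # Confirm the certificate landed together with its private key before trusting the result.
    $stored = Get-ChildItem $StoreLocation | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
    if (-not $stored)               { throw "certificate $($imported.Thumbprint) not found in $StoreLocation" }
    if (-not $stored.HasPrivateKey) { throw "certificate $($imported.Thumbprint) has no private key in the store" }
    return $stored
}

# Usage, with the poster's module call (Write-VltData is the poster's, not part of this example):
#   $hostname = hostname
#   $issued   = Write-VltData "pki_int/issue/$hostname" -Data @{ ttl = "1440h"; common_name = $hostname }
#   Import-VaultIssuedCertificate -Issued $issued
```

SHA1/3DES only wraps the container while it sits on disk for a few seconds, which is why the function deletes the PFX and the PEM key once the import has been verified rather than leaving them in C:\certs. If the import still fails, run `openssl pkcs12 -info -in C:\certs\server.pfx -noout -passin env:PFX_PASS` before the Import-PfxCertificate step; it prints the PBE algorithm of each bag, so you can confirm the bundle really was written with pbeWithSHA1And3-KeyTripleDES-CBC and not with the OpenSSL defaults.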