I have an app which imports one certificate stored in a PFX file and requires users to provide the alias of the one and only certificate to import. Some users maintain their certificates using the Windows cert store and export them from there into PFX files and want to upload those files into my app in the end. Certs are exported either manually using certmgr.msc or e.g. using some PowerShell script using Export-PfxCertificate.
The problem is that alias names generated in both ways seem to be unpredictable GUIDs or something. Though, when exporting the same certificate over and over again, the alias name is stable and doesn't seem to change at all. OTOH, it doesn't seem to be that easy to apply some alias name in the cert store and export using that, Windows still generates something looking like a GUID. Additionally, I don't see any argument to Export-PfxCertificate to specify a custom alias name.
C:\Users\tschoening>keytool -v -list -storetype pkcs12 -keystore Desktop\tschoening_ps.pfx
Keystore-Kennwort eingeben:
Keystore-Typ: PKCS12
Keystore-Provider: SUN
Keystore enthält 1 Eintrag
Aliasname: 2fb763d2-f1fa-4820-8caf-f73e011ee4d1
For different tested certificates the alias even looks slightly different:
Aliasname: {a16a26b0-7d2e-4366-95b9-40f06b45b578}
certutil provides similar output:
C:\Users\tschoening>certutil -v -dumpPFX Desktop\tschoening.pfx
[...]
Attribut[1]: 1.2.840.113549.1.9.20 (szOID_PKCS_12_FRIENDLY_NAME_ATTR)
Wert [1][0], Länge = 4a
CryptFormatObject: Keine integrierte Formatierungshilfe
2fb763d2-f1fa-4820-8caf-f73e011ee4d1
0000 1e 48 00 32 00 66 00 62 00 37 00 36 00 33 00 64 .H.2.f.b.7.6.3.d
0010 00 32 00 2d 00 66 00 31 00 66 00 61 00 2d 00 34 .2.-.f.1.f.a.-.4
0020 00 38 00 32 00 30 00 2d 00 38 00 63 00 61 00 66 .8.2.0.-.8.c.a.f
0030 00 2d 00 66 00 37 00 33 00 65 00 30 00 31 00 31 .-.f.7.3.e.0.1.1
0040 00 65 00 65 00 34 00 64 00 31 .e.e.4.d.1
0000: 1e 48 ; UNICODE_STRING (48 Bytes)
0002: 00 32 00 66 00 62 00 37 00 36 00 33 00 64 00 32 ; .2.f.b.7.6.3.d.2
0012: 00 2d 00 66 00 31 00 66 00 61 00 2d 00 34 00 38 ; .-.f.1.f.a.-.4.8
0022: 00 32 00 30 00 2d 00 38 00 63 00 61 00 66 00 2d ; .2.0.-.8.c.a.f.-
0032: 00 66 00 37 00 33 00 65 00 30 00 31 00 31 00 65 ; .f.7.3.e.0.1.1.e
0042: 00 65 00 34 00 64 00 31 ; .e.4.d.1
; "2fb763d2-f1fa-4820-8caf-f73e011ee4d1"
So, how does Windows calculate that alias? Is there any way to provide a custom alias during export?
The alias is generated from the key's unique identifier:
# Select the certificate by thumbprint (run from a certificate provider path, e.g. Cert:\CurrentUser\My)
$CertObject = Get-ChildItem .\13CEF3D48F1287173401CE1B189C161F46585F1F
# Get the CNG private key object that belongs to the certificate
$rsaCert = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($CertObject)
# The key container name is what ends up as the alias in the exported PFX
$rsaCert.key.KeyName
{6E9844BC-51A1-408E-A421-2D53B253C8B4}
Obviously, the values will be different for you.
As far as I know, the only way to change it would be to use some third-party tool such as OpenSSL.
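To make both posts concrete, here is an added Python example (it is not code from the question, the answer, Windows or OpenSSL). It decodes the friendlyName value from the certutil dump in the question and builds the complete PKCS#12 friendlyName attribute (OID 1.2.840.113549.1.9.20, the szOID_PKCS_12_FRIENDLY_NAME_ATTR shown above) for a custom alias, which is the attribute a re-export with a third-party tool such as OpenSSL's `pkcs12 -export -name <alias>` writes into the key and certificate bags. The OID and the hex bytes come from the question; the DER helpers and the sample alias `my-alias` are this example's own.

```python
"""Decode and build the PKCS#12 friendlyName attribute (OID 1.2.840.113549.1.9.20).

Added illustration, not code from the question, the answer, Windows or OpenSSL.
The hex bytes are copied from the certutil dump in the question; the DER helpers
cover only the small ASN.1 subset this attribute needs.
"""

BMPSTRING_TAG = 0x1E   # universal tag 30: BMPString, i.e. UTF-16BE text (0x06 OID, 0x30 SEQUENCE, 0x31 SET)
FRIENDLY_NAME_OID = "1.2.840.113549.1.9.20"   # szOID_PKCS_12_FRIENDLY_NAME_ATTR

# Value bytes exactly as certutil printed them in the question: tag 1e, length 48, UTF-16BE.
CERTUTIL_DUMP = bytes.fromhex("""
1e 48 00 32 00 66 00 62 00 37 00 36 00 33 00 64
00 32 00 2d 00 66 00 31 00 66 00 61 00 2d 00 34
00 38 00 32 00 30 00 2d 00 38 00 63 00 61 00 66
00 2d 00 66 00 37 00 33 00 65 00 30 00 31 00 31
00 65 00 65 00 34 00 64 00 31
""")


def encode_length(n: int) -> bytes:
    """DER length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_length(buf: bytes, pos: int) -> tuple:
    """Return (length, offset of first content byte); reject non-minimal or truncated forms."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + count], "big")
    if length < 0x80 or (count > 1 and buf[pos + 1] == 0):
        raise ValueError("non-minimal DER length")
    return length, pos + 1 + count


def decode_tlv(buf: bytes, pos: int, expected_tag: int) -> tuple:
    """Return (content, offset after the element) for one DER element with the given tag."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError("unexpected tag at offset %d" % pos)
    length, start = decode_length(buf, pos + 1)
    if start + length > len(buf):
        raise ValueError("truncated element")
    return buf[start:start + length], start + length


def encode_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(content)) + content


def encode_bmpstring(text: str) -> bytes:
    """BMPString holds only code points up to U+FFFF, two bytes each."""
    if any(ord(ch) > 0xFFFF for ch in text):
        raise ValueError("alias contains characters outside the BMP")
    return encode_tlv(BMPSTRING_TAG, text.encode("utf-16-be"))


def decode_bmpstring(buf: bytes) -> str:
    content, end = decode_tlv(buf, 0, BMPSTRING_TAG)
    if end != len(buf) or len(content) % 2:
        raise ValueError("malformed BMPString")
    return content.decode("utf-16-be")


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]          # base-128 groups, least significant first
        arc >>= 7
        while arc:
            groups.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(groups))  # most significant first, continuation bit on all but last
    return encode_tlv(0x06, bytes(body))


def encode_friendly_name_attribute(alias: str) -> bytes:
    """Attribute ::= SEQUENCE { type OID, values SET OF BMPString }, as stored in a PFX bag."""
    values = encode_tlv(0x31, encode_bmpstring(alias))
    return encode_tlv(0x30, encode_oid(FRIENDLY_NAME_OID) + values)


def decode_friendly_name_attribute(buf: bytes) -> str:
    """Inverse of encode_friendly_name_attribute; raises if the OID is not friendlyName."""
    seq, end = decode_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after attribute")
    oid_body, pos = decode_tlv(seq, 0, 0x06)
    if encode_tlv(0x06, oid_body) != encode_oid(FRIENDLY_NAME_OID):
        raise ValueError("not a friendlyName attribute")
    values, pos = decode_tlv(seq, pos, 0x31)
    if pos != len(seq):
        raise ValueError("trailing bytes inside attribute")
    return decode_bmpstring(values)


if __name__ == "__main__":
    print("alias in the question's PFX:", decode_bmpstring(CERTUTIL_DUMP))
    print("attribute for a custom alias:", encode_friendly_name_attribute("my-alias").hex())
```

Run as a script it prints the GUID alias recovered from the dump and the DER bytes a tool writes for `my-alias`. The braces in the second keytool listing in the question are simply part of the stored string, so both variants decode the same way. Note that this attribute only labels the bag: rewriting it with another tool changes nothing about the key material or the certificate, which is why a re-export under a chosen alias is a safe way to satisfy an importer that asks for one.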