CRYPT_E_NOT_FOUND when importing certificate

Submitted by 烈酒焚心 on 2020-01-03 17:34:16

Question


I'm trying to automate the process of generating a certificate signing request and then importing the response from the CA on a Windows Server 2012 R2 server to use as a cert for an SSL binding in IIS. I'm able to generate the CSR, which I then provide to the security team, which then provides me with a response to import, but I am having trouble getting it to import.

This server is in a workgroup. Thought I'd mention that so no AD enrollment policy.

Here's my process:

  1. Generate a CSR with certreq.exe on the server in question. An INF file is generated that looks something like this:
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=US,S=California,L=City,O=Company,OU=IT,CN=hostname"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Silent = True
SMIME = False
RequestType = PKCS10

This INF file then gets turned into the CSR .req file by doing this:

certreq.exe -new "C:\inffile.inf" "C:\certreq.req"

The REQ file gets sent to the security team and they give me back a .CER file, which, when imported manually, actually adds three certificates from Digicert. The certificate I expect and what looks to be some intermediate CAs.

Here's what that looks like when imported via the MMC Certificates snapin.

If I import the certificate via the MMC like this it doesn't show up in the IIS manager under Server Certificates, so I looked a little deeper. I tried to complete the certificate signing request via the IIS manager like this and the cert shows up and I'm happy.

However, I can't use the GUI since I'm using a script.

I confirm that the request is in Certificate Enrollment Requests with the private key.

I confirm that the public key of the CSR and the p7b I got back are the same.

certutil -dump issuedcert.cer
certutil -dump certreq.req

PROBLEM: I exported the CSR from Certificate Enrollment Requests and looked at the public key. It was NOT the same as the one in issuedcert.cer. It looks like this is the problem but why?

I then try to use certreq.exe to accept the response and it doesn't work.

certreq.exe -accept -machine "C:\issuedcert.cer"

Almost done, but no. I continually receive this error message:

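The same certreq steps, driven from a script that checks certreq's exit code so a failed -accept is reported rather than silently passed over. This is an added example and not code from the original question; the subject, file paths and CN filter are assumed values.

```powershell
# Added example, not part of the original question: runs the certreq steps from PowerShell
# and checks certreq's exit code so a failed -accept is reported instead of ignored.
# The subject, file paths and CN filter below are assumed values.
$Subject = "C=US,S=California,L=City,O=Company,OU=IT,CN=hostname"
$InfPath = "C:\inffile.inf"
$ReqPath = "C:\certreq.req"
$CerPath = "C:\issuedcert.cer"   # the response file the CA team hands back

function New-MachineCsr {
    param([string]$Subject, [string]$InfPath, [string]$ReqPath)
    # Same INF as in the question; the key pair is created in the LocalMachine key store
    # and a pending request is recorded under Cert:\LocalMachine\REQUEST.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Silent = True
SMIME = False
RequestType = PKCS10
"@
    Set-Content -Path $InfPath -Value $inf -Encoding ASCII
    $output = & certreq.exe -new $InfPath $ReqPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit $LASTEXITCODE): $output" }
    Get-Item -Path $ReqPath
}

function Complete-MachineCsr {
    param([string]$CerPath, [string]$CnFilter)
    # -accept looks for a pending request whose public key matches the issued certificate;
    # CRYPT_E_NOT_FOUND (0x80092004) means no such request exists in the machine store.
    $output = & certreq.exe -accept -machine $CerPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit $LASTEXITCODE): $output" }
    # On success the certificate sits in LocalMachine\My with its private key, which is what IIS needs
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like $CnFilter } | Select-Object -First 1
    if (-not $cert -or -not $cert.HasPrivateKey) { throw "certificate not found in LocalMachine\My with a private key" }
    $cert
}

# Step 1: generate the CSR and send $ReqPath to the CA.
New-MachineCsr -Subject $Subject -InfPath $InfPath -ReqPath $ReqPath
# Step 2, once the response is back: accept it and confirm the key is attached.
# Complete-MachineCsr -CerPath $CerPath -CnFilter "*CN=hostname*"
```

Keeping the two steps as separate functions matters because the CA response usually arrives later; the pending request in the REQUEST store is what ties the two runs together, so nothing should delete or regenerate it in between.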

Answer 1:


This error indicates that certreq was unable to find the related request object in the Certificate Enrollment Requests node in the certificate store.

In addition, I would suggest checking whether the public key in the certificate request matches the one in the issued certificate. You can use the certutil -dump file.req command to dump the request file (it will include the public key) and certutil -dump cert.cer to dump the issued certificate, then compare the public keys. Do the same for each object in the Certificate Enrollment Requests node in the certificate store (focused on the Local Machine context) to find the request object with the matching public key.
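The comparison this answer describes, done programmatically: the leaf certificate is pulled out of the CA's response bundle and its public key is compared with every pending request in Cert:\LocalMachine\REQUEST (the Certificate Enrollment Requests node). This is an added example, not code from the answer; $CerPath is an assumed location.

```powershell
# Added example, not part of the answer: compares the public key of the leaf certificate in the
# CA's response with every pending request in Cert:\LocalMachine\REQUEST. $CerPath is assumed.
$CerPath = "C:\issuedcert.cer"

function Get-IssuedLeaf {
    param([string]$Path)
    # The response may be a PKCS#7 bundle (leaf plus intermediates); load everything it holds
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($Path)
    # The leaf is the only certificate that is not the issuer of another one in the bundle
    $issuers = @($bundle | ForEach-Object { $_.Issuer })
    $bundle | Where-Object { $issuers -notcontains $_.Subject } | Select-Object -First 1
}

function Get-PublicKeyId {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # SHA-256 over the raw subjectPublicKey bits, so keys compare as short hex strings
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash($Cert.PublicKey.EncodedKeyValue.RawData)
    ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

function Find-MatchingRequest {
    param([string]$ResponsePath)
    $leaf = Get-IssuedLeaf -Path $ResponsePath
    if (-not $leaf) { throw "no end-entity certificate found in $ResponsePath" }
    $wanted = Get-PublicKeyId -Cert $leaf
    Write-Host "Issued:  $($leaf.Subject)`n  key id $wanted"
    # Each pending request is kept as a placeholder certificate carrying the CSR's public key
    $pending = @(Get-ChildItem -Path Cert:\LocalMachine\REQUEST)
    foreach ($req in $pending) {
        Write-Host "Pending: $($req.Subject)`n  key id $(Get-PublicKeyId -Cert $req)"
    }
    $match = $pending | Where-Object { (Get-PublicKeyId -Cert $_) -eq $wanted }
    if (-not $match) {
        Write-Warning "No pending request carries the issued certificate's public key; certreq -accept will fail with CRYPT_E_NOT_FOUND."
    }
    $match
}

Find-MatchingRequest -ResponsePath $CerPath
```

If the script prints pending requests but none matches, the CSR that was sent to the CA was generated from a different key pair than the one still in the store (for example the request was regenerated, or made on another machine), and no amount of re-running -accept will fix it; the CSR has to be regenerated and re-submitted.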




Answer 2:


Here is the function I've used in the past:

function AddCertificate(
    [string] $MachineName,
    [string] $CertString, # String to search for in the certificate store to get the correct thumbprint
    [string] $SiteName,   # Site name to bind the certificate to
    [string] $certname,   # File name of the certificate
    [string] $certPass,   # Password for the certificate
    [string] $certPath)   # Path on the machine where this script runs that contains the certificate; must not have a trailing \
{
    $Protocol = "https"
    $destinationFolder = "c$\temp\pfx-files"
    $servers = $MachineName
    $session = New-PSSession -ComputerName $servers
    # Create the staging folder on each target and copy the PFX files over the admin share
    $servers | ForEach-Object { if (!(Test-Path -Path ("\\$_\" + $destinationFolder))) { New-Item ("\\$_\" + $destinationFolder) -Type Directory } }
    $servers | ForEach-Object { Copy-Item -Force -Path ($certPath + "\*.*") -Destination ("\\$_\" + $destinationFolder) }
    # Path of the PFX as seen from the remote machine
    $remoteCertPath = "c:\temp\pfx-files\" + $certname
    # Import the PFX into the LocalMachine store; a remote script block only sees values passed via -ArgumentList
    Invoke-Command -Session $session -ScriptBlock { param($certPass, $remoteCertPath) certutil -p $certPass -importpfx $remoteCertPath } -ArgumentList $certPass, $remoteCertPath
    # Remove the PFX (it carries the private key) now that it has been imported
    $servers | ForEach-Object { Remove-Item -Path (("\\$_\" + $destinationFolder) + "\*.pfx") }
    Invoke-Command -Session $session -ScriptBlock { Import-Module WebAdministration }
    $isBound = Invoke-Command -Session $session -ScriptBlock { Get-WebBinding }
    if (-not ($isBound | Where-Object { $_.protocol -eq $Protocol }))
    {
        Invoke-Command -Session $session -ScriptBlock { param([string] $S, [string] $Protocol) New-WebBinding -Name $S -Protocol $Protocol -Port 443 -IPAddress "*" -SslFlags 0 } -ArgumentList $SiteName, $Protocol
        # Look up the thumbprint of the imported certificate by subject, then bind it to port 443
        $certThumb = Invoke-Command -Session $session -ScriptBlock { param([string] $CertString) Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like $CertString } | Select-Object -ExpandProperty Thumbprint } -ArgumentList $CertString
        Invoke-Command -Session $session -ScriptBlock { param([string] $Thumb) Get-Item -Path "cert:\localmachine\my\$Thumb" | New-Item -Path IIS:\SslBindings\0.0.0.0!443 } -ArgumentList $certThumb
    }
    Remove-PSSession $session
}



Answer 3:


Adam, try to rename your .cer to .p7b and try certreq -accept file.p7b.

Certreq seems to look for the file extension to determine the file type. It supports p7b files for -accept according to the MS docs.




Answer 4:


The problem might be that the DigiCert Root CA is not trusted on your Windows 2012 system. Try to import it manually into the Trusted Root Authorities in the LocalMachine store.

Then I would check if there is still a request in Certificate Enrollment Requests in LocalMachine store using MMC.

If there is, then it should work fine to just import the given certificate into the LocalMachine/My store (in MMC the name is Personal).

If there is not a request there, then import the certificate into the LocalMachine/My store. Then run certutil -store my in cmd. It will go through all certificates in LocalMachine/My, display information about them and try to do an encryption test. I assume that all encryption tests will fail. The important thing is to get the index of your certificate (certificates begin with index 0). Find the number of the certificate and then use the command

certutil -repairstore -csp "Microsoft RSA SChannel Cryptographic Provider" my {index of the certificate}

This will try to repair the connection between the certificate and the private key. When you run certutil -store my again you should see the encryption test pass.
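The repair this answer describes, scripted so that the certificate is addressed by thumbprint instead of by the index printed by certutil -store, which avoids picking a neighbouring entry when the store changes. This is an added example, not code from the answer; the CN filter and CSP name are assumed values.

```powershell
# Added example, not part of the answer: checks whether a certificate already in LocalMachine\My
# is linked to its private key and, if not, runs certutil -repairstore against it by thumbprint.
# The CN filter and CSP name are assumed values.
$CnFilter = "*CN=hostname*"
$Csp = "Microsoft RSA SChannel Cryptographic Provider"

function Repair-CertificateKeyLink {
    param([string]$CnFilter, [string]$Csp)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like $CnFilter } | Select-Object -First 1
    if (-not $cert) { throw "no certificate matching $CnFilter in LocalMachine\My" }
    if ($cert.HasPrivateKey) {
        Write-Host "$($cert.Thumbprint) already has its private key; nothing to repair"
        return $cert
    }
    # certutil accepts a SHA-1 thumbprint as the certificate id for -repairstore;
    # -csp names the provider whose key containers it should search for the matching key
    $output = & certutil.exe -repairstore -csp $Csp my $cert.Thumbprint 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit $LASTEXITCODE): $output" }
    # Re-read the store entry; the object already in hand does not reflect the repair
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw "repair ran but no private key is linked; the key pair may not exist in the machine store" }
    Write-Host "$($cert.Thumbprint) is now linked to its private key"
    $cert
}

Repair-CertificateKeyLink -CnFilter $CnFilter -Csp $Csp
```

HasPrivateKey is the same property IIS Manager relies on when listing Server Certificates, so a certificate that reports $true here will appear there; one that stays $false after the repair means the private key was never generated in the machine context (for example the CSR was made in a user context or on another host), and no repair can conjure it.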



Source: https://stackoverflow.com/questions/33129110/crypt-e-not-found-when-importing-certificate
