CRYPT_E_NOT_FOUND when importing a certificate

I am trying to automate the process of creating a certificate signing request and then importing the response from the CA on a Windows Server 2012 R2 server, to use as a certificate for an SSL binding in IIS. I can create a CSR, which I then provide to the security team, who then give me a response to import, but I have problems importing it.

This server is in a workgroup. I think I should mention that there is no AD enrollment policy.

Here is my process:

  • Create a CSR using certreq.exe on the appropriate server. An INF file is created that looks something like this:
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=US,S=California,L=City,O=Company,OU=IT,CN=hostname"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
Silent = True
SMIME = False
RequestType = PKCS10

This INF file is then converted to a CSR (.req file) by running the following:

certreq.exe -new "C:\inffile.inf" "C:\certreq.req"

REQ , .CER, Digicert. , , , .

snapin MMC.


MMC, , IIS , . IIS, , , .


, script.

, .


, CSR p7b, , .

certutil -dump issuedcert.cer
certutil -dump certreq.req

: CSR . , . , , ?

certreq.exe, , .

certreq.exe -accept -machine "C:\issuedcert.cer"

, . :

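An added example (PowerShell; not code from the question or from any of the answers) that, before calling certreq -accept, looks for the pending request whose public key matches the issued .cer, and afterwards confirms the certificate in My is linked to its private key. It assumes certreq keeps the placeholder for a pending request in the REQUEST store ("Certificate Enrollment Requests") of the location where the CSR was created, so a .cer with no matching placeholder is exactly the case that ends in CRYPT_E_NOT_FOUND.

```powershell
# Added example, not code from the question or the answers. Before running
# "certreq -accept", find the pending request whose public key matches the
# issued certificate, then verify the result in the My store.
# Assumption: certreq keeps the placeholder for a pending request in the
# REQUEST store ("Certificate Enrollment Requests") of the location it was
# created in, so a .cer without a matching placeholder gives CRYPT_E_NOT_FOUND.
param([Parameter(Mandatory = $true)][string] $IssuedCerPath)

function Get-PendingRequestForCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Issued)
    # The placeholder carries the same public key as the CSR, so compare keys.
    $issuedKey = [Convert]::ToBase64String($Issued.GetPublicKey())
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $storePath = "Cert:\$location\REQUEST"
        if (-not (Test-Path -Path $storePath)) { continue }
        foreach ($pending in Get-ChildItem -Path $storePath) {
            if ([Convert]::ToBase64String($pending.GetPublicKey()) -eq $issuedKey) {
                return [pscustomobject]@{ Location = $location; Placeholder = $pending }
            }
        }
    }
    return $null
}

$issued  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $IssuedCerPath
$request = Get-PendingRequestForCert -Issued $issued
if ($null -eq $request) {
    # Nothing in either REQUEST store has this public key: the CSR was
    # regenerated, or the key was created under a different account/location.
    throw "No pending request matches $($issued.Thumbprint) ($($issued.Subject)); certreq -accept would fail with CRYPT_E_NOT_FOUND."
}
Write-Host "Pending request found in $($request.Location); HasPrivateKey=$($request.Placeholder.HasPrivateKey)"

# Pass -machine only when the request really lives in the machine store.
if ($request.Location -eq 'LocalMachine') { certreq.exe -accept -machine $IssuedCerPath }
else                                       { certreq.exe -accept $IssuedCerPath }
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

# Do not trust the exit code alone: the certificate must now be in My for the
# same location and be linked to its private key, or IIS cannot bind it.
$installed = Get-ChildItem -Path "Cert:\$($request.Location)\My" |
    Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if ($null -eq $installed -or -not $installed.HasPrivateKey) {
    throw "Certificate $($issued.Thumbprint) has no linked private key; try: certutil -repairstore my $($issued.Thumbprint)"
}
Write-Host "Certificate installed with its private key; ready for the IIS binding."
```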

+4
4

, certreq node .

, , . certutil -dump file.req ( ) cerutil -dump cert.cer, . node ( ), .

+1

, :

function AddCertificate(
    [string] $MachineName,
    [string] $CertString, # String to search for in the certificate store to get the correct thumbprint
    [string] $SiteName,   # Site name to bind the certificate to
    [string] $certname,   # File name of the certificate
    [string] $certPass,   # Password for the certificate
    [string] $certPath)   # Path on the machine where this script runs that contains the certificate; must not have a trailing \
{
    $Protocol = "https"
    $destinationFolder = "c$\temp\pfx-files"
    $servers = $MachineName
    $session = New-PSSession -ComputerName $servers
    # Copy the .pfx to the target machine over the admin share
    $servers | ForEach-Object { if (!(Test-Path -Path ("\\$_\" + $destinationFolder))) { New-Item ("\\$_\" + $destinationFolder) -Type Directory } }
    $servers | ForEach-Object { Copy-Item -Force -Path ($certPath + "\*.*") -Destination ("\\$_\" + $destinationFolder) }
    # Path of the .pfx as seen from the target machine
    $remoteCertPath = "c:\temp\pfx-files" + "\" + $certname
    # Local variables are not visible inside the remote script block unless passed with -ArgumentList
    Invoke-Command -Session $session -ScriptBlock { param($certPass, $certPath) certutil -p $certPass -importpfx $certPath } -ArgumentList $certPass, $remoteCertPath
    $servers | ForEach-Object { Remove-Item -Path (("\\$_\" + $destinationFolder) + "\*.pfx") }
    Invoke-Command -Session $session { Import-Module WebAdministration }
    $isBound = Invoke-Command -Session $session { Get-WebBinding }
    # Only add an https binding if the site does not already have one
    if (-not ($isBound | Where-Object { $_.protocol -eq "https" }))
    {
        Invoke-Command -Session $session -ScriptBlock { param([string] $S, [string] $Protocol) New-WebBinding -Name $S -Protocol $Protocol -Port 443 -IPAddress "*" -SslFlags 0 } -ArgumentList $SiteName, $Protocol
        # $CertShop stays defined for the next Invoke-Command because the same persistent session is reused
        Invoke-Command -Session $session -ScriptBlock { param([string] $CertString) $CertShop = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like $CertString } | Select-Object -ExpandProperty Thumbprint } -ArgumentList $CertString
        Invoke-Command -Session $session -ScriptBlock { Get-Item -Path "cert:\LocalMachine\My\$CertShop" | New-Item -Path IIS:\SslBindings\0.0.0.0!443 }
    }
    # Exit-PSSession only leaves an interactive session; the session created above must be removed explicitly
    Remove-PSSession -Session $session
}
0

, .cer7.p7b certreq -accept file.p7b.

Certreq, , . p7b -accept MS.

0

, DigiCert Root CA Windows 2012. LocalMachine.

, LocalMachine MMC.

, , LocalMachine/My store ( MMC )

, LocalMachine/My store. certutil -store my cmd. LocalMachine/My, . , . , ( 0). ,

certutil -repairstore -csp "Microsoft RSA SChannel Cryptographic Provider" my {index of the certificate}

. certutil -store my .

0

Source: https://habr.com/ru/post/1611634/
