Export installed certificate and private key from a command line remotely in Windows using something besides the certmgr.msc tool

4

I need to be able to remotely export an installed computer certificate with the full certificate chain and private keys on a Windows server. The cert is used for IIS, and I want to use it for an apache instance running on the same server.

I know how to do this manually with the certmgr.msc MMC snap-in tool, but how can this be done from a command line or from a remote machine on the same domain?

I also know how to view just the certificate with openssl s_client. Can that be used to save both the certificate and private key for importing to a Java keystore file?

Certmgr via RDP is too slow for what I need. I need a scripting solution.

My environment is all Windows Server 2008 R2. PowerShell remoting is not on, but I can get it on.

I have confirmed that I cannot use the PowerShell Export-PfxCertificate, because my servers are not new enough...

So, if I can use PowerShell to get the thumbprint of the certificate I want, I can then feed it to the "certutil -exportpfx" command. I have confirmed that will work.

How do I dir the certificate store like, "dir cert:\localmachine\my | Where-Object { $_.hasPrivateKey } | " AND then feed that to the certutil export with the thumbprint?

OR, could I do the dir first and tell it to only print out the thumbprint and not the whole thing? Then save that to a file, and read the file and make the certutil command?

user1991791

Posted 2015-03-13T11:45:49.053

Reputation: 75

Answers

3

See Stack Overflow question Export certificate from IIS using PowerShell.

If the answer works for you, then you can run PowerShell code on remote server using PSRemoting (Enter-PSSession or Invoke-Command) or psexec.

Does anyone know how to dir the cert store like, "dir cert:\localmachine\my | Where-Object { $_.hasPrivateKey } | " AND then feed that to the certutil export with the thumbprint?

Try this, works for me:

```powershell
# Enumerate the machine's personal store, keep only certificates that
# have a private key, and export each one with certutil.
Get-ChildItem -Path 'Cert:\localmachine\My' |
    Where-Object { $_.hasPrivateKey } |
    Foreach-Object {
        # -p sets the PFX password; the thumbprint identifies the certificate
        & certutil.exe @('-exportpfx', '-p', 'secret', $_.Thumbprint, "$($_.Subject).pfx")
    }
```

Beware that sometimes you won't be able to use Subject as a file name, due to invalid foreign-language characters in the Unicode.

beatcracker

Posted 2015-03-13T11:45:49.053

Reputation: 2 334

That is pretty darn close, but for my specific purpose it actually doesn't work. When I first do a PS Remote connection with Enter-PSSession, and then run the certutil -exportpfx, THAT works. I get a pfx file that, when I import it with Java keytool to a keystore file, the application that uses it is happy. When I use that PS code I do get a valid pfx file, but it is missing something... The file is a little smaller and when I import it to the keystore file, it mostly works, BUT the application says that the certificate is Pending Approval. – user1991791 – 2015-03-13T15:20:09.663

I think that PS command is not getting the whole cert chain? The certutil command works, but it's not nearly as elegant as this PS command. The PS command will both find the cert I need and export it, while with the certutil I have to first find the cert by its crazy long guid name. – user1991791 – 2015-03-13T15:24:21.173

So, I just need to figure out how to run that PS command with ChainOption -Force and Extended Properties.. https://technet.microsoft.com/en-us/library/hh848635.aspx – user1991791 – 2015-03-13T15:29:05.240

I'm not sure that Export-PfxCertificate will work for you, because this page says it applies to: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2. And you're using 2008 R2. – beatcracker – 2015-03-13T15:31:32.220

Is it possible to feed the first half, the cert store dir Foreach-Object, to the certutil command? – user1991791 – 2015-03-13T15:52:31.457

Yes, I've updated my answer, see if it works for you. – beatcracker – 2015-03-13T16:03:44.553

Oh snap, I have a good feeling about that.. How would I save the pfx to the root of d:\ ? like "d:$($_.Subject).pfx") – user1991791 – 2015-03-13T16:12:37.237

Yep, $($_.Subject) is the certificate's subject; anything else around it in quotes is just strings to form a path. So you can do: "d:\my\favorite\folder\$($_.Subject).pfx". – beatcracker – 2015-03-13T16:21:15.123

Ohh heck yeah. That works perfectly. The cert is now recognized as signed and fully valid when I import to the Java keystore file. THANK YOU! THANK YOU! THANK YOU! YOU ROCK! HAVE A GREAT DAY! – user1991791 – 2015-03-13T16:32:10.650

2

Do this in PowerShell to export the cert from a long list of Windows servers remotely. $servers is a list of servers.

```powershell
# Run the export on every server in $servers and pull the resulting PFX
# back over the administrative share into C:\<server>.pfx.
foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock {
        Get-ChildItem -Path 'Cert:\localmachine\My' |
            Where-Object { $_.hasPrivateKey } |
            Foreach-Object {
                # -f overwrites an existing file, -p sets the PFX password
                & certutil.exe @('-exportpfx', '-f', '-p', 'your_password', $_.Thumbprint, "d:\$($_.Subject).pfx")
            }
    }
    Move-Item -Path \\$server\d$\*.pfx -Destination C:\$server.pfx -Force
}
```

Use Java keytool.exe to turn each pfx file into a JKS keystore file. Keytool is part of every Java installation. You can do this on your local machine or on the remote server if it already has Java installed.

```powershell
keytool.exe -importkeystore -srckeystore C:\server1.pfx -destkeystore C:\server1.jks -srcstoretype pkcs12 -deststoretype JKS -srcstorepass your_password -deststorepass your_password
```

You can also run this with PowerShell ($server is the name of the server; $pfxPassword is a variable holding the password we use to encrypt the file):

```powershell
foreach ($server in $servers) {
    # $pfxPassword holds the PFX password. Do not name this variable $pwd:
    # $pwd is PowerShell's automatic current-directory variable, so keytool
    # would receive a path instead of the password.
    & "C:\Program Files\Java\jre6\bin\keytool.exe" -importkeystore -srckeystore C:\$server.pfx -destkeystore C:\$server.jks -srcstoretype pkcs12 -deststoretype JKS -srcstorepass $pfxPassword -deststorepass $pfxPassword
}
```

user1991791

Posted 2015-03-13T11:45:49.053

Reputation: 75
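The two answers above leave two loose ends that the comment thread ran into: a Subject that is not a legal file name, and an exported PFX that turns out to be missing its chain only after it has been imported into a Java keystore. The following is an added example, not code from either answer, that combines the multi-server loop with a file-name sanitiser and a post-export check which opens each PFX with .NET and reports how many certificates it holds and whether the leaf still carries its private key. It assumes certutil.exe is on the PATH of each target, that the caller is a local administrator there, and that `$servers`, `$exportRoot` and `$pfxPassword` are placeholders you replace; the function names `ConvertTo-SafeFileName` and `Test-PfxExport` are my own.

```powershell
# Added example (not from the original answers). Placeholders: replace the
# three values below with your own host names, export folder and password.
$servers     = @('server1', 'server2')   # placeholder host names
$exportRoot  = 'D:\pfx-export'           # placeholder folder on each remote host
$pfxPassword = 'change-me'               # placeholder; deliberately not named $pwd

$exportBlock = {
    param($exportRoot, $pfxPassword)

    # Replace every character that is illegal in a Windows file name. A Subject
    # such as "CN=www.example.com, O=Example" contains '=' and ',' (legal) but
    # can also contain '/', '"' or non-ASCII characters that break the path.
    function ConvertTo-SafeFileName([string] $name) {
        $invalid = [regex]::Escape(-join [IO.Path]::GetInvalidFileNameChars())
        return ($name -replace "[$invalid]", '_')
    }

    # Open the PFX with .NET and count what is inside, so an export that lost
    # its chain or its private key is caught before it reaches a Java keystore.
    function Test-PfxExport([string] $path, [string] $password) {
        $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $coll.Import($path, $password, 'DefaultKeySet')
        $withKey = @($coll | Where-Object { $_.HasPrivateKey })
        New-Object PSObject -Property @{
            Path          = $path
            Certificates  = $coll.Count            # leaf + intermediates + root
            HasPrivateKey = ($withKey.Count -gt 0)
        }
    }

    if (-not (Test-Path $exportRoot)) {
        New-Item -ItemType Directory -Path $exportRoot | Out-Null
    }

    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            # Thumbprint in the name keeps two certs with the same Subject apart.
            $file = Join-Path $exportRoot ((ConvertTo-SafeFileName $_.Subject) + '_' + $_.Thumbprint + '.pfx')
            # -f overwrites an existing file; -p sets the PFX password.
            & certutil.exe @('-exportpfx', '-f', '-p', $pfxPassword, $_.Thumbprint, $file) | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "certutil failed for $($_.Thumbprint) on $env:COMPUTERNAME"
            } else {
                Test-PfxExport $file $pfxPassword
            }
        }
}

# Run the block on each server; the results come back with PSComputerName attached.
foreach ($server in $servers) {
    Invoke-Command -ComputerName $server -ScriptBlock $exportBlock -ArgumentList $exportRoot, $pfxPassword |
        Select-Object PSComputerName, Path, Certificates, HasPrivateKey |
        Format-Table -AutoSize
}
```

A row showing `Certificates = 1` for a certificate issued by an internal CA is the symptom the first answer's comments describe (leaf exported without its chain); a row with `HasPrivateKey = False` means the key was not exportable and keytool will produce a keystore without it. The password still travels on the certutil command line, exactly as in the answers, so clear the PFX files and the password variable once the keystores are built.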

-2

  1. Open mmc as administrator
  2. Menu file -> Add/Remove Snap-in (Ctrl + M)
  3. Select the Certificates snap-in in the left pane and hit Add
  4. Select Computer account (third option)
  5. Choose Another computer and enter the name of the remote system you want to manage the certificates of
  6. Complete the dialog and hit OK

The names could be slightly different. My OS is German, so I roughly translated everything.

megamorf

Posted 2015-03-13T11:45:49.053

Reputation: 1 494

Thanks. The problems with that are it's not command line, it's very slow, keyboard automation is tricky because it's slow, and when you export remotely in the console it won't let you include the private keys. – user1991791 – 2015-03-13T12:13:21.063

For command-line automation you need to tell us more about your environment. Are you using Server 2012 (R2)? Is PowerShell remoting enabled? – megamorf – 2015-03-13T12:14:53.633

My environment is all Windows Server 2008 R2. PowerShell remoting might be on? How do I test? – user1991791 – 2015-03-13T13:31:54.600

Nevermind, I am testing now to determine if I will be able to use Enter-PSSession Remoting.. – user1991791 – 2015-03-13T13:46:33.533

Open a PowerShell console with admin permissions and enter the following command:

```powershell
enter-pssession -computername "remoteserver"
```

where remoteserver is the system you're trying to connect to via PowerShell remoting. If you receive an error saying that the connection failed, it's disabled; if your prompt changes and includes the remote server name, it's enabled. – megamorf – 2015-03-13T13:47:49.083

OK, it is not enabled BUT I can enable it. So, yes assume it can be used.. – user1991791 – 2015-03-13T13:54:01.193