PKCS #12 1.0 Personal Information Exchange Syntax Standard Defines a file format commonly used to store private keys with accompanying public key certificates, protected with a password-based symmetric key. PFX is a predecessor to PKCS#12. This container format can contain multiple embedded objects, e.g. multiple certificates. Usually protected/encrypted with a password. PKCS #7 1.5 Cryptographic Message Syntax Standard See RFC 2315. Used to sign and/or encrypt messages under a PKI. Used also for certificate dissemination (for instance as a response to a PKCS#10 message). Formed the basis for S/MIME, which is as of 2009[update] based on RFC 3852, an updated Cryptographic Message Syntax Standard (CMS). Often used for single sign-on. First Step – Microsoft PKI – Active Directory Certificate Services (Role windows 2008)
Add role Active Directory Certificate Services on Server AD check role service : Certification authority Certification Athority Web Enrollment Choose entreprise CA choose Root CA choose Create a new private key Let default settings: cryptographic provider – RSA#Microsoft Software Key Storage Provider – 2048 Common name for the CA: (Domainename-Servername-CA) aurum-LORSRV102-CA Validity period . 5 years finish ——————————————————————– Control the good execution: go to active directory services – warning: you will find the description of the command: cmd prompt certutil -viewstore "ldap:///CN=aurum-LORSRV102-CA,CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=aurum,DC=com?cACertificate?base?objectClass=certificationAuthority" go to¦ administrative tools – Certification authority ——————————————————————- Step 2 : generate the wildcard certificate:
go to IIS Manager – menu (option) Server certificates wildcar certificate: "*.aurum.com"
To Generate and Submit the Certificate Signing Request (CSR): Click the Start menu and select Administrative Tools. Start Internet Services Manager and click the Server Name. In the center section, double click on the Server Certificates button in the Security section. From the Actions menu click Create Certificate Request. This will open the Request Certificate wizard. Enter your Distinguished Name field information. The following characters cannot be used: < > ~ ! @ # $ % ^ * / \ ( ) ?. This includes commas. Distinguished Name Fields: Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor’s name in the "Organization" field, and the DBA (doing business as) name in the "Organizational Unit" field. Organizational Unit: Optional. Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field. Common Name: The Common Name is the fully-qualified domain name – or URL – for which you plan to use your certificate, e.g., the area of your site you wish customers to connect to using SSL. For example, an SSL certificate issued for "www.yourcompanyname.com" will not be valid for "secure.yourcompanyname.com." If the Web address to be used for SSL is "secure.yourcompanyname.com," ensure that the common name submitted in the CSR is "secure.yourcompanyname.com." If you are requesting a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., "*.domainnamegoes.com" or "www*.domainnamegoeshere.com"). This will secure all subdomains of the Common Name. Country: The two-letter International Organization for Standardization- (ISO-) format country code for the country in which your organization is legally registered. State/Province: Name of state or province where your organization is located. Please enter the full name. Do not abbreviate. City/Locality: Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate. Click Next. In the Cryptographic Service Provider Properties window, select Microsoft RSA SChannel Cryptographic Provider; then select the bit length (2048 is the minimum). Click Next. Enter a path and file name for the CSR and click Finish. Open the generated CSR file; then, using a plain-text editor, such as Windows Notepad, copy and paste the CSR into our online enrollment form. Cryptographic provider: Microsoft RSA Schannel…. Bit length : 2048 name for certificate request: c:\wcert\certificate_request ————————————————————————- Step 3 : request the certificate go to site: http://aurum.com/certsrv/ or https://aurum.com/certsrv/ (with self signed certificate) Microsoft Active Directory Certificate Services — aurum-LORSRV102-CA request a certificate submit an a Or, submit an advanced certificate request. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. use the field: Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7 to put the txt of the previous request: —–BEGIN NEW CERTIFICATE REQUEST—– MIICsTCCAmsCAQAwZzELMAkGA1UEBhMCQ0gxETAPBgNVBAgMCGZyaWJvdXJnMQ8w DQYDVQQHDAZuZXlydXoxDjAMBgNVBAoMBWF1cnVtMQ4wDAYDVQQLDAVnZXZlcjEU MBIGA1UEAwwLKi5hdXJ1bS5jb20wTDANBgkqhkiG9w0BAQEFAAM7ADA4AjEA048l Mi098xBpiDrIAQAn6MEjDG6mFi5a2knJqtrZ2S8fvUGfCEIMTb3p3d1gIMLFAgMB AAGgggGtMBoGCisGAQQBgjcNAgMxDBYKNi4xLjc2MDAuMjBJBgkrBgEEAYI3FRQx PDA6AgEFDBNMT1JTUlYxMDIuYXVydW0uY29tDBNBVVJVTVxBZG1pbmlzdHJhdG9y DAtJbmV0TWdyLmV4ZTByBgorBgEEAYI3DQICMWQwYgIBAR5aAE0AaQBjAHIAbwBz AG8AZgB0ACAAUgBTAEEAIABTAEMAaABhAG4AbgBlAGwAIABDAHIAeQBwAHQAbwBn AHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByAwEAMIHPBgkqhkiG9w0BCQ4x gcEwgb4wDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUFBwMBMHgGCSqG SIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglg hkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUw BwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFKgNS31JFtJzQdr6LpkSz+aY NbrFMA0GCSqGSIb3DQEBBQUAAzEAn+nf0gZov77j5QuAINi5BVLI00v4aAuYBJAp Sv+zesF8gWwC2zA0Ga5i2Z5hpa8b —–END NEW CERTIFICATE REQUEST—– certificate template. web server download certificate chain: certnew.cer & certnew.p7b ————————————————————————
Step 4 : Import certificate : go to IIS manger ¦action¦ complete certificate request ¦ browse the c:\wcert\certnew.cer ———————————————————————– Step 5 : generate pkcs#12 format go to mmc console menu start¦ mmc menu file ¦ add sna-In ¦ certificates ¦ computer account ¦ Once the certificate has been issued and installed on the requesting computer, open the Certificates MMC focused on the local computer store, locate the issued certificate and then export it in PKCS12 format. I believe that you can use OpenSSL to convert the P12 to PEM if need be