Latest revision as of 12:26, 18 April 2024
Certificates
Certificates can be found with the MMC Certificates snap-in.
Use the export option with the private key to allow import on another computer.
Find the certificate authority:
certutil -config - -ping
Update Certificates
Update Certificate on IIS server:
- import the certificate into the cert store
- open IIS, go to the Default Web Site (or whichever site needs the certificate updated) > Edit Bindings > 443 > select the new certificate
In PowerShell, restart IIS so it picks up the new certificate:
iisreset -noforce
Update cert on AD FS server:
- import the certificate into the cert store
Run the following PowerShell command:
Set-AdfsSslCertificate -Member <server name> -Thumbprint <new cert thumbprint>
- in AD FS Management > Service > Certificates, renew the Service Communications certificate with the new certificate
Update on AD FS Proxy server:
- import the certificate
Check the certificate bindings for the AD FS proxy:
Get-WebApplicationProxySslCertificate
Apply new certificate:
Set-WebApplicationProxySslCertificate -Thumbprint <New cert Thumbprint>
If you don't want to worry about copy-pasting the certificate thumbprint, you can read it from the cert store in PowerShell:
cd cert:\LocalMachine\My
$cert = (Get-ChildItem | Select FriendlyName,Thumbprint | Where-Object {$_.FriendlyName -like "Certificate friendlyname"})
Then you can use $cert.Thumbprint in the Set command instead of copying the thumbprint from the certificate properties in the cert store and removing all the spaces.
Extract .crt
If you need the cert in .crt format with the key for SSL, you can use OpenSSL to extract the keys.
Download it from here: https://slproweb.com/products/Win32OpenSSL.html
When installing, make sure to add it to the environment variables and PATH so it can be used easily from the command line; do this in sysdm.cpl, or run the following cmd.exe commands for one-time use:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path=%Path%;C:\Program Files\OpenSSL-Win64\bin
Use the following command to extract (run OpenSSL as admin):
openssl pkcs12 -in C:\PathToThePFXfile\myPFXfileName.pfx -out certificate.txt -nodes
This extracts the certificate and the unencrypted private key into a text file, from which you can copy the certificate and key and save them as a .crt and a .key file.
Extract the key as an encrypted key:
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
Extract the unencrypted key:
openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]
Extract just the certificate:
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
Convert from .pem to .pfx
Certificates need to be converted for use in Windows IIS, as Windows prefers the .pfx format.
Use the following command:
openssl pkcs12 -export -in <certname>.pem -inkey <privatekey>.pem -out <Certificate>.pfx
SSL certificates in netsh
Check the certificates bound to ports in netsh:
netsh http show sslcert
Add a certificate to a port:
netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint of cert without spaces> appid='{EDE3C891-306C-40fe-BAD4-895B236A1CC8}'
Delete an sslcert binding:
netsh http delete sslcert ipport=0.0.0.0:443
Extract the private key from a .pfx and create a new cert
Extract the private key:
openssl pkcs12 -in filetogetkeyextractedfrom.pfx -nocerts -out exportedprivatekey.key
Extract the public certificate if required:
openssl pkcs12 -in filetogetpublickeyextractedfrom.pfx -clcerts -nokeys -out extractedpublickey.crt
Create a new certificate from the .crt (public key) and .key (private key) files:
openssl pkcs12 -export -out newcerttocreate.pfx -inkey extractedprivatekey.key -in certfilewithpublickey.crt
Create a certificate from Let's Encrypt output for Windows VMs
Use certbot on a server that can receive inbound traffic on ports 80 and 443 for the DNS name you want the cert for:
certbot certonly --standalone
Then use openssl with the generated cert files:
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
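The PFX-to-PEM extraction and PEM-to-PFX rebuild steps above leave out the checks an operator wants before importing the result into IIS. The following PowerShell script is an added example, not code from the original page: it splits a PFX with OpenSSL, verifies that the private key actually matches the certificate and that the certificate is not about to expire, then rebuilds the PFX (with the chain, as in the Let's Encrypt case). It assumes openssl.exe is on PATH; the two PFX paths are placeholders.

```powershell
# Added example (not from the original page): split a PFX into PEM parts with
# OpenSSL, verify the private key belongs to the certificate and that the cert
# is not about to expire, then rebuild a PFX that IIS or netsh can import.
# Assumes openssl.exe is on PATH; the two PFX paths are placeholders.
$PfxIn  = 'C:\certs\input.pfx'     # placeholder
$PfxOut = 'C:\certs\rebuilt.pfx'   # placeholder
$Work   = Join-Path $env:TEMP ("pfxwork-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $Work | Out-Null
$Key   = Join-Path $Work 'privkey.pem'
$Cert  = Join-Path $Work 'cert.pem'
$Chain = Join-Path $Work 'chain.pem'
# Hand the password to OpenSSL via an environment variable rather than on the
# command line, where it would show up in process listings and shell history.
$env:PFX_PASS = Read-Host 'PFX password'

function Invoke-OpenSsl {
    # Runs openssl with the given arguments; a non-zero exit becomes a terminating error.
    param([string[]]$OpenSslArgs)
    $out = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs[0]) failed (exit $LASTEXITCODE)" }
    return $out
}

try {
    # 1. Split the PFX: unencrypted key (-nodes), leaf certificate, issuing chain
    $pfx = @('pkcs12', '-in', $PfxIn, '-passin', 'env:PFX_PASS')
    Invoke-OpenSsl ($pfx + @('-nocerts', '-nodes', '-out', $Key))   | Out-Null
    Invoke-OpenSsl ($pfx + @('-clcerts', '-nokeys', '-out', $Cert)) | Out-Null
    Invoke-OpenSsl ($pfx + @('-cacerts', '-nokeys', '-out', $Chain)) | Out-Null
    # 2. The public key derived from the private key must equal the one in the cert
    $pubFromKey  = (Invoke-OpenSsl @('pkey', '-in', $Key, '-pubout')) -join "`n"
    $pubFromCert = (Invoke-OpenSsl @('x509', '-in', $Cert, '-pubkey', '-noout')) -join "`n"
    if ($pubFromKey -ne $pubFromCert) { throw 'Private key does not match the certificate' }
    # 3. -checkend exits non-zero if the cert expires within 30 days (2592000 s)
    Invoke-OpenSsl @('x509', '-in', $Cert, '-noout', '-checkend', '2592000') | Out-Null
    # 4. Rebuild; include the chain only if the PFX actually carried CA certs
    $export = @('pkcs12', '-export', '-in', $Cert, '-inkey', $Key,
                '-passout', 'env:PFX_PASS', '-out', $PfxOut)
    if (Select-String -Path $Chain -Pattern 'BEGIN CERTIFICATE' -Quiet) {
        $export += @('-certfile', $Chain)
    }
    Invoke-OpenSsl $export | Out-Null
    Write-Host "Rebuilt $PfxOut with a verified key/cert pair"
}
finally {
    # 5. The unencrypted key touched disk: remove the work dir and the password variable
    Remove-Item -Recurse -Force $Work
    Remove-Item Env:\PFX_PASS
}
```

For certbot output, point $Key, $Cert and $Chain at privkey.pem, cert.pem and chain.pem directly and skip step 1; the key-match and expiry checks still apply.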
Bind certificates in netsh
Use the following command to check the current certificate bindings:
netsh http show sslcert
Unbind, then bind the new certificate with the cert thumbprint:
netsh http delete sslcert ipport=<ip address and port> #eg 0.0.0.0:443
netsh http add sslcert ipport=<ip address and port> certhash=<certificate thumbprint> appid='<app id in guid form {GUID}>'
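Combining the thumbprint lookup from the cert store with the unbind/bind sequence above, the following PowerShell script is an added example (not code from the original page): it picks the newest unexpired certificate with a private key by friendly name, rebinds the HTTP.sys listener, and confirms the binding from netsh's own output. It assumes an elevated PowerShell session; the friendly name and appid are placeholders.

```powershell
# Added example (not from the original page): find the certificate by friendly
# name in the machine store, check it is usable, and rebind the HTTP.sys
# listener with netsh so the thumbprint is never copy-pasted by hand.
# Run elevated; the friendly name and appid below are placeholders.
param(
    [string]$FriendlyName = 'Certificate friendlyname',               # placeholder
    [string]$IpPort       = '0.0.0.0:443',
    [string]$AppId        = '{00000000-0000-0000-0000-000000000000}'  # placeholder GUID
)

function Get-BindableCertificate {
    # Newest unexpired certificate with a private key matching the friendly name.
    param([string]$Name)
    $now = Get-Date
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $Name -and $_.HasPrivateKey -and $_.NotAfter -gt $now } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate named '$Name' in LocalMachine\My" }
    return $cert
}

function Get-BoundThumbprint {
    # Parses 'netsh http show sslcert' for the hash bound to one ip:port, or $null.
    param([string]$IpPort)
    $text = (& netsh http show sslcert ipport=$IpPort) -join "`n"
    if ($text -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $Matches[1] }
    return $null
}

$cert  = Get-BindableCertificate -Name $FriendlyName
$thumb = $cert.Thumbprint   # already hex without spaces, unlike the MMC display
Write-Host "Selected '$($cert.Subject)' valid until $($cert.NotAfter) ($thumb)"

$bound = Get-BoundThumbprint -IpPort $IpPort
if ($bound -eq $thumb) { Write-Host "Already bound on $IpPort"; return }   # -eq ignores case

if ($bound) {
    & netsh http delete sslcert ipport=$IpPort | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not remove old binding on $IpPort" }
}
& netsh http add sslcert ipport=$IpPort certhash=$thumb appid="$AppId" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not bind $thumb on $IpPort" }

# Verify from netsh's own view instead of trusting the exit code alone
if ((Get-BoundThumbprint -IpPort $IpPort) -ne $thumb) { throw 'Binding verification failed' }
Write-Host "Bound $thumb on $IpPort"
```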