Certificates

From Piszczynski

Certificates

Certificates can be found with the MMC Certificates snap-in.

Use the export option with the private key to allow import on another computer.

Find certificate authority:

certutil -config - -ping

Update Certificates

Update the certificate on an IIS server:

  • Import the certificate into the certificate store
  • Open IIS, go to the Default Web Site (or whichever site needs the certificate updated) > Edit Bindings > 443 > select the new certificate

In PowerShell, restart IIS so it picks up the new certificate:

iisreset /noforce

Update the certificate on an ADFS server:

  • Import the certificate into the certificate store
  • Run the following PowerShell command:

Set-AdfsSslCertificate -Member <server name> -Thumbprint <New cert thumbprint>

  • In ADFS Management > Service > Certificates > Renew Service Communications certificate with the new certificate

Update the certificate on an ADFS Proxy server:

  • Import the certificate into the certificate store

Check the certificate bindings for the ADFS proxy:

Get-WebApplicationProxySslCertificate

Apply the new certificate:

Set-WebApplicationProxySslCertificate -Thumbprint <New cert Thumbprint>


If you don't want to worry about copying and pasting the thumbprint of the certificate, you can read it from the certificate store in PowerShell:

cd cert:\LocalMachine\My
$cert = Get-ChildItem | Select-Object FriendlyName,Thumbprint | Where-Object { $_.FriendlyName -like "Certificate friendlyname" }

Then you can use $cert.Thumbprint in the Set command instead of copying the thumbprint from the certificate properties in the store and removing all the spaces.
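As an added example (not part of the original page), the same store lookup wrapped in a function that picks the certificate by DNS name rather than friendly name, checks it actually has a private key and is inside its validity window, and then rebinds the IIS site to it. The DNS name, site name and the WebAdministration module are assumptions; the ADFS line in the usage comment reuses the same thumbprint.

```powershell
# Added example (not from the original page): pick the right certificate from the
# LocalMachine\My store by DNS name and push it to an IIS https binding.
# Assumes the WebAdministration module (IIS PowerShell tooling) and that the
# DNS/site names used below are placeholders for your own.

function Get-ServerCertificate {
    param(
        [Parameter(Mandatory)][string]$DnsName,     # e.g. 'www.example.com' (placeholder)
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    # Keep only certs that can actually serve TLS: private key present, currently valid,
    # and issued for the requested name (SAN list or subject CN).
    $candidates = Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.NotBefore -le (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $DnsName -or $_.Subject -like "*CN=$DnsName*")
    }
    if (-not $candidates) { throw "No usable certificate for $DnsName in $StorePath" }
    # If several match (old + renewed), take the one that expires last.
    $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    # Warn early if what we are about to bind is already close to expiry.
    if ($cert.NotAfter -lt (Get-Date).AddDays(14)) {
        Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
    }
    return $cert
}

function Update-IisHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$SiteName,   # e.g. 'Default Web Site'
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$Port = 443
    )
    Import-Module WebAdministration
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
    if (-not $binding) { throw "No https binding on port $Port for site '$SiteName'" }
    # AddSslCertificate repoints the existing binding at the new thumbprint in the 'My' store.
    $binding.AddSslCertificate($Certificate.Thumbprint, 'My')
    # Restart without dropping in-flight requests so worker processes pick up the new cert.
    iisreset /noforce
}

# Usage (placeholders):
# $cert = Get-ServerCertificate -DnsName 'www.example.com'
# Update-IisHttpsBinding -SiteName 'Default Web Site' -Certificate $cert
# Set-AdfsSslCertificate -Thumbprint $cert.Thumbprint   # same thumbprint for the ADFS step
```

Selecting by DNS name and sorting by NotAfter means a renewed certificate imported alongside the old one is chosen automatically, and the HasPrivateKey check catches the common mistake of importing a .crt instead of the .pfx.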

Extract .crt

If you need the certificate in .crt format with its key for SSL, you can use OpenSSL to extract the keys.

Download it from https://slproweb.com/products/Win32OpenSSL.html

When installing, make sure to add it to the environment variables and PATH so it can be used easily from the command line; go to sysdm.cpl, or run the following commands for one-time use:

set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path=%Path%;C:\Program Files\OpenSSL-Win64\bin

Use the following command to extract when running openssl as admin:

openssl pkcs12 -in C:\PathToThePFXfile\myPFXfileName.pfx -out certificate.txt -nodes

This will extract the certificate to a text file where you can grab the public and private keys and save them in text as a .crt and .key file. Note that -nodes writes the private key unencrypted, so delete the text file once the .key file has been stored somewhere with restricted permissions.

Extract the key as an encrypted key:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]


Extract the unencrypted key:

openssl rsa -in [keyfile-encrypted.key] -out [keyfile-decrypted.key]

Extract just the certificate:

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]

Convert from .pem to .pfx

Certificates will need to be converted for use in Windows IIS, as Windows prefers the .pfx format.

Use the following command:

openssl pkcs12 -export -in <certname>.pem -inkey <privatekey>.pem -out <Certificate>.pfx

SSL Certificates netsh

Check the certificates bound to ports in netsh:

netsh http show sslcert

Add a certificate to a port:

netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint of cert without spaces> appid='{EDE3C891-306C-40fe-BAD4-895B236A1CC8}'

Delete the SSL certificate binding:

netsh http delete sslcert ipport=0.0.0.0:443

Extract Private key from pfx and create new cert

Extract the private key:

openssl pkcs12 -in filetogetkeyextractedfrom.pfx -nocerts -out exportedprivatekey.key

Extract the public key (certificate) if required:

openssl pkcs12 -in filetogetpublickeyextractedfrom.pfx -clcerts -nokeys -out extractedpublickey.crt

Create a new certificate from the .crt (public key) and .key (private key) files:

openssl pkcs12 -export -out newcerttocreate.pfx -inkey exportedprivatekey.key -in extractedpublickey.crt
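The extract-then-rebuild steps above (and the .pem to .pfx conversion earlier) run from PowerShell, as an added example that is not part of the original page. It adds the check a practitioner wants before building a new .pfx: that the extracted private key really belongs to the extracted certificate. It assumes openssl.exe is on PATH, an RSA key pair (the modulus comparison does not apply to EC keys), and placeholder file names.

```powershell
# Added example (not from the original page): drive the openssl steps from PowerShell
# and verify the extracted key matches the extracted certificate before rebuilding
# the .pfx. Assumes openssl.exe on PATH and an RSA key pair. Paths are placeholders.

function Export-PfxParts {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$OutDir,
        [Parameter(Mandatory)][string]$PfxPassword   # import password of the .pfx
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $key   = Join-Path $OutDir 'private.key'
    $cert  = Join-Path $OutDir 'certificate.crt'
    $chain = Join-Path $OutDir 'chain.crt'
    # Private key is written unencrypted (-nodes): keep $OutDir on restricted ACLs.
    & openssl pkcs12 -in $PfxPath -nocerts -nodes -passin "pass:$PfxPassword" -out $key
    if ($LASTEXITCODE -ne 0) { throw "key extraction failed" }
    # Leaf certificate only.
    & openssl pkcs12 -in $PfxPath -clcerts -nokeys -passin "pass:$PfxPassword" -out $cert
    if ($LASTEXITCODE -ne 0) { throw "certificate extraction failed" }
    # Intermediate/root certificates, needed when the server must send the full chain.
    & openssl pkcs12 -in $PfxPath -cacerts -nokeys -passin "pass:$PfxPassword" -out $chain
    if ($LASTEXITCODE -ne 0) { throw "chain extraction failed" }
    return [pscustomobject]@{ Key = $key; Cert = $cert; Chain = $chain }
}

function Test-KeyMatchesCert {
    param([Parameter(Mandatory)][string]$KeyPath, [Parameter(Mandatory)][string]$CertPath)
    # For RSA the modulus in the certificate's public key and in the private key are identical.
    $certMod = (& openssl x509 -noout -modulus -in $CertPath | Out-String).Trim()
    $keyMod  = (& openssl rsa  -noout -modulus -in $KeyPath  | Out-String).Trim()
    return ($certMod.Length -gt 0) -and ($certMod -eq $keyMod)
}

function New-PfxFromParts {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$CertPath,
        [string]$ChainPath,
        [Parameter(Mandatory)][string]$OutPfx,
        [Parameter(Mandatory)][string]$ExportPassword
    )
    if (-not (Test-KeyMatchesCert -KeyPath $KeyPath -CertPath $CertPath)) {
        throw "private key does not match certificate; refusing to build $OutPfx"
    }
    $opensslArgs = @('pkcs12', '-export', '-out', $OutPfx, '-inkey', $KeyPath, '-in', $CertPath,
                     '-passout', "pass:$ExportPassword")
    # Only attach -certfile when the chain file actually contains something.
    if ($ChainPath -and (Test-Path $ChainPath) -and (Get-Item $ChainPath).Length -gt 0) {
        $opensslArgs += @('-certfile', $ChainPath)
    }
    & openssl @opensslArgs
    if ($LASTEXITCODE -ne 0) { throw "pfx export failed" }
    return $OutPfx
}

# Usage (placeholder paths; passwords prompted rather than hard-coded):
# $parts = Export-PfxParts -PfxPath 'C:\certs\old.pfx' -OutDir 'C:\certs\parts' -PfxPassword (Read-Host 'PFX password')
# New-PfxFromParts -KeyPath $parts.Key -CertPath $parts.Cert -ChainPath $parts.Chain `
#     -OutPfx 'C:\certs\new.pfx' -ExportPassword (Read-Host 'Export password')
```

The Let's Encrypt case later on the page is the same New-PfxFromParts call with privkey.pem, cert.pem and chain.pem as the key, certificate and chain paths.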

Create a certificate from Let's Encrypt output for Windows VMs

Use certbot on a server that can receive inbound traffic on ports 80 and 443 for the DNS name you want the certificate for:

certbot certonly --standalone

Then use openssl with the generated cert files:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

Bind certificates in netsh

Use the following command to check certificate status:

netsh http show sslcert

Unbind, then bind the new certificate using its thumbprint (ipport is the IP address and port, e.g. 0.0.0.0:443):

netsh http delete sslcert ipport=<ip address and port>

netsh http add sslcert ipport=<ip address and port> certhash=<certificate thumbprint> appid='<app id in guid form {GUID}>'
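As an added example (not part of the original page) covering both netsh sections above: parse the output of netsh http show sslcert into objects, report bindings whose certificate is missing from the store or close to expiry, and rebind a port to a new thumbprint with the delete-then-add sequence. The sample netsh output embedded below is constructed for offline testing, and the zero GUID is a placeholder, not a real application id.

```powershell
# Added example (not from the original page): audit and rebind netsh SSL bindings.
# Run elevated for the live commands. The sample output below is constructed; the
# application id used in it is a placeholder.

function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)   # output of: netsh http show sslcert
    $bindings = @(); $current = $null
    foreach ($line in $Lines) {
        # Each binding block starts with an "IP:port" line; properties are "Name : Value".
        if ($line -match '^\s*(.+?)\s+:\s+(.*)$') {
            $name = $Matches[1].Trim(); $value = $Matches[2].Trim()
            if ($name -eq 'IP:port') {
                $current = [pscustomobject]@{ IpPort = $value; CertHash = $null; AppId = $null }
                $bindings += $current
            } elseif ($current) {
                switch ($name) {
                    'Certificate Hash' { $current.CertHash = $value.ToUpper() }
                    'Application ID'   { $current.AppId = $value }
                }
            }
        }
    }
    return $bindings
}

function Test-SslBindings {
    param([object[]]$Bindings, [int]$WarnDays = 30)
    foreach ($b in $Bindings) {
        # A binding whose hash is not in LocalMachine\My will fail TLS handshakes silently.
        $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $b.CertHash }
        if (-not $cert) {
            [pscustomobject]@{ IpPort = $b.IpPort; Status = 'cert not in LocalMachine\My'; NotAfter = $null }
        } elseif ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
            [pscustomobject]@{ IpPort = $b.IpPort; Status = 'expiring'; NotAfter = $cert.NotAfter }
        } else {
            [pscustomobject]@{ IpPort = $b.IpPort; Status = 'ok'; NotAfter = $cert.NotAfter }
        }
    }
}

function Set-SslBinding {
    param(
        [Parameter(Mandatory)][string]$IpPort,      # e.g. '0.0.0.0:443'
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$AppId        # '{GUID}' of the owning application
    )
    # Thumbprints copied from the certificate dialog carry spaces; strip and normalise them.
    $clean = ($Thumbprint -replace '\s', '').ToUpper()
    if (-not (Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean)) {
        throw "thumbprint $clean not found in LocalMachine\My; import the .pfx first"
    }
    # netsh has no replace operation: delete (ignore failure if nothing was bound), then add.
    netsh http delete sslcert ipport=$IpPort | Out-Null
    netsh http add sslcert ipport=$IpPort certhash=$clean appid="$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed for $IpPort" }
}

# Constructed sample of the netsh output (shortened) to exercise the parser offline:
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@ -split "`r?`n"

$parsed = ConvertFrom-NetshSslCert -Lines $sample
$parsed | Format-Table IpPort, CertHash, AppId

# Live use (elevated):
# Test-SslBindings -Bindings (ConvertFrom-NetshSslCert -Lines (netsh http show sslcert))
# Set-SslBinding -IpPort '0.0.0.0:443' -Thumbprint $cert.Thumbprint -AppId '{EDE3C891-306C-40fe-BAD4-895B236A1CC8}'
```

Test-SslBindings is the part worth scheduling: a binding that still points at a thumbprint that was deleted from the store, or at a certificate about to expire, shows up here before it shows up as a browser error.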