Applies to Windows 8 and Windows Server 2012

Table of Contents

  • Introduction
  • Requirements
  • Command Line or Scripts
  • Allow older client computers to access the PFX
  • Determine the system set PFX password

Introduction

When exporting a PKCS#12 (PFX) digital certificate file that includes the certificate's private key, a password is typically assigned to the file to protect the private key from compromise. Several situations could result in reduced security of a PFX file secured with a password, such as:

  • The passwords selected may be of limited length or complexity.
  • Automation challenges, particularly considering scripts in which the password is stored in the script.
  • If a group of administrators require access to the same PFX, the password must be shared among them. Some added security considerations in this situation include:
    • The method by which the password is shared. How will the password be shared: e-mail, verbally, or some other method?
    • Administrative group membership changes. What happens when an administrator leaves the group?

A new feature available to Windows 8 and Windows Server 2012 is to use Active Directory Domain Services (AD DS) accounts to protect the private keys contained within digital certificates in PKCS#12 (PFX) format. This is useful for the export, import, and sharing of digital certificates as PFX files. For example, a single PFX file could potentially be shared among multiple web servers in a web farm. Prior to Windows 8 and Windows Server 2012 you were only given the opportunity to provide a password when exporting a certificate as a PFX file. Windows 8 and Windows Server 2012 provide a new dialog box when exporting a certificate that allows you to secure the file to an AD DS account, such as a group.


Requirements

There are several requirements that must be in place for this feature to work:

  • The digital certificate must be exported from a Windows 8 or Windows Server 2012 domain member.
  • The certificate client must be joined to a domain with a Windows Server 2012 domain controller available.
  • The digital certificate must be exported in the PKCS#12 (PFX) file format.

Note: There is not a specific Active Directory forest or domain schema level required for this feature. However, you must have at least one Windows Server 2012 domain controller in the forest in order to use the option to protect the PFX to an AD DS account.

Command Line or Scripts

The export-pfxcertificate Windows PowerShell cmdlet as well as the certutil command let you secure a PKCS#12 (PFX) file format certificate to an AD DS account. For example, you can export a digital certificate using the -protectto parameter and specifying the account to which you want to protect the certificate. The following screen capture illustrates the enumeration of the certificates in the LocalMachine store and then the export of a specific certificate from that store using the certificate thumbprint and the -protectto parameter to specify the web servers group of the CPANDL domain. The command that performs this action is as follows.

export-pfxcertificate -cert 89473A116CCAAAB0B05412D8C1DDDE3EA693BC33 -protectto "cpandl\web servers" -filepath "C:\Exported PFXs\SSLCert.pfx"

The equivalent certutil command is:
certutil -f -protectto "cpandl\web servers" -exportpfx My 89473A116CCAAAB0B05412D8C1DDDE3EA693BC33 "C:\Exported PFXs\SSLCert.pfx"

Note: Certutil defaults to the LocalMachine store. If needed, use the -user switch to specify the user store.
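The same export done end to end in PowerShell, as an added example that is not part of the original article: enumerate the LocalMachine personal store, select the certificate by thumbprint, export it protected to the AD DS group, and import it on a member of that group. The thumbprint, group name and output path are taken from the article's own command; the directory creation and the private-key check are assumptions of this example.

```powershell
# Added example (not from the original article). Values below reuse the
# article's sample thumbprint, group and path; adjust for your environment.
$thumbprint = '89473A116CCAAAB0B05412D8C1DDDE3EA693BC33'
$group      = 'cpandl\web servers'
$outFile    = 'C:\Exported PFXs\SSLCert.pfx'

# Enumerate the LocalMachine personal store, showing only entries that carry a
# private key, so the certificate to export can be identified by thumbprint.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize

# Resolve the certificate object; -ErrorAction Stop fails loudly if absent.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key; there is nothing to protect."
}

# Make sure the target folder exists, then export. With -ProtectTo there is no
# password prompt: the system-generated password is sealed to the listed
# principals (a group here; a computer account could be added to the array).
New-Item -ItemType Directory -Path (Split-Path -Parent $outFile) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $outFile -ProtectTo $group `
    -ChainOption BuildChain -Force

# On a Windows 8 / Windows Server 2012 domain member whose computer account is
# in the group, the import needs no password. Omit -Exportable so the private
# key cannot be re-exported from the importing machine.
Import-PfxCertificate -FilePath $outFile -CertStoreLocation Cert:\LocalMachine\My
```

The import command fails with an access denied error on a machine that is not among the principals named in -ProtectTo, which is the expected behaviour rather than a fault in the file.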


Allow older client computers to access the PFX

There is actually a password created on the exported PFX file, even when the file is secured to an AD DS account. This allows client computers prior to Windows 8 and Windows Server 2012 to access the file. As specified in PKCS#12, a password is used to derive an encryption key that is then used to encrypt the contents of the file. Regardless of which encryption algorithm is used, the encryption strength is partially dependent upon password strength (length and complexity).

When a PFX file is protected using an AD DS group, there is still a password generated by the system. The system creates a password based on a randomly generated 32-byte number, which makes it a very strong password (the length of the password in characters is actually 40+ characters due to Base64 encoding of the random number). The system then encrypts the password using Windows 8 data protection APIs that allow protecting data to one or more security principals. Finally, the system adds the encrypted password to the PFX file.

When the PFX file is imported, the system sees that the PFX file has an encrypted password included and tries to unprotect it using the data protection APIs. If the user or computer account that is trying to import the PFX file is in the list of security principals configured during export, the account is able to unprotect the password and gain access to the PFX contents.

You do not have to allow the system to set the password. You can both protect the PFX file to a group as well as set your own password. This may be useful if you plan to export the PFX file to a system that will only support passwords of a specified length. Further, you are not required to secure the PFX file to an AD DS account; you could merely specify a password. However, if you want to both secure the PFX file to an AD DS account and specify your own password, you can do so through the user interface or through the export-pfxcertificate cmdlet.
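The combined case described above in script form, as an added example that is not part of the original article: the PFX is protected to the AD DS group and also sealed with an administrator-chosen password, so a client older than Windows 8 can still import it. The file name, the group and the use of the .NET X509Certificate2 class for the legacy import are assumptions of this example; the article itself only names the cmdlet and the user interface.

```powershell
# Added example (not from the original article). The thumbprint and group are
# the article's sample values; the output path is assumed.
$cert    = Get-ChildItem -Path 'Cert:\LocalMachine\My\89473A116CCAAAB0B05412D8C1DDDE3EA693BC33' -ErrorAction Stop
$group   = 'cpandl\web servers'
$outFile = 'C:\Exported PFXs\SSLCert-legacy.pfx'

# Read the password interactively as a SecureString so it is never written
# into the script file, which is one of the risks the article lists.
$password = Read-Host -Prompt 'PFX password for pre-Windows 8 clients' -AsSecureString

# -ProtectTo and -Password together: the group can import without a password,
# and anyone holding the password can import on a system without AD DS support.
Export-PfxCertificate -Cert $cert -FilePath $outFile -ProtectTo $group -Password $password

# Path 1: a Windows 8 / Windows Server 2012 member of the group needs no password.
Import-PfxCertificate -FilePath $outFile -CertStoreLocation Cert:\LocalMachine\My

# Path 2 (legacy client): the PKI module cmdlets do not exist there, so use the
# .NET X509Certificate2 constructor with the password. MachineKeySet places the
# key in the machine profile; PersistKeySet keeps it after the object is gone.
$flags      = 'MachineKeySet,PersistKeySet'
$legacyCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $outFile, $password, $flags)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($legacyCert)
$store.Close()

# Confirm the private key arrived with the certificate on the legacy client.
if (-not $legacyCert.HasPrivateKey) { throw 'Import succeeded without a private key.' }
```

The legacy path is equally usable with certutil -importpfx, which prompts for the password when the file is not protected to the importing account.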


Determine the system set PFX password

If you need to determine the password that the system has configured for an exported PFX, you can do so by using the Display Password option in the user interface during import. You can only display the password if you are using an account that was explicitly (or through group membership) granted permissions to the PFX file during certificate export.

The ability to see the system set password could be useful in cases where you need to import the PFX into a system that does not support AD DS account secured PFX files (for example, into client computers running operating systems prior to Windows 8 or Windows Server 2012).
