$ConfigContent = @"
; Request.inf
[Version]
Signature="`$Windows NT$"

[NewRequest]
Subject = "CN=$CN,C=ES,ST=Barcelona,L=Barcelona,O=$O"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "DNS=$CN&"
_continue_ = "DNS=testing.$CN&"
"@

$ConfigContent | Out-File -FilePath "$CN.inf" -Encoding ASCII

# Create a certificate request. certreq prints text on failure too, so test
# its exit code rather than whether it produced any output.
certreq -new -f "$CN.inf" "$CN.csr" | Out-Null
if ($LASTEXITCODE -eq 0) {
    # Submit the request to the Certificate Authority and pick the request ID
    # out of certreq's (Spanish-localized) output
    $pattern = 'Id\. de solicitud: (\d+)'
    $commandOutput = certreq -submit -config "localhost\COMPANY-AD01-CA" "$CN.csr" "$CN.crt"
    # Use Select-String to find the first match in the output
    $match = $commandOutput | Select-String -Pattern $pattern | Select-Object -First 1
    if ($match) {
        $id = $match.Matches[0].Groups[1].Value
        # Approve the pending request on the CA, then retrieve the issued certificate
        certutil -config "localhost\COMPANY-AD01-CA" -resubmit $id
        certreq -config "localhost\COMPANY-AD01-CA" -q -f -retrieve $id "$CN.crt"
        Remove-Item -Path "$CN.inf", "$CN.csr", "$CN.rsp" -Force
    }
    else {
        Write-Host "Failed to submit the certificate request."
    }
}
else {
    Write-Host "Failed to create the certificate request."
}

Using this I create a certificate, send it to the CA, and accept it.

certreq -retrieve only gets me the certificate, not the key. How do I get the key, or how do I use that certificate in Apache?

1 Answer


You'd need to use either certutil -exportPFX or Export-PfxCertificate to export the private key – both give you a PKCS#12 format file (.pfx or .p12), which you can either use as-is for Apache Tomcat (or anything that uses "Java keystores"), or convert to a PKCS#8 format private key file for Apache httpd (or anything that uses "PEM" format keys).

Afterwards, you can delete the certificate and key from Windows.

For converting to PKCS#8 (PEM), I am not sure whether Windows has anything built-in, but the usual openssl tool is available for Windows as well:

# Extract certificates:
openssl pkcs12 -in Foo.pfx -out Foo.crt -nokeys

# Extract private key ("-nodes" to leave it unencrypted):
openssl pkcs12 -in Foo.pfx -out Foo.key -nocerts -nodes

Once you have the OpenSSL tools installed, however, it might be easier to just use openssl req for the task as it directly outputs a PKCS#8 private key that Apache accepts.

  • For some reason Export-PfxCertificate won't export the file without Password or ProtectTo. I've created the certificate with MachineKeySet = TRUE and Exportable = TRUE, and at no point do I set any password.
    – Daviid
    Commented Oct 10, 2023 at 10:25
  • The PKCS#12 (PFX) file format requires encryption; you can probably use a blank password but the format doesn't really have a "no encryption" mode. Commented Oct 10, 2023 at 10:36
  • Didn't work: Export-PfxCertificate requires a SecureString as password, and that can't be empty. I'm trying certutil -exportPFX -p "" My 49 output.pfx NoRoot and it says CertUtil: -exportPFX error del comando: 0x80092004 (-2146885628 CRYPT_E_NOT_FOUND), but Get-ChildItem Cert:\LocalMachine\My shows that the certificate does exist.
    – Daviid
    Commented Oct 10, 2023 at 10:47
  • Then specify "asdf" or whatever other temporary password you like – it's only needed until you convert from PFX to PKCS#8; once the conversion is done the PKCS#8 .key file can remain unencrypted as usual. Commented Oct 10, 2023 at 10:50
  • Just to clarify though, Apache httpd needs PKCS#8, whereas Apache Tomcat should be fine with PKCS#12 (PFX) directly, since it's the default Java format now. (As far as I know, in Java keystores everyone specifies some useless password like "apache"…) Commented Oct 10, 2023 at 10:59
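The following script is an added example, not code from the question or the answer. It walks the answer's procedure end to end for the certificate issued by the question's script: it finds the certificate in Cert:\LocalMachine\My by its Subject CN, exports it with Export-PfxCertificate under a random one-off password (the PKCS#12 format always encrypts the key, so the password cannot be empty), converts it with openssl into a PEM certificate and an unencrypted PKCS#8 key for Apache httpd, restricts the key file's ACL, checks that the key matches the certificate, and deletes the intermediate PFX. It assumes that $CN is the same value used in the request's Subject, that openssl.exe is on PATH, that the shell is elevated (the LocalMachine store needs it), and that C:\ssl is a hypothetical output directory.

```powershell
<#
  Added example (not part of the question or the answer). Export the certificate
  issued above to PFX under a throwaway password, convert it to PEM cert + PKCS#8
  key for Apache httpd, lock the key down, verify the pair, and clean up.
  Assumptions: $CN = Subject CN used in the request, openssl.exe on PATH,
  elevated shell, C:\ssl is a hypothetical output directory.
#>
param(
    [Parameter(Mandatory)] [string] $CN,
    [string] $OutDir = 'C:\ssl',
    [switch] $RemoveFromStore   # also delete cert + key from the Windows store afterwards
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Locate the issued certificate by subject CN (newest first). The store addresses a
# certificate by object, thumbprint or serial, not by the CA's request ID.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CN,*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$CN" }

# PKCS#12 always encrypts the key, so generate a random one-off password instead of a
# blank or hard-coded one; it only has to survive until the conversion is done.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$buf = New-Object byte[] 24
$rng.GetBytes($buf)
$env:PFXPASS = [Convert]::ToBase64String($buf)
$securePass = ConvertTo-SecureString -String $env:PFXPASS -AsPlainText -Force

$pfxPath = Join-Path $OutDir "$CN.pfx"
$crtPath = Join-Path $OutDir "$CN.crt"
$keyPath = Join-Path $OutDir "$CN.key"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $securePass -ChainOption EndEntityCertOnly | Out-Null

# Hand the password to openssl through the environment (env:) rather than on the
# command line so it does not show up in process listings. -clcerts/-nokeys: leaf cert only.
& openssl pkcs12 -in $pfxPath -passin env:PFXPASS -clcerts -nokeys -out $crtPath
if ($LASTEXITCODE -ne 0) { throw 'openssl: certificate extraction failed' }
# -nodes writes the PKCS#8 key unencrypted, which is what Apache httpd reads at start-up.
& openssl pkcs12 -in $pfxPath -passin env:PFXPASS -nocerts -nodes -out $keyPath
if ($LASTEXITCODE -ne 0) { throw 'openssl: private key extraction failed' }

# The key is now plaintext on disk: drop inherited ACEs and allow only SYSTEM and Administrators.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')))
}
Set-Acl -Path $keyPath -AclObject $acl

# Sanity check: the public key derived from the key file must equal the one in the certificate.
$pubFromCert = (& openssl x509 -in $crtPath -noout -pubkey) -join "`n"
$pubFromKey  = (& openssl pkey -in $keyPath -pubout) -join "`n"
if ($pubFromCert -ne $pubFromKey) { throw 'Private key does not match the certificate' }

# Clean up the password and the PFX; optionally drop the cert and key from the Windows store.
Remove-Item -Path Env:\PFXPASS
Remove-Item -Path $pfxPath -Force
if ($RemoveFromStore) { Remove-Item -Path $cert.PSPath -DeleteKey }

[pscustomobject]@{ Certificate = $crtPath; PrivateKey = $keyPath; Thumbprint = $cert.Thumbprint }
```

Save it as, for instance, Export-ApacheKey.ps1 and run .\Export-ApacheKey.ps1 -CN www.example.com from an elevated prompt; the resulting paths go into SSLCertificateFile and SSLCertificateKeyFile in the httpd configuration. If an OpenSSL 3 build rejects the PFX with an unsupported-algorithm error, the Windows export used a legacy cipher and the two openssl pkcs12 calls need the -legacy option. The same lookup applies to certutil -exportPFX: it takes a certificate identifier from the store (serial number, SHA-1 thumbprint, or a zero-based index in the store) rather than the CA's request ID, so a value that is not one of those yields CRYPT_E_NOT_FOUND even though the certificate is present.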

