I am trying to import a PFX using PowerShell, that has been created by OpenSSL from a cer and key file (the key was generated by OpenSSL along with a CSR, which was submitted to internal AD CA to generate the cer)
When viewing cert info in OpenSSL, I can see the PFX contains just a single cert and a private key, which is what I expect
If I run the below command, the cert is imported into intermediate certificate authorities, rather than the machine personal store as I have specified:
Import-PfxCertificate -FilePath $SharedPFXPath -Password (ConvertTo-SecureString -String $PFXPassword -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\My -Exportable
What could be the reason the Import-PfxCertificate
command might be ignoring my cert store location?
EDIT: Just for some additional info, I thought I'd detail the commands used to generate the source cert and key files etc:
Start by creating a key and CSR
openssl.exe genrsa -out $KeyFilePath 2048
openssl.exe req -new -key $KeyFilePath -out $CSROutputPath -config $ConfigFilePath
The CSR config file contains this (actual DN values removed):
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = COUNTRY CODE
ST = COUNTY/STATE
L = TOWN
O = ORG
OU = OU
CN = COMMON NAME
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = SAN
Then I submit the CSR to AD CA, and save the BASE64 encoded cert. I use this and the key file to create the PFX
openssl.exe pkcs12 -export -in $CertPath -inkey $KeyFilePath -out $PFXPath -passout pass:$PFXPassword -nomac
I had to add -nomac
to my PFX command, as otherwise I got an incorrect password error every time I tried to manually import the PFX into the cert store. Not sure if this would contribute to my issue, or if some of my earlier commands might be causing me some problems?
This issue is linked to similar issues mentioned here
I am using OpenSSL 3.0 on Windows to generate my certs and PFXs etc. and whilst I had the same "Incorrect Password" issue as this other question, which was resolved by adding
-nomac
, I had not added the other options.After adding
-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES
to my PFX export command, I no longer have any issues and my cert is imported into my specified store