Summary: Thomas Rayner, Microsoft Cloud & Datacenter Management MVP, shows how to import a certificate into a KSP and bring it into the certificate store.
Hello! I’m Thomas Rayner, a proud Cloud & Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (@MrThomasRayner) or on my blog, Working Sysadmin: Figuring stuff out at work.
I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. This script has only been tested on Windows Server 2012 and later.
Note This is a five-part series that includes the following posts:
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1
Explore why you may need to perform this work, configure logging, and set up variables.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 2
Back up your certification authority (CA) and test the script.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3
Delete the certificate and crypto provider so they can be rebuilt as a KSP and SHA-256 solution.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4
Import keys and certificate into a KSP.
- Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5
Modify the registry for SHA-256.
Bring it back, please
Yesterday we deleted some important items. Today we’re bringing them back in a happier, more future-proof way. There are only three steps today, but they’re pretty important. The first step is to restore the certification authority (CA) certificate and keys into KSP:
cmd.exe /c "certutil -p $Password -csp `"Microsoft Software Key Storage Provider`" -importpfx `"$("$Drivename\$Foldername\$CAName.p12")`""
Add-LogEntry $Logpath 'Imported CA cert and keys into KSP'
This is a certutil command to restore the PFX we backed up in Part 2 into a Microsoft Software Key Storage Provider. I’m using the –p parameter to pass the password we used to perform the backup.
Now that I’ve restored into KSP, I can export the key from there so I can import the key itself:
cmd.exe /c "certutil -exportpfx -p $Password My $("$CAName") `"$("$Drivename\$Foldername\NewCAKeys.p12")`""
Add-LogEntry $Logpath 'Exported keys so they can be installed on the CA'
Using certutil again, I’m exporting a PFX that is protected by the same password to NewCAKeys.p12 in my working directory. I can use certutil again to restore the key into the CA.
cmd.exe /c "certutil -p $Password -restorekey `"$("$Drivename\$Foldername\NewCAKeys.p12")`""
Add-LogEntry $Logpath 'Restored keys into CA'
I’m going to wrap this in a Try/Catch block and add more logging:
Almost done! Now that I’ve got you operating a KSP instead of a CSP, tomorrow, I’m going to show you how to move from SHA-1 to SHA-256.
If you are in a big hurry and want the full script, you can find it on my blog: Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256. I’d sincerely recommend reading all of the posts in this series first, though, so you understand what it is you’re running.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at firstname.lastname@example.org, or post your questions on the Official Scripting Guys Forum. Also check out my Microsoft Operations Management Suite Blog. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy