date: Fri, 11 Jul 2008 17:57:00 -0400,    group: microsoft.public.platformsdk.security


How to create a .pfx file from cert request?
Hi. I have written code that can generate a cert request, send it to
our CA, and get the certificate in blob form.  Then it is possible to
install the certificate (including chain) on the requesting computer by
using:

: hr = pEnroll4->acceptResponseBlob (&certBlob);

After that, I can export it into a .pfx file from IE etc., and have
a file I can use to install the cert on another pc.

I want to skip the step of installing on my computer and then
exporting, by writing the .pfx file directly, if possible.

How to do this?  I read somewhere that all one has to do is write the
contents of the blob to disk, with pfx extension.  But this does not
work as the import wizard will reject it.

Can someone tell me what steps I need to make to write the file
directly?

Thank you, Russ
date: Fri, 11 Jul 2008 17:57:00 -0400   author:   Russ

Re: How to create a .pfx file from cert request?   
Russ wrote:

> : hr = pEnroll4->acceptResponseBlob (&certBlob);
> 
> After that, I can export it into a .pfx file from IE or etc, and have
> a file I can use to install the cert on another pc.
> 
You accept the response and then call the createPFX method on the ICEnroll4.

If you don't want to "really" import it to your store during the accept, 
then you can create a temporary store via CertOpenStore using 
CERT_STORE_PROV_MEMORY, and set the icenroll4 to use that one by 
manipulating the "MyStore*" members.  Then it imports into your memory 
store, you createPFX it, and then close the mem store into oblivion :)
date: Fri, 11 Jul 2008 19:16:21 -0400   author:   ferrix

Re: How to create a .pfx file from cert request?   
Thanks Ferrix. Your information seems to be what I need but I have run
into another problem.  A few hours research did not reveal an answer
so maybe you or someone here can help.

I decided not to use the temporary store technique until after making
it work with the normal (personal) store.  So I did this:

: hr = pEnroll4->acceptResponseBlob (&certBlob);
: WCHAR pw [] = L"pass";
: hr = pEnroll4->createFilePFXWStr (pw, L"c:/TestCer.pfx");

acceptResponseBlob returns ok and the certificate is installed.
createFilePFXWStr returns error:

: 0x8009000b Key not valid for use in specified state.


Thanks for any insight.

Regards, Russ

date: Sun, 13 Jul 2008 06:14:51 -0400   author:   Russ

Re: How to create a .pfx file from cert request?   
Russ wrote:

> acceptResponseBlob returns ok and the certificate is installed.
> createFilePFXWStr returns error:
> 
> : 0x8009000b Key not valid for use in specified state.
> 
> 
> Thanks for any insight.
> 

Maybe the certificate's private key is not marked to be exportable?  I 
don't have access to my source code at the moment, so I can't find how I 
did that.  But that's what it sounds like to me.  The error 
unfortunately is a very general "it failed" message.
date: Mon, 14 Jul 2008 09:29:50 -0400   author:   ferrix

Re: How to create a .pfx file from cert request?   
Hi Russ,

For createFilePFXWStr to succeed, you must do two things:

  1- Ensure that the private key associated with the certificate was 
generated as exportable by using the flag CRYPT_EXPORTABLE in CryptGenKey.
  2- Place the call pEnroll4->put_GenKeyFlags(CRYPT_EXPORTABLE) before the 
createFilePFXWStr one.

The second point is the trick here. The CEnroll COM object is "naive" and it 
relies on its internal GenKeyFlags to see if it can perform 
createFilePFXWStr. If you don't set this flag and even if the key is 
exportable, the Pfx export will fail.

I hope this will help.
Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

to reach : mounir_idrix_fr (replace the underscores with the at and dot 
characters respectively)
date: Mon, 14 Jul 2008 10:44:04 -0700   author:   Mounir IDRASSI am
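An added example, not code from the thread, showing the precondition Mounir describes from the defender's side: before attempting a PFX export, confirm that the private key behind the certificate was actually generated exportable (CRYPT_EXPORTABLE), since that is the state 0x8009000b (NTE_BAD_KEY_STATE) reports and it cannot be changed after key generation. It uses PowerShell and the .NET certificate classes rather than the ICEnroll4 COM object; the thumbprint and output path are placeholders.

```powershell
# Added example: verify key exportability before exporting a PFX.
# Thumbprint and output path are placeholders, not values from the thread.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$OutFile    = 'C:\TestCer.pfx'
)

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $false }

    # CSP keys (CryptGenKey, as in the thread): CRYPT_EXPORTABLE is exposed
    # as CspKeyContainerInfo.Exportable. Accessing .PrivateKey throws for CNG keys.
    try {
        $csp = $Cert.PrivateKey
        if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return [bool]$csp.CspKeyContainerInfo.Exportable
        }
    } catch { }

    # CNG keys: the equivalent is the AllowExport bit of the key's ExportPolicy.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
        return (($rsa.Key.ExportPolicy -band $allow) -ne 0)
    }
    return $false
}

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }

if (-not (Test-PrivateKeyExportable -Cert $cert)) {
    # Same condition that makes createFilePFXWStr fail with 0x8009000b:
    # the key must be regenerated with CRYPT_EXPORTABLE; it cannot be flipped later.
    throw "Private key for $Thumbprint is not exportable; regenerate the request with CRYPT_EXPORTABLE"
}

# Prompt for the PFX password instead of hard-coding it as the thread's test code does.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password -ChainOption BuildChain | Out-Null
```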

Re: How to create a .pfx file from cert request?   
Mounir, thank you.  That did the trick.  It works perfectly now.

Thanks again,
Russ
date: Tue, 15 Jul 2008 19:28:54 -0400   author:   Russ