Koozali.org: home of the SME Server

[SOLVED] problem (AGAIN) with .PFX certificate

Jáder
[SOLVED] problem (AGAIN) with .PFX certificate
« on: November 10, 2022, 10:05:13 PM »
I have problems again importing a .PFX certificate.
It just happens every year... and just for Chrome / Windows 10 (Chrome uses Windows structures to store certificates).

What happens: it refuses to import or complains about a corrupted profile (not real!).
Note that the exact same certificate and password are fine to import on Firefox, and any test site will validate the certificate if you access it on Firefox. But I need this on Chrome/Win10.

Any ideas?

At least to me it appears as if a cryptographic part made by Windows servers (maybe a policy like the one shown at https://learn.microsoft.com/en-us/mem/configmgr/mdm/deploy-use/create-pfx-certificate-profiles) is missing on the SME Server side!

Does anyone understand more about certificates and can point me in the right direction?
(I'm guessing my fate is a long night searching on Google!)
« Last Edit: November 11, 2022, 09:35:48 PM by Jáder »

Jáder
Re: problem (AGAIN) with .PFX certificate
« Reply #1 on: November 10, 2022, 10:08:43 PM »
Hi Jean-Philippe,

Here on this thread about the same problem several years ago, you said you could help:

https://forums.koozali.org/index.php?action=post;quote=277231;topic=53410.0;last_msg=278027

I can do it by myself, if you teach me how to deal with each key (registry key?) and keep you free for your "main job" here = make SME better! :D

« Last Edit: November 11, 2022, 09:22:32 PM by Jáder »

Jean-Philippe Pialasse (aka Unnilennium)
Re: problem (AGAIN) with .PFX certificate
« Reply #2 on: November 11, 2022, 01:40:42 PM »
We are still missing some info, and start to get some more from your new post.

Where does the pfx certificate come from?
Have you tried your last import to Firefox and then exporting as p12 and importing to Chrome?

pfx is the older M$ extension of the p12 files. From my recent experience the p12 extension can use a variety of content and not all versions are accepted everywhere.
So knowing the origin, digging into what the purpose of the content is (vpn, signature…) and what version/object was used, pkcs 8 and so on.

See https://en.wikipedia.org/wiki/PKCS_12?wprov=sfti1


Jáder
Re: problem (AGAIN) with .PFX certificate
« Reply #3 on: November 11, 2022, 09:20:58 PM »
It was a nightmare, more than 8 hours of work. It was a problem for several years, and now I found a howto that I hope helps someone else.
I'm not sure why Win10 has problems with certificates when the user is logged in to the domain, but it was a problem for me EVERY SINGLE YEAR on SSL renewal!

The PFX is easy to import on Firefox and works fine every single time, but in Chrome and Win10, no!!
So you must use CERTUTIL in the Windows CMD to diagnose and import the certificate. Below is a howto in TXT.


1) Open CMD and run:

Code:
Certutil -store my

Find your certificate (search and take note of the fingerprint) for info like:

Code:
================ Certificado n ================
Número de Série: 50f6b16ab1c50e91
Emissor: CN=AC SAFEWEB RFB v5, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR
 NotBefore: 10/11/2022 15:37
 NotAfter: 10/11/2023 15:37
Requerente: CN=XXX
Certificado não raiz
Hash Cert(sha1): 391XXX...XXX79d22cbd
  Contêiner da chave = XXXXX867a-3f5d
  Nome de contêiner exclusivo: 3558b16e85bee484bf7e3ed7aa5c17c8_4a703830-462a-453c-a46f-a1fca6b84967
  Provider = Microsoft Strong Cryptographic Provider
Êxito no teste de criptografia
CertUtil: -store : comando concluído com êxito.


The important thing is that it shows SUCCESS on the cryptography test.
If it has no success, remove all old versions, old certificates and trash from the PERSONAL tab using the CERTMGR application.

Now open ANOTHER CMD as ADMIN, and use CERTUTIL to import the new SSL cert using something like:

Code:
certutil -f -p PASSWORD -importpfx CERTIFICATE.PFX

Run the command certutil -store my again to verify SUCCESS on cryptography,
and if it's ok, close the ADMIN CMD.
 
Now in a USER CMD (a normal one!) run this command:

Code:
certutil -viewstore my

It will start an app to show certificates; scroll down to choose your certificate and DO NOT PRESS the OK button.
Choose the option to show details, it will show info and a button to INSTALL certificates.
(Yes I know, you already have it installed... but it does not work, believe me!)

Now choose to install TWICE (on LOCAL USER and MACHINE), always in the PERSONAL space,
and try the Chrome site verification again!!

« Last Edit: November 11, 2022, 09:35:25 PM by Jáder »

Jean-Philippe Pialasse (aka Unnilennium)
Re: [SOLVED] problem (AGAIN) with .PFX certificate
« Reply #4 on: November 13, 2022, 04:15:08 AM »
Let's Encrypt?

Jáder
Re: [SOLVED] problem (AGAIN) with .PFX certificate
« Reply #5 on: November 13, 2022, 09:50:52 AM »
Let's Encrypt?

Nope! A paid certificate used to authenticate people.
It was issued by a very popular CA in Brazil = SAFEWEB.
I'm not sure what causes this error, but now there is a howto for anyone who suffers from something similar.
I spent thousands of hours installing certificates that should be "just two clicks"... at least 7 years of problems installing certificates.

Jean-Philippe Pialasse (aka Unnilennium)
Re: [SOLVED] problem (AGAIN) with .PFX certificate
« Reply #6 on: November 13, 2022, 02:23:10 PM »
There is for sure a way to do that using a netlogon script.

Chrome is designed to respect some admin policies and prevent the user from changing parameters. You should seek this way and design a logon script deleting all old certs and importing the current valid one.
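As an added example, not from either poster, here is what such a logon script could look like in PowerShell: it imports the current PFX into the user's Personal store (the store Chrome reads on Windows), removes superseded copies with the same subject, and reproduces the certutil "encryption test" from Reply #3 by signing and verifying with the key pair. The share path, subject filter and password handling are assumptions.

```powershell
# Added example (not from the thread): logon-script style PFX rollout and key self-test.
param(
    [Parameter(Mandatory)] [string]       $PfxPath,        # e.g. \\SERVER\netlogon\user.pfx (placeholder)
    [Parameter(Mandatory)] [SecureString] $PfxPassword,    # never hard-code the PFX password in the script
    [string] $SubjectMatch  = "CN=XXX",                     # subject as shown in the certutil -store output
    [string] $StoreLocation = "Cert:\CurrentUser\My"        # Personal store; Chrome on Windows reads this one
)

# 1. Import the current certificate first, so its thumbprint tells us which copies are stale.
$new = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StoreLocation -Password $PfxPassword
if (-not $new.HasPrivateKey) {
    throw "PFX imported without a private key; the problem is the file, not the Windows profile."
}

# 2. Remove older certificates with the same subject (different thumbprint, earlier expiry),
#    the manual CERTMGR clean-up from the thread. -DeleteKey also drops the orphaned key container.
Get-ChildItem $StoreLocation |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and
                   $_.Thumbprint -ne $new.Thumbprint -and
                   $_.NotAfter -lt $new.NotAfter } |
    ForEach-Object {
        Write-Host "Removing superseded certificate $($_.Thumbprint) (expired/expires $($_.NotAfter))"
        Remove-Item -Path $_.PSPath -DeleteKey
    }

# 3. Equivalent of certutil's "encryption test": sign with the private key, verify with the public key.
#    Returns $false when the key is not openable from this user context (or is not RSA).
function Test-CertificateKeyPair {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $rsaPriv = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsaPriv) { return $false }
    $rsaPub  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $data    = [Text.Encoding]::UTF8.GetBytes("keypair self-test " + (Get-Date -Format o))
    $hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
    $pad     = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $sig     = $rsaPriv.SignData($data, $hash, $pad)
    return $rsaPub.VerifyData($data, $sig, $hash, $pad)
}

if (Test-CertificateKeyPair -Cert $new) {
    Write-Host "OK: $($new.Subject) [$($new.Thumbprint)] imported; private key usable until $($new.NotAfter)"
} else {
    Write-Warning "Imported, but the private key is not usable from this user context; Chrome cannot present it."
    exit 1
}
```

Run it in the user's own session (not an elevated one), because a key imported into an admin's CurrentUser store is invisible to the logged-in user, which is the trap Reply #3 works around with the second, non-admin CMD.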

Jáder
Re: [SOLVED] problem (AGAIN) with .PFX certificate
« Reply #7 on: November 13, 2022, 05:12:18 PM »
There is for sure a way to do that using a netlogon script.

Chrome is designed to respect some admin policies and prevent the user from changing parameters. You should seek this way and design a logon script deleting all old certs and importing the current valid one.

I'm sure it could be automated... but if it works manually I can do it on ALL THREE PCs where I need the certificate...
Maybe next year I'll think about it again...kkk
Let's move forward. No more interest in this topic.
FIXED and documented, in case I or someone else see something like that again.
Thank you for your help.