Certificates

Certificates can be found with the MMC Certificates snap-in.

Use the Export option including the private key (.pfx) to allow import on another computer.

Find the certificate authority (lists the enterprise CAs published in AD and pings the selected one):

certutil -config - -ping

Update Certificates

Update Certificate on IIS server:

  • import the certificate into the cert store
  • open IIS, go to the default website (or whatever site needs the cert updated) > Edit Bindings > 443 > select the new certificate
  • in PowerShell, restart IIS so it picks up the new certificate:

iisreset -noforce

Update cert on ADFS server:

  • import the certificate into the cert store
  • run the following PowerShell command (the thumbprint is the new certificate's; -Member lists the farm servers to update):

Set-AdfsSslCertificate -Member <server1>,<server2> -Thumbprint <thumbprint>

  • in ADFS Management > Service > Certificates > Renew Service Communications certificate with the new certificate

Update on ADFS Proxy server:

  • import the certificate into the cert store
  • check the current certificate binding for the ADFS proxy:

Get-WebApplicationProxySslCertificate

Apply the new certificate:

Set-WebApplicationProxySslCertificate -Thumbprint <thumbprint>

If you don't want to worry about copy-pasting the thumbprint of the certificate, you can read it from the cert store in PowerShell:

cd cert:\LocalMachine\My
$cert = Get-ChildItem | Select-Object FriendlyName,Thumbprint | Where-Object { $_.FriendlyName -like "Certificate friendlyname" }

Then you can use $cert.Thumbprint in the Set command instead of copying the thumbprint from the certificate's properties dialog and removing all the spaces. If more than one certificate matches the friendly name (for example the old one and the renewed one), $cert becomes an array and $cert.Thumbprint returns all of them, so check that you got exactly one.
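The lookup above, as an added example that is not part of the original notes: a function that resolves a thumbprint from the friendly name, refuses ambiguous matches (old and renewed certificate sharing a name), and checks the certificate has a private key and has not expired before handing the thumbprint to a binding command. It assumes an elevated PowerShell session on the server that holds the certificate; the friendly name and the final Set-* call are placeholders for your own.

```powershell
# Added example (not from the original notes): resolve a certificate thumbprint
# from its friendly name in the LocalMachine\My store, refusing ambiguous matches
# and rejecting certificates that cannot serve TLS.
# Assumes: run in an elevated PowerShell on the server holding the certificate.
function Get-CertThumbprintByFriendlyName {
    param(
        [Parameter(Mandatory)] [string] $FriendlyName,
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [int] $WarnDays = 30
    )

    # Exact match on FriendlyName; -like with a wildcard would silently pick up renewals
    $found = @(Get-ChildItem -Path $StorePath | Where-Object { $_.FriendlyName -eq $FriendlyName })

    if ($found.Count -eq 0) {
        throw "No certificate with friendly name '$FriendlyName' in $StorePath"
    }
    if ($found.Count -gt 1) {
        # Several copies (e.g. old and renewed cert) share the name: make the caller choose
        $list = ($found | ForEach-Object { "$($_.Thumbprint) (expires $($_.NotAfter))" }) -join '; '
        throw "Friendly name '$FriendlyName' is ambiguous: $list"
    }

    $cert = $found[0]
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; it cannot be used for a TLS binding"
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
    }

    # Thumbprint is hex without spaces, which is what the Set-* cmdlets and netsh expect
    return $cert.Thumbprint
}

# Usage (placeholder friendly name): pass the thumbprint straight to the binding command
$thumb = Get-CertThumbprintByFriendlyName -FriendlyName 'Certificate friendlyname'
Set-WebApplicationProxySslCertificate -Thumbprint $thumb
```

The exact-match comparison and the ambiguity check are deliberate: a wildcard -like against a store that still holds last year's certificate is the usual way a renewal ends up binding the expired copy.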

Extract .crt

If you need the cert in .crt format with its key for SSL, you can use OpenSSL to extract them.

Download it from here: https://slproweb.com/products/Win32OpenSSL.html

When installing, make sure to add OpenSSL to the environment variables and PATH so it can be used easily from the command line (sysdm.cpl > Environment Variables), or run the following commands in cmd for one-time use:

set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path=%Path%;C:\Program Files\OpenSSL-Win64\bin

Use the following commands to extract, running OpenSSL from an elevated prompt:

openssl pkcs12 -in C:\PathToThePFXfile\myPFXfileName.pfx -out certificate.txt -nodes
# to keep the private key encrypted, omit -nodes (you will be asked for a PEM pass phrase)
openssl pkcs12 -in C:\PathToThePFXfile\myPFXfileName.pfx -out certificate.txt
# then copy the private key block to its own file; the pass phrase is still needed to use it

This writes the certificate and private key in PEM form to a text file, from which you can copy the certificate block into a .crt file and the private key block into a .key file. With -nodes the key in that file is unencrypted, so treat the file like the .pfx password.

Convert a .cer file to PEM (a .cer holds only the certificate, never the private key; add -inform DER if the file is binary):

openssl x509 -in <certificate.cer> -out <certificate.crt>

Extract the key as an encrypted key:

openssl pkcs12 -in yourfile.pfx -nocerts -out keyfile-encrypted.key

Extract the unencrypted key:

openssl rsa -in keyfile-encrypted.key -out keyfile-decrypted.key

Extract just the certificate:

openssl pkcs12 -in yourfile.pfx -clcerts -nokeys -out certificate.crt

Convert From .pem to pfx

Certificates will need to be converted for use in Windows IIS, as Windows prefers the .pfx format.

Use the following command:

openssl pkcs12 -export -in <certificate>.pem -inkey <privatekey>.pem -out <certificate>.pfx

SSL Certificates netsh

Check certificates bound to ports in netsh:

netsh http show sslcert

Add a certificate to a port (certhash is the thumbprint without spaces; appid is a GUID identifying the owning application):

netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid='{EDE3C891-306C-40fe-BAD4-895B236A1CC8}'

Delete an sslcert binding:

netsh http delete sslcert ipport=0.0.0.0:443

Extract Private key from pfx and create new cert

Extract the private key:

openssl pkcs12 -in filetogetkeyextractedfrom.pfx -nocerts -out extractedprivatekey.key

Extract the public certificate if required:

openssl pkcs12 -in filetogetpublickeyextractedfrom.pfx -clcerts -nokeys -out certfilewithpublickey.crt

Create a new certificate file from the .crt (certificate) and .key (private key):

openssl pkcs12 -export -out newcerttocreate.pfx -inkey extractedprivatekey.key -in certfilewithpublickey.crt
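The extract-and-rebuild round trip above, as an added example that is not part of the original notes. It generates a throwaway self-signed certificate so it runs without a real .pfx, drives openssl.exe from PowerShell with the password passed via -passin/-passout instead of interactive prompts, and verifies that the extracted private key actually belongs to the extracted certificate before building the new .pfx. It assumes openssl.exe is on PATH (see the install notes above) and a Windows version whose Export-PfxCertificate supports -CryptoAlgorithmOption; the password, file names and the example.test DNS name are constructed.

```powershell
# Added example (not from the original notes): round-trip a .pfx through OpenSSL
# and verify the key/certificate pair before rebuilding a new .pfx from it.
# Assumes: openssl.exe on PATH; Export-PfxCertificate with -CryptoAlgorithmOption.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'pfx-roundtrip'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$PfxPassword = 'changeit'   # constructed test password, not for production use
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force

# 1. Constructed input: a throwaway self-signed cert exported with its private key.
#    AES256_SHA256 keeps the PFX readable by OpenSSL 3 without the legacy provider.
$cert = New-SelfSignedCertificate -DnsName 'example.test' -CertStoreLocation 'Cert:\CurrentUser\My'
$pfx  = Join-Path $work 'source.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $secure -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# 2. Extract the private key (unencrypted, hence -nodes) and the leaf certificate
$key = Join-Path $work 'extractedprivatekey.key'
$crt = Join-Path $work 'certfilewithpublickey.crt'
openssl pkcs12 -in $pfx -nocerts -nodes -out $key -passin "pass:$PfxPassword"
if ($LASTEXITCODE -ne 0) { throw 'openssl key extraction failed' }
openssl pkcs12 -in $pfx -clcerts -nokeys -out $crt -passin "pass:$PfxPassword"
if ($LASTEXITCODE -ne 0) { throw 'openssl certificate extraction failed' }

# 3. Check the pair matches: the public key inside the certificate must equal
#    the public half of the private key. A mismatch here means the wrong .key
#    file was picked up and the resulting .pfx would never complete a TLS handshake.
$certPub = openssl x509 -in $crt -noout -pubkey
$keyPub  = openssl pkey -in $key -pubout
if (($certPub -join "`n") -ne ($keyPub -join "`n")) {
    throw 'Private key does not match the certificate; do not build a .pfx from this pair'
}

# 4. Rebuild a new .pfx from the verified pair
$newPfx = Join-Path $work 'newcerttocreate.pfx'
openssl pkcs12 -export -out $newPfx -inkey $key -in $crt -passout "pass:$PfxPassword"
if ($LASTEXITCODE -ne 0) { throw 'openssl export failed' }

# 5. Confirm Windows can open the result and that the thumbprint is unchanged
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($newPfx, $PfxPassword)
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'Rebuilt .pfx carries a different certificate' }
Write-Host "Rebuilt $newPfx with thumbprint $($check.Thumbprint)"

# Clean up the throwaway cert and, above all, the unencrypted key file
Remove-Item -Path $cert.PSPath
Remove-Item -Path $key
```

The public-key comparison in step 3 is the check worth keeping in a real runbook: openssl pkcs12 -export happily packages a key that does not belong to the certificate, and the failure only surfaces later as an IIS binding that accepts no connections.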

Create certificate from lets encrypt output for windows vms

Use certbot on a server that can receive inbound traffic on ports 80 and 443 for the DNS name you want the cert for:

certbot certonly --standalone

Then use OpenSSL with the generated files (privkey.pem, cert.pem and chain.pem) to build the .pfx:

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

Bind certificates in netsh

Use the following command to check the current bindings:

netsh http show sslcert

Unbind, then bind the new certificate with its thumbprint (for an existing binding, reuse the Application ID that show sslcert reports):

netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid='{<application GUID>}'
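The unbind/rebind procedure above, as an added example that is not part of the original notes: a parser for the output of netsh http show sslcert, and a function that rebinds a given ip:port only when the bound hash differs from the wanted thumbprint, keeping the existing Application ID. The "Label : value" layout of the netsh output is an assumption about the tool's formatting, and the sample output embedded below is constructed; the default appid is the GUID from the notes above.

```powershell
# Added example (not from the original notes): parse 'netsh http show sslcert'
# and rebind an ip:port to a new thumbprint only when it actually differs.
# Assumes the "Label : value" output layout of netsh; sample text is constructed.
function ConvertFrom-NetshSslCert {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $bindings = @()
    $current = $null
    foreach ($line in $Lines) {
        # each binding starts with its IP:port line; following lines belong to it
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ IpPort = $matches[1]; CertHash = $null; AppId = $null; Store = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.CertHash = $matches[1].ToUpper()
        } elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $matches[1]
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

function Update-SslCertBinding {
    param(
        [Parameter(Mandatory)] [string] $IpPort,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $AppId = '{EDE3C891-306C-40fe-BAD4-895B236A1CC8}',  # GUID from the notes above
        [switch] $WhatIf
    )
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()   # strip spaces copied from the GUI
    $existing = ConvertFrom-NetshSslCert -Lines (netsh http show sslcert) |
                Where-Object { $_.IpPort -eq $IpPort }
    if ($existing -and $existing.CertHash -eq $Thumbprint) {
        Write-Host "$IpPort is already bound to $Thumbprint; nothing to do"
        return
    }
    if ($existing) {
        Write-Host "Unbinding $IpPort (currently $($existing.CertHash))"
        if (-not $WhatIf) { netsh http delete sslcert "ipport=$IpPort" | Out-Null }
        if ($existing.AppId) { $AppId = $existing.AppId }   # keep the owning application's ID
    }
    Write-Host "Binding $IpPort to $Thumbprint for application $AppId"
    if (-not $WhatIf) {
        netsh http add sslcert "ipport=$IpPort" "certhash=$Thumbprint" "appid=$AppId"
        if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed for $IpPort" }
    }
}

# Constructed sample of the netsh output, used to exercise the parser offline
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {EDE3C891-306C-40fe-BAD4-895B236A1CC8}
    Certificate Store Name       : MY
'@ -split "`r?`n"
ConvertFrom-NetshSslCert -Lines $sample | Format-Table

# Dry run against the live machine first (placeholder thumbprint), then drop -WhatIf
Update-SslCertBinding -IpPort '0.0.0.0:443' -Thumbprint '<new thumbprint>' -WhatIf
```

Comparing hashes before deleting avoids the short outage of a needless unbind, and carrying the existing Application ID over means the binding stays associated with the service that created it rather than silently changing owner.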

Check Certificates

Use certutil to check the status of a certificate (fetches the AIA and CRL/OCSP URLs it references and verifies the chain):

certutil -f -urlfetch -verify <certificate.cer>

Use the certutil GUI to check that the CRL distribution point and AIA URLs in the certificate are reachable:

certutil -url <certificate.cer>
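The same check from PowerShell, as an added example that is not part of the original notes: it builds the chain with .NET's X509Chain using online revocation checking, which fetches the CRL/OCSP endpoints much like certutil -urlfetch -verify does, and reports every status flag rather than a bare pass/fail. It assumes the certificates are in the local machine store and that the server can reach the CRL/OCSP URLs; the function name is my own.

```powershell
# Added example (not from the original notes): chain validation with online
# revocation checking, reporting all status flags for each certificate.
# Assumes the certs are in Cert:\LocalMachine\My and CRL/OCSP URLs are reachable.
function Test-CertificateChain {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode = 'Online'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'            # check every cert, not just the leaf
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
    $ok = $chain.Build($Certificate)

    # Distinct status flags across all chain elements (empty when the chain is clean)
    $problems = $chain.ChainStatus |
        ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" } |
        Sort-Object -Unique

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        ChainValid = $ok
        ChainPath  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Problems   = $problems
    }
}

# Usage: verify every certificate with a private key in the machine store
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CertificateChain -Certificate $_ } |
    Format-List
```

A RevocationStatusUnknown or OfflineRevocation flag in Problems usually means the server cannot reach the CRL or OCSP URL, which is the same condition certutil -urlfetch surfaces as a failed URL retrieval; that is worth fixing before it turns into client-side errors.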