Windows 10: DigitCert SMIME certificate cannot be exported. Personal Information Exchange - PKCS #12...

As part of ensuring secure communication in our company we are trying to export SMIME certificate issued by Digicert unto our clients but we encountered few issues with regards to private keys not included or exportable during the exportation process via the certmgr console.Below is a Brief description of the error and the various troubleshooting attempts.During the export i noticed the option to select Personal Information Exchange - PKCS #12 .PFX option was greyed out on the cert export wizard as seen in the screenshot below I tried to troubleshoot the issue by first inspecting i

:)

 

how do I export certificates and/or private keys?

Hi,

Thank you for posting your query on Microsoft Community. Let me assist you.

I suggest you to follow the below steps to export a certificate with a private key

1. Open the Certificates console for the user, computer, or service you want to manage.

2. In the console pane, select the certificate store and container holding the certificate that you want to export.

3. In the details pane, click the certificate you want to export.

4. On the Action menu, point to
All Tasks, and then click Export.

5. In the Certificate Export Wizard, click
Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)

6. Under Export File Format, do one or all of the following, and then click
Next.

• To include all certificates in the certification path, select the
  Include all certificates in the certification path if possible check box.
• To enable strong protection, select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box.
• To delete the private key if the export is successful, select the
  Delete the private key if the export is successful check box.

7.In Password, type a password to encrypt the private key you are exporting. In
Confirm password, type the same password again, and then click
Next.

8. In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click
Next, and then click Finish.

Hope this information is helpful. Please do let us know if you need further assistance, we’ll be glad to assist you.

 

EAP personal certificate 5800

You would need to convert your personal certificate from it's current PEM format to PKCS#12 (.pfx) format. PKCS#12 format should be installable on the phone assuming that content and capabilities of the certificate and the private key itself are compatible
with the phone. PKCS#12 file will be single password protected .pfx file (a container) including both the private key and personal certificate. Sometimes PKCS#12 .pfx file may also include the CA certificate(s) so that CA certificate don't need to be installed
separately from the personal certificate.



Conversions between different certificate file formats can be done with OpenSSL. OpenSSL is a open source command line tool for handling various certificate related operations. It is rather complex and powerful set of tools but e.g. a conversion between
PEM and PKCS#12 format is typically not too difficult to do once you have a PC with OpenSSL available. Of course using command line based tools like OpenSSL will require certain amount geekiness but nothing too extreme.



If you feel comfortable to give OpenSSL conversion a try you can find OpenSSL installation package for Windows e.g. by googling "Win32 OpenSSL" and installing it on a Windows PC. I think that the "light" Win32 version of the OpenSSL installation packages
provided by the Shining Light Productions web page should be sufficient enough for a simple conversion task like this. Once you have the OpenSSL installed and functional on a PC you can proceed to the actual conversion. In case you have access to a Linux PC
it might already have the OpenSSL installed if your locky. Point is that you don't necessarily need to have a Windows version of the OpenSSL to do this conversion but basically any PC with OpenSSL should be good for the task.



First you should propably take a look at your PEM file with text editor (e.g. open with Wordpad on a Windows PC) and see if the PEM file contains both "BEGIN / END PRIVATE KEY" and "BEGIN / END CERTIFICATE" tags with some code between the BEGIN and END tags
since this indicates that both private key and the actual certificate are included in this single PEM file you have received.



If your PEM file does not contain the "PRIVATE KEY" section then you should also have received a separate private key file (named .key .pvk .pem or something else) in addition to the "certificate only" PEM file from the people who provided the certificate.



Copy your PEM formatted certificate file(s) to your PC with the OpenSSL, start the command line and go to the folder where your certificate files are located. Assuming that your PEM file includes both the certificate and the private key then these can be
converted to PKCS#12 format using following OpenSSL command:



openssl pcks12 -export -in yourcertificate.pem -out yournewcertificate.pfx



After entering this command OpenSSL will prompt you to provide a password that will be used for protecting the new PKCS#12 (.pfx) file. Select and enter a password (twice) and note that you will need to remember this later when installing the resulting .pfx
file on your phone.



In case you have a separate private key file in addition to personal certificate PEM file then format of the OpenSSL command that creates a single PKCS#12 pfx file (containing both private key and personal certificate) would be something like this:



openssl pkcs12 -export -in yourcertificate.pem -inkey yourprivatekey.pvk -out yournewcertificate.pfx



Naturally you need to replace the filenames in above example following the "-in" and "-inkey" options with the actual names of your files and you should define a filename for the resulting .pfx file after the "-out" option (ensure that you won't end up overwriting
the existing PEM file and keep a copy of it in some other folder in any case).



It's important to note that you must have both the personal certificate and it's private key installed on the phone in order to be able to use your personal certificate for EAP-TLS authentication (these are both most likely included in your PEM file). Naturally
you will also need to have the Certificate Authority certificate installed on the phone but it sounds that you had already managed to install that one. The PEM file (like PFX file) might also contain the both the CA certificate and personal certificate so
don't worry if you get "certificate already installed" type of warning when installing the PKCS#12 (.pfx) file on the phone later since it means that your original PEM file also contained the CA certificate which got automatically included to .pfx file during
the conversion and since you had already previosly installed the same CA certificate phone just notes that this CA is already installed.

Once you have successfully converted your personal certificate and private key in to the PKCS#12 (.pfx) file format then you should be able to copy the resulting .pfx file (created by OpenSSL) to your phone and hopefully install it on the phone.



Note that your phone will ask you to define a "phone key store" password (select a password you wish and enter it twice) when you are installing first "personal certificate" on your phone. Once you have created the phone key store password you will be prompted
for the password of the PKCS#12 (.pfx) file so this is the password that you entered during the OpenSSL conversion.



Ensure that you will also remember your newly created private key store password since it will be prompted by the phone later when this particular personal certificate is being used for the EAP-TLS authentication.



If you managed to install your personal certificate (and the private properly) then you should be able to go to your access point's EAP-TLS settings and select your certificateas a personal certificate and select the previously installed CA certificate as
a Certificate Authority for the EAP-TLS authentication.

 

Windows 10 requires certificate confirmation everytime the certificate is used

This is an optional feature activated when importing the certificate. If you can, try first exporting the cert (with its private key) to a PKCS#12 file, deleting it from Personal, and re-importing back to Personal without selecting the additional "protection" features.