
Almost there, "Cannot export PKCS12; Issuer certificate hasn't been resolved" #98

Closed
IpgGitCode opened this issue Feb 18, 2016 · 8 comments


@IpgGitCode

Hi,

New to this so bear with me. I have got as far as generating the certificate crt and crt.pem files but I cannot get the pfx file created. Apparently that is what I need for the certificate to be available on Windows servers.

What is the extra step I am missing from the quick start? This works:

Get-ACMECertificate MyCertName -ExportCertificatePEM "\\pathto\certs\MyCertName.crt.pem" -ExportCertificateDER "\\pathto\certs\MyCertName.crt"

but this does not:

Get-ACMECertificate MyCertName -ExportPkcs12 "\\pathto\certs\MyCertName.pfx"

Thanks

@IpgGitCode (Author)

[EDIT] Don't do this. See the detailed help/instructions in @bseddon's comments below, which do not require any other software.

Following abcdef here I was able to use OpenSSL to create the necessary package to import to IIS on Windows. Is there a way to do it within ACMESharp?

Steps for anyone else:
1. Install OpenSSL.
2. Use Get-ACMECertificate -CertificateRef MyCertName to find the KeyPemFile and CrtPemFile file names.
3. Use Get-ACMEVaultProfile to locate the vault containing the certificate files.
4. Package them into a .pfx with: openssl pkcs12 -export -out MyCertName.pfx -inkey KeyPemFile -in CrtPemFile
5. In IIS Manager, use Server Certificates to import the .pfx package.

@bseddon (Contributor)

bseddon commented Feb 19, 2016

There is a much simpler mechanism, and no need to install OpenSSL. It would be great if you could correct your message so no one is left with that impression. The instructions here are long, but that's because I'm trying to provide an explanation. Here's the short version:

# Get the issuer (LE) certificate and import it into the Windows CA store.
# These first two steps are required only once. Next time a certificate is imported they will not be needed.
Get-ACMEIssuerCertificate -ExportCertificatePEM le.pem
Import-Certificate -CertStoreLocation "Cert:\LocalMachine\CA" -FilePath le.pem
# Get your certificate and import it into the web hosting certificate store used by IIS.
Get-ACMECertificate myalias -ExportCertificatePEM mycert.pem
Import-Certificate -CertStoreLocation "Cert:\LocalMachine\WebHosting" -FilePath mycert.pem

OK. Now the long form, but if you want to have all this taken care of for you, use the script attached to this post: #76.

You can use this command to export in PKCS12 format:

Get-ACMECertificate myalias -ExportPkcs12 mycert.pfx

This command will fail unless you have already imported the LE intermediary certificate into the Windows CA certificate store. The LE intermediary certificate is in the vault. By default you will find it in this folder:

C:\ProgramData\ACMESharp\sysVault\75-ISUPM

Your path may be different but as you point out, you can use the following command to see the path on your machine:

(Get-ACMEVaultProfile).VaultParameters['RootPath']

The LE certificate will be the only file in this folder. Or you can export the file so you don't need to mess with the vault:

Get-ACMEIssuerCertificate -ExportCertificatePEM le.pem

You then have two choices. Using the certificate applet, import this file into the intermediate certificate store. Or temporarily rename the file to have a .crt extension, then right-click it, select 'Install Certificate' from the context menu, install it into the local machine and select the intermediate certificate store.

Now the command above to export your certificate as a .pfx will work.

You can import the .pfx file you create into the store used by IIS by using the command:

Import-PfxCertificate -CertStoreLocation "cert:\LocalMachine\WebHosting" -FilePath mycert.pfx

Because the intermediate certificate has been imported, there's no need to create a .pfx file. Your certificate in a .pem file can be imported:

Get-ACMECertificate myalias -ExportCertificatePEM mycert.pem

Import-Certificate -CertStoreLocation "cert:\LocalMachine\WebHosting" -FilePath mycert.pem

Note: the cmdlet used in the last step is Import-Certificate while earlier Import-PfxCertificate was used.

@IpgGitCode (Author)

Thank you for the excellent module and support. I do not appear to have a 75-ISUPM folder in my vault, and Get-ACMEIssuerCertificate -ExportCertificatePEM le.pem fails with "No issuer certificates found", but I will try it again from the top tomorrow.

@bseddon (Contributor)

bseddon commented Feb 19, 2016

Have you generated a certificate yet? I think the issuer certificate is retrieved as part of the process of successfully generating a certificate, but it's a while since I had to worry about this. However, the LE certificates are available from their site, so you can download and import them manually. It's a one-time task.

@bseddon (Contributor)

bseddon commented Feb 19, 2016

Just to be sure, today I started over by deleting my vault. The issuer certificates are downloaded and stored in the vault only after the command:

Update-ACMECertificate certalias

Until this command is issued, you may have a valid certificate (assuming you have been through the steps to generate one) but the issuer certificates are not downloaded.
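The full sequence from the two comments above (Update-ACMECertificate to pull the issuer certificate into the vault, then the export and import steps), written out as an added PowerShell example. This is not code from the ACMESharp project or from anyone in this thread. It assumes the ACMESharp module is imported, an elevated session on the IIS host, an already-issued certificate under the alias given, and that Get-ACMECertificate accepts a -CertificatePassword parameter for the PKCS#12 export (treat that parameter name as an assumption and confirm it with Get-Help Get-ACMECertificate). It goes beyond the thread in two places a practitioner would want: the .pfx is password-protected because it carries the private key, and the chain is verified with X509Chain after the import so a missing intermediate shows up before an IIS binding is changed.

```powershell
# Added example, not from the ACMESharp project or this thread.
# Run in an elevated PowerShell session on the IIS host with ACMESharp loaded.
param(
    [string]$Alias  = 'myalias',   # ACMESharp certificate alias (assumed name)
    [string]$OutDir = 'C:\certs'   # local disk, not a UNC share: the .pfx holds the private key
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Refresh the certificate record. This is the step that downloads the
#    issuer (intermediate) certificate into the vault; without it the
#    PKCS#12 export fails with "Issuer certificate hasn't been resolved".
Update-ACMECertificate $Alias | Out-Null

# 2. Export the issuer certificate and place it in the LocalMachine CA
#    (Intermediate Certification Authorities) store. Needed once per machine.
$issuerPem = Join-Path $OutDir 'le-issuer.pem'
if (Test-Path $issuerPem) { Remove-Item $issuerPem }
Get-ACMEIssuerCertificate -ExportCertificatePEM $issuerPem | Out-Null
Import-Certificate -CertStoreLocation 'Cert:\LocalMachine\CA' -FilePath $issuerPem | Out-Null

# 3. Export the leaf certificate together with its private key.
#    -CertificatePassword is assumed to be the PKCS#12 password parameter.
$pfxPath = Join-Path $OutDir "$Alias.pfx"
if (Test-Path $pfxPath) { Remove-Item $pfxPath }
$pfxPassword = Read-Host -AsSecureString -Prompt "Password to protect $pfxPath"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Get-ACMECertificate $Alias -ExportPkcs12 $pfxPath -CertificatePassword $plain | Out-Null
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the plaintext copy
    $plain = $null
}

# 4. Import the .pfx into the Web Hosting store that IIS bindings use.
#    The key is left non-exportable, which is what a server usually wants.
$imported = Import-PfxCertificate -CertStoreLocation 'Cert:\LocalMachine\WebHosting' `
    -FilePath $pfxPath -Password $pfxPassword

# 5. Verify that a chain actually builds on this machine (i.e. the
#    intermediate from step 2 is present) before touching any IIS binding.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($imported)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain validation failed for $($imported.Subject); is the issuer certificate in Cert:\LocalMachine\CA?"
}
Write-Host "Imported $($imported.Subject) with thumbprint $($imported.Thumbprint)"
$chain.ChainElements | ForEach-Object { Write-Host "  chain: $($_.Certificate.Subject)" }
```

Revocation checking is switched off in the chain build only because the point here is to confirm the intermediate is installed, not to reach the CRL/OCSP endpoints from the server; drop that line if you want the full check. The exported .pfx should be deleted or moved to restricted storage once the import has succeeded, since the private key now lives in the machine store.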

@IpgGitCode (Author)

Thank you, that was the missing step for me. I followed the quick start and did not run Update-ACMECertificate because my certificate was created immediately. Evidently you need to run it at least once even if you get the certificate. When I ran Update-ACMECertificate MyCertName the missing 75-ISUPM folder appeared in the vault and Get-ACMECertificate MyCertName -ExportPkcs12 "\\pathto\certs\MyCertName.pfx" worked.

[The only other hiccup as I went through the quick start was checking the DNS challenge status. It looked like it was permanently pending until I used (Update-ACMEIdentifier MyCertName -ChallengeType dns-01).Challenges to view the responses separately.]

Thanks again for a great module.

@ebekker (Owner)

ebekker commented Feb 22, 2016

Looks like the issue is resolved, so I'm closing it out. If there are further questions, please reopen.

@pablolurquilopez

I had the same issue after applying the solution for #286.

The newly generated vault did not include the folders:
- 75-ISUPM
- 76-ISUDR
In the file [Vaultroot]\00-VAULT, this entry was empty under Certificates > [Cert Identifier]:
- "IssuerSerialNumber": null,
and at the end of the file:
- "IssuerCertificates": null

To resolve it and get it exporting certificates:
- I copied both folders and their files from a non-custom vault (the one that was failing before) into the new custom vault.
- I edited these entries manually and filled in the proper information in the 00-VAULT file.
Then I was able to export the certificate successfully.

I had already installed:
In intermediate certs (Local Computer):
- DST Root CA X3 cert with serial 44 af b0 80 d6 a3 27 ba 89 30 39 86 2e f8 40 6b
- DST Root CA X3 cert with serial 0a 01 41 42 00 00 01 53 85 73 6a 0b 85 ec a7 08
In trusted CAs:
- DST Root CA X3 cert with serial 44 af b0 80 d6 a3 27 ba 89 30 39 86 2e f8 40 6b
- ISRG Root X1 cert with serial 00 82 10 cf b0 d2 40 e3 59 44 63 e0 bb 63 82 8b 00
And I ran Update-ACMECertificate, unsuccessfully.

Should I then install the three SSL certs
- DST Root CA X3 cert with serial 44 af b0 80 d6 a3 27 ba 89 30 39 86 2e f8 40 6b
- DST Root CA X3 cert with serial 0a 01 41 42 00 00 01 53 85 73 6a 0b 85 ec a7 08
- ISRG Root X1 cert with serial 00 82 10 cf b0 d2 40 e3 59 44 63 e0 bb 63 82 8b 00
in both stores so that nothing has to be edited or copied manually?

Thanks in advance, and apologies for any errors against the posting rules, if any apply.

Best regards, Pablo.
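An added diagnostic for the situation described in the comment above (a vault with no 75-ISUPM/76-ISUDR folders and null issuer fields). It is not part of ACMESharp or this thread, and the vault layout it assumes (a local-disk vault whose 00-VAULT file is JSON with a Certificates object keyed by certificate identifier, an IssuerSerialNumber per entry, a top-level IssuerCertificates entry, and issuer material under 75-ISUPM and 76-ISUDR) is taken from the listing above, not from the ACMESharp source. It goes beyond the comment in that, with -Fix, it runs Update-ACMECertificate for each certificate whose issuer is unresolved (the step identified earlier in the thread) rather than hand-editing 00-VAULT, which is worth avoiding because the vault also holds the private key files.

```powershell
# Added diagnostic, not part of ACMESharp or this thread. Reports whether the
# issuer data that -ExportPkcs12 needs is present in the vault and, with -Fix,
# runs Update-ACMECertificate for each certificate whose issuer is unresolved.
# Vault layout below is assumed from the thread's listing, not verified.
param([switch]$Fix)
$ErrorActionPreference = 'Stop'

$root = (Get-ACMEVaultProfile).VaultParameters['RootPath']
$vaultFile = Join-Path $root '00-VAULT'
if (-not (Test-Path $vaultFile)) { throw "No vault file found at $vaultFile" }
$vault = Get-Content -Raw -Path $vaultFile | ConvertFrom-Json   # assumed JSON

# Both issuer folders should exist once Update-ACMECertificate has run.
foreach ($dir in '75-ISUPM', '76-ISUDR') {
    $path = Join-Path $root $dir
    $state = if (Test-Path $path) {
        "present, $(@(Get-ChildItem -Path $path -File).Count) file(s)"
    } else { 'MISSING' }
    Write-Host ('{0,-10} {1}' -f $dir, $state)
}
if (-not $vault.IssuerCertificates) {
    Write-Warning 'IssuerCertificates is null in 00-VAULT: no issuer certificate has been downloaded yet.'
}

# Certificates with no IssuerSerialNumber are the ones whose export fails with
# "Issuer certificate hasn't been resolved".
$unresolved = @()
if ($vault.Certificates) {
    foreach ($entry in $vault.Certificates.PSObject.Properties) {
        $cert = $entry.Value
        if ([string]::IsNullOrEmpty($cert.IssuerSerialNumber)) {
            if ($cert.Alias) {
                Write-Host "$($cert.Alias): issuer NOT resolved"
                $unresolved += $cert.Alias
            } else {
                Write-Warning "Certificate $($entry.Name) has no alias recorded; run Update-ACMECertificate for it by hand."
            }
        } else {
            Write-Host "$($cert.Alias): issuer serial $($cert.IssuerSerialNumber)"
        }
    }
} else {
    Write-Host 'No certificates recorded in this vault.'
}

if ($Fix -and $unresolved.Count -gt 0) {
    foreach ($alias in $unresolved) {
        Write-Host "Running Update-ACMECertificate $alias"
        Update-ACMECertificate $alias | Out-Null
    }
    Write-Host 'Re-run without -Fix to confirm the issuer is now resolved, then retry -ExportPkcs12.'
}
```

Run it once without -Fix to see the state of the vault; if the folders are missing and IssuerSerialNumber is null for the certificate you are trying to export, -Fix performs the same Update-ACMECertificate step that resolved the original report, which is safer than copying folders between vaults or editing 00-VAULT by hand.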
