
DefaultCentralSslPfxPassword Problem #1071

Closed
Joaquim3 opened this issue Mar 16, 2019 · 10 comments

Comments

@Joaquim3
Copy link

Hi everyone,

First of all, thanks to you for your great tool. My web site is HTTPS, up and running fine.

My system :

  • Windows Server 2012 R2
  • [INFO] A simple Windows ACMEv2 client (WACS)
  • [INFO] Software version 2.0.3.206 (RELEASE)
  • [INFO] IIS version 8.5
  • [INFO] Please report issues at https://github.com/PKISharp/win-acme

I use WACS, which created these files:

  • C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2
  • C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Signer_v2
  • C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\MYID.renewal.json
  • C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\MYID-cache.pfx
  • C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\MYID-csr.pem

Inside MYID.renewal.json :

"Id": "MYID",
"LastFriendlyName": "[IISSite] Default Web Site",
"PfxPasswordProtected": "enc-***************************************==",
"TargetPluginOptions":

Settings:

In my SETTINGS.CONFIG in the WACS folder, I tried adding my password in the VALUE section of:
<setting name="DefaultCentralSslPassword" serializeAs="String">
<value>MYPASSWORD</value>
</setting>
<setting name="DefaultCentralSslPfxPassword" serializeAs="String">
<value>MYPASSWORD</value>
</setting>

My Issue:

My problem is that I need to use the PFXPasswordProtected, but in my application, when I call the PFX file using my password, it displays "The specified network password is not correct.".

Tools to access PFX: ASP PAGE:

Commands :
Set oEncrypt = Server.CreateObject("Persits.CryptoManager")
Set oStore = oEncrypt.OpenStoreFromPFX("C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\MY-ID.pfx", "MYPASSWORD")

Error message:

Persits.CryptoManager.1 error '800a0064'
The specified network password is not correct.

Question:

How to generate my own password to be embedded in the PFX file?

Kind Regards,
Joaquim

@Joaquim3
Copy link
Author

Tools to access PFX : Windows Certificate Import Wizard

I get the same problem when I use Windows Certificate Import Wizard
After selecting the PFX file, I need to type the password, but I get a window "The password you entered is incorrect".

@WouterTinus
Copy link
Member

There are two passwords that you are confusing (understandably, but nonetheless).

  • There is a password for the cached certificate file, which is randomly generated and can be accessed from the program's main menu (List scheduled renewals > Show details for certificate). I actually want to discourage users from directly using files stored in the program's cache folder, as the shape and form of the cache may be subject to future changes. The proper way to get certificates "out" of win-acme is to use either a store plugin or an installation plugin.

  • There is the IIS CCS, which is something you can use when managing a cluster of IIS servers. The setting DefaultCentralSslPfxPassword is meant specifically for this store plugin.

So there are a couple of ways to go about this, ranging from dirty to very clean, but I'd recommend you to configure your certificate to be stored to the "IIS CCS", even if that's not your purpose at all. Make sure that you choose a different folder for the "CCS" than the program uses for its own certificate cache.

@Joaquim3
Copy link
Author

Hello WouterTinus,

Thanks a lot for your answer, VERY CLEAR :-)

Yes, I was mistaking the "DefaultCentralSslPfxPassword" with the "Random Password Generated" in the CACHE PFX file.

Now, I understand the difference between both.

In the dirty way, I can easily call my C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Certificates\MYID-cache.pfx file using its randomly generated password, which I found in (List scheduled renewals > Show details for certificate) where you told me to search.

Problem SOLVED !!! Thanks a lot !!! :-)


BUT (If I try the CLEAN way I get the ERROR MESSAGE BELOW, sorry for that),

I'm managing 65 domains on another server that I will be migrating to this new one.

Are SAN certificates the best solution, because I added the domains manually in WACS? All domains point to the same server and the same website.

I am then trying the CLEAN SOLUTION as you suggested:

I installed Central Certificate Store (CCS) following the instructions in the link below (my server is Windows 2012 R2). Everything OK
https://blogs.msdn.microsoft.com/kaushal/2012/10/11/central-certificate-store-ccs-with-iis-8-windows-server-2012/

My Wacs setting.config:

<setting name="DefaultCentralSslStore" serializeAs="String"><value>MYSERVERCCSPATH...
<setting name="DefaultCentralSslPfxPassword" serializeAs="String"><value>MYPERSONALPFXPASSWORD...

I entered this DefaultCentralSslPfxPassword in CCS in IIS.

WACS.exe

M: Create new certificate with advanced options
Please choose from the menu: m

[INFO] Running in mode: Interactive, Advanced

4: Manually input host names
Which kind of certificate would you like to create?: 4

Enter comma-separated list of host names, starting with the common name: MYWEBSITE.com,www.MYWEBSITE.com

[INFO] Target generated using plugin Manual: MYWEBSITE.com and 1 alternatives

Suggested FriendlyName is '[Manual] MYWEBSITE.com', press enter to accept or type an alternative:

4: [http-01] Host the validation files from memory (recommended)
How would you like to validate this certificate?: 4

2: Standard RSA key pair
What kind of CSR would you like to create?: 2

1: IIS Central Certificate Store
How would you like to store this certificate?: 1

1: Create or update https bindings in IIS
Which installer should run for the certificate?: 1
Would you like to add another installer step? (y/n*) - no

1: Default Web Site
Choose site to create new bindings: 1

[INFO] Authorize identifier: MYWEBSITE.com
[INFO] Authorizing virginal.be using http-01 validation (SelfHosting)
[INFO] Authorization result: valid
[INFO] Authorize identifier: www.MYWEBSITE.com
[INFO] Authorizing www.MYWEBSITE.com using http-01 validation (SelfHosting)
[INFO] Authorization result: valid
[INFO] Requesting certificate [Manual] MYWEBSITE.com
[INFO] Copying certificate to the Central SSL store
[INFO] Saving certificate to Central SSL location c:\ccs\MYWEBSITE.com.pfx
[EROR] Error copying certificate to Central SSL store
System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
at PKISharp.WACS.Plugins.StorePlugins.CentralSsl.Save(CertificateInfo input)
[INFO] Saving certificate to Central SSL location c:\ccs\www.MYWEBSITE.com.pfx
[EROR] Error copying certificate to Central SSL store
System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
at PKISharp.WACS.Plugins.StorePlugins.CentralSsl.Save(CertificateInfo input)
[INFO] Installing with IIS...
[INFO] Adding new https binding *:443:MYWEBSITE.com
[INFO] Adding new https binding *:443:www.MYWEBSITE.com
[INFO] Committing 2 https binding changes to IIS

@WouterTinus WouterTinus added this to the 2.0.5 milestone Mar 19, 2019
@WouterTinus
Copy link
Member

You're right, it seems that the CentralSsl store plugin requires the setting PrivateKeyExportable to be True (default is False since version 2.0).

Since that setting only applies to the CertificateStore plugin, I've marked it as a bug and it should be fixed in the next release.
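The two failure modes in this thread (a PFX export refused because the private key was imported as non-exportable, and a PFX that cannot be opened because the wrong one of the two passwords was used) can be reproduced on a throwaway self-signed certificate without touching win-acme's cache folder. The following PowerShell is an added example, not win-acme's own code: it assumes the PKI module from Windows 10 / Windows Server 2016 or later (the `-KeyExportPolicy` and `-NotAfter` parameters of `New-SelfSignedCertificate` are not available on 2012 R2), write access to `Cert:\CurrentUser\My`, and uses constructed placeholder passwords.

```powershell
# Added example (not win-acme code): reproduces the non-exportable-key export error and
# the wrong-PFX-password error from this thread on a disposable self-signed certificate.
# Assumptions: Windows 10 / Server 2016+ PKI module, write access to Cert:\CurrentUser\My,
# a writable %TEMP%. Passwords below are constructed placeholders.

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'pfx-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

$ccsPassword   = ConvertTo-SecureString 'MYPERSONALPFXPASSWORD' -AsPlainText -Force  # the CCS password you choose
$wrongPassword = ConvertTo-SecureString 'not-the-right-one'     -AsPlainText -Force  # stands in for the other password

function New-DemoCert {
    # Creates a short-lived self-signed certificate whose private key is either
    # exportable (what PrivateKeyExportable=True gives you) or locked in the key store.
    param([ValidateSet('Exportable', 'NonExportable')][string]$Policy)
    New-SelfSignedCertificate -DnsName 'demo.example.invalid' `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy $Policy `
        -NotAfter (Get-Date).AddDays(1)
}

# 1. Non-exportable private key: the situation the CentralSsl plugin hit while
#    PrivateKeyExportable was False. Exporting to .pfx is refused by the key store.
$locked = New-DemoCert -Policy NonExportable
try {
    Export-PfxCertificate -Cert $locked -FilePath (Join-Path $work 'locked.pfx') -Password $ccsPassword | Out-Null
    Write-Host 'unexpected: export of a non-exportable key succeeded'
} catch {
    Write-Host "export refused (non-exportable key): $($_.Exception.Message)"
}

# 2. Exportable private key (PrivateKeyExportable=True): the export succeeds and the
#    resulting .pfx is protected with the password IIS CCS must also be configured with.
$open = New-DemoCert -Policy Exportable
$pfxPath = Join-Path $work 'open.pfx'
Export-PfxCertificate -Cert $open -FilePath $pfxPath -Password $ccsPassword | Out-Null

# 3. Opening the .pfx: the password it was exported with works; any other password
#    fails with "The specified network password is not correct", which is exactly what
#    happens when the cache .pfx (random password) is opened with the CCS password.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$ok = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $ccsPassword, $flags)
Write-Host "opened with correct password: $($ok.Subject), HasPrivateKey=$($ok.HasPrivateKey)"
try {
    $null = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $wrongPassword, $flags)
    Write-Host 'unexpected: wrong password accepted'
} catch {
    Write-Host "wrong password rejected: $($_.Exception.Message)"
}

# Remove the throwaway certificates and files again.
Get-Item "Cert:\CurrentUser\My\$($locked.Thumbprint)", "Cert:\CurrentUser\My\$($open.Thumbprint)" | Remove-Item
Remove-Item -Recurse -Force $work
```

Step 1 is the root cause of the `[EROR] Error copying certificate to Central SSL store` lines above: the store plugin can only write a .pfx if the private key it imported is marked exportable. Step 3 shows why the cache file and a CCS file need different passwords, and that a mismatch is reported as a wrong password rather than as a missing file or permission problem.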

@Oglan
Copy link

Oglan commented Mar 27, 2019

Any thoughts when we can expect release with this bugfix?
Is there any workaround right now? I need to get .pfx file somehow.

@WouterTinus
Copy link
Member

I want to make a new release in a couple of days. In the mean time you can either get the .pfx from the certificate cache with the password found in the main menu, or set PrivateKeyExportable to true and use the CentralSsl store plugin.

@Oglan
Copy link

Oglan commented Mar 27, 2019

Thank you! PrivateKeyExportable setting helped me.

@Joaquim3
Copy link
Author

Thanks a lot WouterTinus. Yes PrivateKeyExportable=True works fine with CCS.

@WouterTinus
Copy link
Member

Bugfix released in 2.0.5

@Dmitri-Sintsov
Copy link

What is the correct way to obtain current random generated pfx password from Windows command line? cmd.exe / powershell? When trying to redirect wacs.exe input I get either infinite input or an exception:

PS C:\www64\ssl\win-acme> Start-Process "wacs.exe" -PassThru -wait -NoNewWindow
-RedirectStandardError ".\error.log" -redirectstandardinput ".\in.txt"

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     23       1      248        148     6     0,00   5132 wacs

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 200.0.6965.40688 (RELEASE)
 [INFO] IIS version 8.5
 [INFO] Please report issues at https://github.com/PKISharp/win-acme


 N: Create new certificate
 M: Create new certificate with advanced options
 L: List scheduled renewals
 R: Renew scheduled
 S: Renew specific
 A: Renew *all*
 C: Cancel scheduled renewal
 X: Cancel *all* scheduled renewals
 T: (Re)create scheduled task
 I: Import scheduled renewals from WACS/LEWS 1.9.x
 Q: Quit

 Please choose from the menu:
 1: crm.my-host.ru - renewed 6 times, due after 2020.1.12 9:00:09
 C: Cancel

 Show details for renewal?:
 Show details for renewal?:
 Show details for renewal?:
