Certificate is not stored with private Key #2342

Closed
Moechen opened this issue Mar 23, 2023 · 11 comments

@Moechen

Moechen commented Mar 23, 2023

Hi everyone,

We are new to win-acme and want to automate our Windows certificate stuff.

To start with, I just wanted to get a simple certificate and let it import into the Windows cert store. It works so far that I get a certificate, but it gets imported without a private key. If I let win-acme save it as a .pfx, it also has no private key.

I have also tried different versions of win-acme but without luck.
Does anyone have an idea why this might be happening?

We are using EJBCA as PKI.

Log

Kind greetings,
Fabian

@WouterTinus
Member

How did you reach the conclusion that the certificate doesn't have a private key?

The only way I can imagine this could legitimately happen is if EJBCA is not using the public key provided by the program to sign the certificate but rather something generated elsewhere (e.g. you had to pre-feed it a CSR and/or it offers the PK up for download outside of the ACME protocol).

@Moechen
Author

Moechen commented Apr 24, 2023

Hi,
sorry for the late response but I was on vacation.

I have now tested the newest version and also asked our consultant for EJBCA, and he ran into the same problem.
For testing I used a clean Windows Server 2019 with IIS and the default website. In the settings file I changed only the URLs + DNS Servers.

It doesn't matter if I use the command or do it manually in the "UI". In both cases I get a certificate without a private key.

```text
C:\Program Files\win-acme>wacs.exe --source manual --certificatestore My --host SERVER.FQDN --accepttos --verbose
[DBUG] Logging at level Verbose
[VERB] W3SVC detected and running
[VERB] No FTPSVC detected
[VERB] Looking for settings.json in C:\Program Files\win-acme
[DBUG] Use existing configuration folder C:\ProgramData\win-acme
[DBUG] Use existing configuration folder C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory
[DBUG] Use existing log folder C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory\Log
[DBUG] Use existing cache folder C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory\Certificates
[DBUG] secrets.json not found
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False
[VERB] Arguments: --source manual --certificatestore My --host SERVER.FQDN --accepttos --verbose
[VERB] ExePath: C:\Program Files\win-acme\wacs.exe
[VERB] ResourcePath: C:\Program Files\win-acme
[VERB] PluginPath: C:\Program Files\win-acme\

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.2.3.1492 (release, trimmed, standalone, 64-bit)
[INFO] Connecting to https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/directory...
[DBUG] [HTTP] Send GET to https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/directory
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {"newNonce":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/newNonce","newAccount":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/newAccount","newOrder":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/newOrder","revokeCert":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/revokeCert","keyChange":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/keyChange","meta":{"termsOfService":"https://certservices.COMPANY/acme/terms","website":"https://certservices.COMPANY/acme","caaIdentities":[],"externalAccountRequired":false}}
[INFO] Connection OK!
[DBUG] Running with administrator credentials
[DBUG] IIS version 10.0
[INFO] Scheduled task looks healthy
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة
[INFO] Running in mode: Unattended
[VERB] Autofac: creating PluginFrontend scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent wacs
[VERB] Autofac: creating PluginFrontend scope with parent wacs
[VERB] Parsed value for --host: SERVER.FQDN
[VERB] No value provided for --commonname
[VERB] Autofac: creating PluginBackend scope with parent wacs
[INFO] Source generated using plugin Manual: SERVER.FQDN
[VERB] Autofac: creating Target scope with parent PluginBackend
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] W3SVC detected and running
[VERB] No FTPSVC detected
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Global validation option not found for SERVER.FQDN
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Adding 10.50.1.55 as DNS server
[VERB] Adding 10.60.0.20 as DNS server
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] No value provided for --validationport
[VERB] No value provided for --validationprotocol
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Flag --ocsp-must-staple not present
[VERB] Flag --reuse-privatekey not present
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Parsed value for --certificatestore: My
[VERB] Flag --keepexisting not present
[VERB] No value provided for --acl-fullcontrol
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[VERB] Autofac: creating PluginFrontend scope with parent target
[WARN] Overwriting previously created renewal

[VERB] Constructing ACME protocol client...
[VERB] Getting service directory...
[DBUG] [HTTP] Send GET to https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/directory
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {"newNonce":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/newNonce","newAccount":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/newAccount","newOrder":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/newOrder","revokeCert":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/revokeCert","keyChange":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/keyChange","meta":{"termsOfService":"https://certservices.COMPANY/acme/terms","website":"https://certservices.COMPANY/acme","caaIdentities":[],"externalAccountRequired":false}}
[DBUG] Loading signer from C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory\Registration_v2
[VERB] Using existing ACME account
[DBUG] Using default account...
[VERB] Autofac: creating Execution scope with parent wacs
[VERB] Autofac: creating PluginBackend scope with parent Execution
[INFO] Plugin Manual generated source SERVER.FQDN with 1 identifiers
[VERB] Autofac: creating Split scope with parent PluginBackend
[VERB] Autofac: creating PluginBackend scope with parent Split
[INFO] Plugin Single created 1 order
[VERB] Autofac: creating Order scope with parent PluginBackend
[VERB] Autofac: creating PluginBackend scope with parent order-main
[DBUG] Previous certificate found at C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory\Certificates\mScIEmlAY0Ok0uGMFl5Rrg-main-a0a5a846f70f6f6bef871df1313a97d9b19be100-temp.pfx
[DBUG] Reading certificate cache
[VERB] Main: previous thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[VERB] Main: previous expires 2023.10.22
[VERB] Using client side renewal schedule
[VERB] Main: latest due date 2023.6.18
[VERB] Main: earliest due date 2023.6.18
[VERB] Order Main should run: False
[INFO] Renewing [Manual] SERVER.FQDN
[VERB] Obtain order details for Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order...
[DBUG] [HTTP] Send HEAD to https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/newNonce
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Empty response
[DBUG] [HTTP] Send POST to https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/acct/7ATMYg-_eYvYeJahfzbcpw/orders/u2el9abxJSsVGwgsT4d9gy6Ssm5dbZ2Bi3e_9kBg2Oc
[VERB] [HTTP] Request content: {"protected":"XXX","payload":"","signature":"XXX"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response content: {"status":"valid","expires":"2023-04-24T10:25:17Z","identifiers":[{"type":"dns","value":"SERVER.FQDN"}],"notBefore":"2023-04-24T09:15:17Z","notAfter":"2023-10-22T09:15:16Z","authorizations":["https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/acct/7ATMYg-_eYvYeJahfzbcpw/authz/e54ed81af15a6c05ddff9cf69536c1740d6211043286527ab5af6bc2dd952b0d"],"finalize":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/acct/7ATMYg-_eYvYeJahfzbcpw/orders/u2el9abxJSsVGwgsT4d9gy6Ssm5dbZ2Bi3e_9kBg2Oc/finalize","certificate":"https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/cert/e9e744608cbc72fcf2fbc93ba3fce915865f927e"}
[WARN] Using cache. To force a new order within 1 days, run with --nocache. Beware that you might run into rate limits.
[VERB] Order 1/1 (Main): processing...
[DBUG] Re-using private key generated at 04/24/2023 11:25:20
[DBUG] CSR stored at mScIEmlAY0Ok0uGMFl5Rrg-main-a0a5a846f70f6f6bef871df1313a97d9b19be100-csr.pem in certificate cache folder C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory\Certificates
[INFO] Downloading certificate [Manual] SERVER.FQDN
[DBUG] [HTTP] Send POST to https://certservices.COMPANY/ejbca/acme/P_ACME_SERVER/cert/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[VERB] [HTTP] Request content: {"protected":"XXXX","payload":"","signature":"XXX"}
[VERB] [HTTP] Request completed with status OK
[VERB] [HTTP] Response of type application/pem-certificate-chain (10787 bytes)
[VERB] Parsing certificate from 10787 bytes received
[VERB] Parsing PEM data at range 150..2799
[VERB] Parsing PEM data at range 3017..6763
[VERB] Parsing PEM data at range 6971..10786
[VERB] Parsing certificate from 10787 bytes received
[VERB] Parsing PEM data at range 150..2799
[VERB] Parsing PEM data at range 3017..6763
[VERB] Parsing PEM data at range 6971..10786
[DBUG] Certificate written to cache file mScIEmlAY0Ok0uGMFl5Rrg-main-a0a5a846f70f6f6bef871df1313a97d9b19be100-temp.pfx in certificate cache folder C:\ProgramData\win-acme\certservices.COMPANYejbcaacmeP_ACME_SERVERdirectory\Certificates. It will be reused when renewing within 1 day(s) as long as the --source and --csr parameters remain the same and the --force switch is not used.
[VERB] Processing order 1/1: Main
[VERB] Autofac: creating PluginBackend scope with parent PluginBackend
[VERB] W3SVC detected and running
[VERB] No FTPSVC detected
[DBUG] Certificate store name: My
[INFO] Store with CertificateStore...
[WARN] Certificate with thumbprint XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is already in the store
[INFO] Scheduled task looks healthy
[INFO] Next renewal due after 2023.6.18
[INFO] Certificate [Manual] SERVER.FQDN created
[VERB] Exiting with status code 0
```

@WouterTinus
Member

You didn't answer my question:

How did you reach the conclusion that the certificate doesn't have a private key?

@Moechen
Author

Moechen commented Apr 26, 2023

Hi,

Windows doesn't show the "key" and the info "You have a private key that corresponds to this certificate" is also not showing when I open it through mmc.

I also tried to get the private key from the .pfx that will be saved under "C:\ProgramData\win-acme" but when I do that with the command below the exported file is empty.

```sh
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [drlive.key]
```

@WouterTinus WouterTinus reopened this Apr 26, 2023
WouterTinus added a commit that referenced this issue Apr 26, 2023
@WouterTinus
Member

I added some extra verbose logging output to this build to help diagnose this issue; can you run this build?

https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/46894264/artifacts

@Moechen
Author

Moechen commented Apr 27, 2023

Hi,

Thanks for helping. I ran the new build; the log is attached.
log.txt

@WouterTinus
Member

Thanks for that, unfortunately there's no red flag in this log that explains why it's happening, though it at least proves that it is happening. I'll take another look at the code and add more logging to hopefully nail this one down.

@Moechen
Author

Moechen commented Apr 27, 2023

Thank you so much for the help. :)

WouterTinus added a commit that referenced this issue Apr 27, 2023
@WouterTinus
Member

I believe that I have fixed the bug in this build: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/46905789/artifacts

The problem was that the PEM-encoded certificate contains some leading data (maybe some comments?) that confused our PFX builder.
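
As an added illustration of the root cause described above (this is not win-acme's own code): RFC 7468 permits explanatory text before and between PEM encapsulation boundaries, so a chain parser must locate each `-----BEGIN`/`-----END` block and ignore everything outside it, rather than assuming the first block starts at offset 0 (in the verbose log above the first block starts at byte 150). The sample chain, its leading comment lines and the tiny DER stand-ins used instead of real certificates are all constructed for the example.

```python
import base64
import re

# One RFC 7468 encapsulated block. Anything outside the BEGIN/END lines
# (explanatory text, headers, blank lines) is skipped by finditer().
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def split_pem_chain(data: bytes):
    """Return [(label, der, (start, end)), ...] for each PEM block in data,
    tolerating text before, between and after the blocks (RFC 7468, sec. 2)."""
    blocks = []
    for m in _PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        body = b"".join(m.group(2).split())  # drop CRLF/LF and whitespace
        der = base64.b64decode(body, validate=True)  # reject non-base64 junk
        blocks.append((label, der, (m.start(), m.end())))
    return blocks

def leaf_and_chain(data: bytes):
    """Split an application/pem-certificate-chain body into (leaf, issuers).
    RFC 8555 7.4.2: the first certificate is the end-entity certificate."""
    certs = [d for lbl, d, _ in split_pem_chain(data) if lbl == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    for der in certs:
        if not der or der[0] != 0x30:  # every X.509 cert is a DER SEQUENCE
            raise ValueError("block is not DER-encoded")
    return certs[0], certs[1:]

# Constructed sample, not real CA output: explanatory lines before the first
# block, CRLF line endings, and tiny DER stand-ins (SEQUENCE { INTEGER n }).
def _fake_der(n: int) -> bytes:
    return bytes([0x30, 0x03, 0x02, 0x01, n])

def _pem(label: bytes, der: bytes) -> bytes:
    return (b"-----BEGIN " + label + b"-----\r\n" + base64.b64encode(der)
            + b"\r\n-----END " + label + b"-----\r\n")

SAMPLE_HEADER = b"# Issued by: constructed CA\r\nSubject: CN=server.example\r\n\r\n"
SAMPLE_CHAIN = (SAMPLE_HEADER
                + _pem(b"CERTIFICATE", _fake_der(1)) + b"\r\n"
                + _pem(b"CERTIFICATE", _fake_der(2))
                + _pem(b"CERTIFICATE", _fake_der(3)))

if __name__ == "__main__":
    leaf, issuers = leaf_and_chain(SAMPLE_CHAIN)
    print("leaf DER:", leaf.hex(), "| issuers:", len(issuers))
```

On the Windows side, the quick check for the symptom reported in this thread is the HasPrivateKey property of the X509Certificate2 object in the My store, which is true only when the certificate is paired with a key.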

@WouterTinus WouterTinus added this to the 2.2.5 milestone Apr 27, 2023
@Moechen
Author

Moechen commented Apr 28, 2023

Good morning,

I just tested the new build and it works perfectly now.
Thank you so much for your help. :)

Kind greetings and a nice weekend,
Fabi

@WouterTinus
Member

Fix included in 2.2.5
