Wednesday, November 27, 2013

Misc : Certificate conversions

On Windows you have the good old PFX (PKCS#12) file, which bundles the certificate and its private key in a single password-protected container (the password protects the file; it is not stored inside it).

But in the Linux world, when you complete the certificate request, you get the pieces back as separate PEM files, i.e.

  • cert.crt   (the certificate)
  • cert.key   (the private key)
  • ca.crt     (the issuing CA chain)

To convert them into something Windows can use, you need OpenSSL.

You can get a Windows version here: Win32 OpenSSL Installation Project

(Please make a donation if appropriate).

The command you need is:

openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.crt -certfile ca.crt

It prompts for an export password, which is the password Windows asks for when you import the PFX. If cert.key does not belong to cert.crt, OpenSSL stops with "No certificate matches private key", so a mismatch is caught here rather than at import time.

On Windows you may get an error:

"unable to write 'random state'"

in which case, set the RANDFILE environment variable to a writable location before running the command (the directory in the path is a placeholder for wherever your files are):

set RANDFILE=C:\<directory the files are in>\.rnd

Out of interest, if you want to go the other way:

openssl pkcs12 -in cert.pfx -out cert.cer -nodes

Be aware that -nodes writes the private key into cert.cer unencrypted, alongside the certificate and chain, so treat that file as carefully as the key itself. If you only want the certificate, use -nokeys instead of -nodes; if you only want the key, use -nocerts -nodes.
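The whole export step as one script, as an added example that is not part of the original post: it sets RANDFILE for the session, feeds the export password to OpenSSL through a temporary file rather than the command line, and then verifies the PFX the way Windows will see it, by loading it with .NET and checking that the leaf certificate from cert.crt is present together with its private key. It assumes openssl.exe is on PATH (for instance from the Win32 OpenSSL installer) and that the file names are the ones used above; the parameter names are my own.

```powershell
# Added example, not from the original post. Requires openssl.exe on PATH.
# Assumed file names match the post; $PfxPath and the other parameters are assumptions.
param(
    [string]$CertPath = "cert.crt",
    [string]$KeyPath  = "cert.key",
    [string]$CaPath   = "ca.crt",
    [string]$PfxPath  = "cert.pfx"
)

$ErrorActionPreference = "Stop"

# Older Win32 OpenSSL builds fail with "unable to write 'random state'" unless RANDFILE
# points somewhere writable; set it for this session only.
$env:RANDFILE = Join-Path (Get-Location) ".rnd"

# Read the export password once, and pass it to OpenSSL via a temp file (-passout file:)
# so it never appears on a command line, where other local users could read it.
$secure = Read-Host -AsSecureString "PFX export password"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

$passFile = [IO.Path]::GetTempFileName()
try {
    [IO.File]::WriteAllText($passFile, $plain)
    & openssl pkcs12 -export -out $PfxPath -inkey $KeyPath -in $CertPath -certfile $CaPath -passout "file:$passFile"
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 -export failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item $passFile -ErrorAction SilentlyContinue
}

# Verify: load the PFX, confirm the private key came along, and confirm the leaf certificate
# is the one from cert.crt (thumbprint match) rather than a CA certificate from ca.crt.
# X509Certificate2 reads both PEM (.crt) and PKCS#12 (.pfx).
$original = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$bundle   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($PfxPath, $plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
$plain = $null

$leaf = $bundle | Where-Object { $_.Thumbprint -eq $original.Thumbprint }
if (-not $leaf)               { throw "PFX does not contain the certificate from $CertPath" }
if (-not $leaf.HasPrivateKey) { throw "PFX has the certificate but no private key; check that $KeyPath matches $CertPath" }

# Windows (IIS, ADFS) warns below 2048 bits, so flag it here too.
$keySize = $leaf.PublicKey.Key.KeySize
if ($keySize -lt 2048) { Write-Warning "Key length is $keySize bits; anything below 2048 will draw warnings on import." }

Write-Host ("OK: {0} contains {1} (expires {2:yyyy-MM-dd}) with its private key, plus {3} chain certificate(s)." -f `
    $PfxPath, $leaf.Subject, $leaf.NotAfter, ($bundle.Count - 1))
```

Run it from the directory holding the three PEM files; the verification step is the part worth keeping even if you type the openssl command by hand, because a PFX that imports fine but has no private key is the commonest way this goes wrong.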

Enjoy!

Wednesday, November 06, 2013

ADFS : Changing service communications certificate

This is ADFS 2.0 on Windows Server 2008.

If you've used ADFS for a while, you'll know that certificates expire, you get new ones, add them, and so on.

After a while the certificate store looks like a mess: many certificates with the same name.

So you have the bright idea of deleting them all, importing the new one and configuring the new one in ADFS.

BAD move:

When you try and add the new service communications certificate, you get:

Error: AD FS Management
The certificate could not be processed.
Error message: Object reference not set to an instance of an object.

WTF?

This article goes into detail but I still couldn't get it to work.

How to change the ADFS 2.0 service communications certificate after it expires

So: import the new certificate (with its private key) into the local computer's Personal store and add it to the IIS HTTPS binding.

Mr Google to the rescue: run PowerShell as administrator and load the ADFS snap-in:

Add-PSSnapin Microsoft.Adfs.PowerShell

Then get the new certificate's thumbprint from the MMC Certificates snap-in (remove the spaces, and if PowerShell says it cannot find the certificate, retype the thumbprint rather than pasting it: the copy from MMC can carry an invisible leading character) and run:

Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint xxyyzz...

WARNING: PS0001: One or more of the specified certificate(s) has a key length of less than 2048 bits. This may present a security risk.
WARNING: PS0038: This action requires a restart of the AD FS 2.0 Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.

PS0001 is worth taking seriously: a key shorter than 2048 bits is a reissue job, not just a warning to click past. PS0038 is the one that matters here: the change does not take effect until you restart the AD FS 2.0 Windows Service (adfssrv), on every server if you run a farm. So restart the service and, hallelujah, it all works again!
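The same fix as a script, as an added example that is not part of the original post and not Microsoft's own tooling: it finds the newest currently valid certificate for the federation service name in the local computer's Personal store, refuses to proceed on a key below 2048 bits (the condition behind PS0001), sets it as the service communications certificate, restarts the service (PS0038), and then cross-checks the IIS HTTPS binding. It assumes ADFS 2.0 on Server 2008 with the snap-in installed, an elevated PowerShell session, and that the certificate's subject CN or first SAN DNS name is the federation service name; $FederationServiceName and $HttpsBinding are my own parameters.

```powershell
# Added example, not from the original post. Run as administrator on the federation server.
# $FederationServiceName and $HttpsBinding are assumptions for illustration.
param(
    [Parameter(Mandatory = $true)]
    [string]$FederationServiceName,          # DNS name the certificate is issued to, e.g. the STS host name
    [string]$HttpsBinding = "0.0.0.0:443"    # IIS HTTPS binding to cross-check afterwards
)

$ErrorActionPreference = "Stop"
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Candidates: in LocalMachine\My, with a private key, valid right now, and issued to the
# federation service name (GetNameInfo returns the first SAN DNS name, or the subject CN).
$now     = Get-Date
$dnsName = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.GetNameInfo($dnsName, $false) -eq $FederationServiceName
    } |
    Sort-Object NotAfter -Descending

if (-not $candidates) {
    throw "No valid certificate with a private key for $FederationServiceName in LocalMachine\My. Import the new PFX (with its key) first."
}
$new = @($candidates)[0]   # longest remaining validity wins

# PS0001: ADFS only warns below 2048 bits; treat it as a reason to reissue, not to continue.
$keySize = $new.PublicKey.Key.KeySize
if ($keySize -lt 2048) {
    throw "Certificate $($new.Thumbprint) has a $keySize-bit key; reissue it with at least 2048 bits."
}

# Skip the change (and the service restart) if ADFS already uses this certificate.
$current = Get-ADFSCertificate -CertificateType Service-Communications
if ($current -and $current.Thumbprint -eq $new.Thumbprint) {
    Write-Host "Service communications certificate is already $($new.Thumbprint); nothing to do."
    return
}

Write-Host ("Switching service communications certificate to {0} ({1}, expires {2:yyyy-MM-dd})" -f `
    $new.Thumbprint, $new.Subject, $new.NotAfter)
Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $new.Thumbprint

# PS0038: the new certificate is not used until the AD FS 2.0 Windows Service restarts.
# On a farm, run this (or at least the restart) on every federation server.
Restart-Service adfssrv

# Cross-check the IIS HTTPS binding: if it still carries the old thumbprint, clients keep
# seeing the old (expired) certificate even though ADFS itself has been updated.
# netsh prints the hash in lower case; PowerShell's -ne is case-insensitive, so compare directly.
$sslLine = netsh http show sslcert "ipport=$HttpsBinding" | Select-String "Certificate Hash"
if ($sslLine) {
    $bound = ($sslLine.Line -split ":")[-1].Trim()
    if ($bound -ne $new.Thumbprint) {
        Write-Warning "IIS binding $HttpsBinding uses thumbprint $bound, not $($new.Thumbprint); update the HTTPS binding in IIS Manager."
    }
}
```

Selecting the certificate by name and validity rather than pasting a thumbprint sidesteps the invisible-character problem with thumbprints copied from MMC, and the early exit means re-running the script on a server that is already correct does not bounce the service for nothing.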

Enjoy!