Powershell: how to set up a public/private key pair using Windows and puttygen.exe. Download puttygen.exe, open it and click Generate to generate a private/public key pair. I set the number of key bits to 4096. Then export the private key for use with the SSH-Sessions module (has to be in OpenSSH format – the Putty key format will not work as of 2013-09-14). Grant security to a private key in Windows Server 2012 via powershell w/out external DLLs, etc 0 private key not found while certificate pfx file installed with Import-PfxCertificate command in powershell.

Syntax

Description

The New-SelfSignedCertificate cmdlet creates a self-signed certificate for testing purposes.Using the CloneCert parameter, a test certificate can be created based on an existing certificate with all settings copied from the original certificate except for the public key.The cmdlet creates a new key of the same algorithm and length.

Delegation may be required when using this cmdlet with Windows PowerShell remoting and changing user configuration.

Examples

EXAMPLE 1

This example creates a self-signed SSL server certificate in the computer MY store with the subject alternative name set to www.fabrikam.com, www.contoso.com and Subject and Issuer name set to www.fabrikam.com.

EXAMPLE 2Windows 8 professional product key generator free download.

This example creates a copy of the certificate specified by the CloneCert parameter and puts it in the computer MY store.

EXAMPLE 3

This example creates a self-signed S/MIME certificate in the user MY store.The certificate uses the default provider, which is the Microsoft Software Key Storage Provider.The certificate uses an RSA asymmetric key with a key size of 2048 bits.This certificate has the subject alternative names of patti.fuller@contoso.com as RFC822 and pattifuller@contoso.com as Principal Name.

This command does not specify the NotAfter parameter.Therefore, the certificate expires in one year.

EXAMPLE 4

This example creates a self-signed client authentication certificate in the user MY store.The certificate uses the default provider, which is the Microsoft Software Key Storage Provider.The certificate uses an RSA asymmetric key with a key size of 2048 bits.The certificate has a subject alternative name of pattifuller@contoso.com.

The certificate expires in one year.

EXAMPLE 5

This example creates a self-signed client authentication certificate in the user MY store.The certificate uses the default provider, which is the Microsoft Software Key Storage Provider.The certificate uses an elliptic curve asymmetric key and the curve parameters nist256, which creates a 256-bit key.The subject alternative name is pattifuller@contoso.com.

The certificate expires in one year.

EXAMPLE 6

This example creates a self-signed client authentication certificate in the user MY store.The certificate uses the Microsoft Platform Crypto Provider.This provider uses the Trusted Platform Module (TPM) of the device to create the asymmetric key.The key is an RSA 2048-bit key that cannot be exported.The subject alternative name is pattifuller@contoso.com.The certificate expires in one year.

EXAMPLE 7

This example creates a self-signed client authentication certificate in the user MY store.The certificate uses the default provider, which is the Microsoft Software Key Storage Provider.The certificate uses an RSA asymmetric key with a key size of 2048 bits.The subject alternative name is pattifuller@contoso.com.

This command specifies a value for NotAfter.The certificate expires in six months.

EXAMPLE 8

This example creates a self-signed S/MIME certificate in the user MY store.The certificate uses the default provider, which is the Microsoft Software Key Storage Provider.The certificate uses an RSA asymmetric key with a key size of 2048 bits.This certificate has the subject alternative names of patti.fuller@contoso.com and pattifuller@contoso.com both as RFC822.

This command does not specify the NotAfter parameter.Therefore, the certificate expires in one year.

EXAMPLE 9

This example creates a self-signed SSL server certificate with Subject and Issuer name set to localhost and with subject alternative name set to IPAddress 127.0.0.1 and ::1 via TextExtension.

Parameters

Indicates that this cmdlet uses RSA-PSS (PKCSv2.1) or an elliptic curve cryptography (ECC) equivalent.If you do not specify this parameter, the cmdlet uses the default, RSA-PSS (PKCSv1.5) or an ECC equivalent.

Specifies the certificate store in which to store the new certificate.If the current path is Cert:CurrentUser or Cert:CurrentUserMy, the default store is Cert:CurrentUserMy.If the current path is Cert:LocalMachine or Cert:LocalMachineMy, the default store is Cert:LocalMachineMy.Otherwise, you must specify Cert:CurrentUserMy or Cert:LocalMachineMy for this parameter.This parameter does not support other certificate stores.

Identifies the certificate to copy when creating a new certificate.The certificate being cloned can be identified by an X509 certificate or the file path in the certificate provider.When this parameter is used, all fields and extensions of the certificate will be inherited except the public key, a new key of the same algorithm and length will be created, and the NotAfter and NotBefore fields.The default validity period will be the same as the certificate to copy, except that the NotBefore field will be set to ten minutes in the past.

Prompts you for confirmation before running the cmdlet.

Specifies the name of the container in which this cmdlet stores the key for the new certificate.

When you create a key, a trailing asterisk (*) indicates that the rest of the container name string is a prefix.An appended GUID string makes the container name unique.

When you use an existing key, the container name must identify an existing key.You may also have to specify the provider.

Specifies how the public key parameters for an elliptic curve key are represented in the new certificate.The acceptable values for this parameter are:

• CurveParameters
• CurveName
• None (default)

The default value, None, indicates that this cmdlet uses the default value from the underlying key storage provider (KSP).This parameter is not supported with the RSA algorithm or with cryptographic service providers (CSPs).

Specifies one or more DNS names to put into the subject alternative name extension of the certificate when a certificate to be copied is not specified via the CloneCert parameter.The first DNS name is also saved as the Subject Name.If no signing certificate is specified, the first DNS name is also saved as the Issuer Name.

Indicates that this cmdlet uses an existing key.If you do not specify this parameter, this cmdlet creates a new key.Creating a certificate from an existing key creates a new key with a new container.

When you use an existing key, specify values for the Container parameter, the Provider parameter, and the CertStoreLocation parameter.CertStoreLocation determines the context.The context is user or computer.

Specifies an array of certificate extensions, as X509Extension objects, that this cmdlet includes in the new certificate.

Specifies a friendly name for the new certificate.

Specifies how a hardware key associated with the new certificate may be used.This parameter applies only when you specify the Microsoft Platform Crypto Provider.The acceptable values for this parameter are:

• None (default)
• SignatureKey
• EncryptionKey
• GenericKey
• StorageKey
• IdentityKey

The default value, None, indicates that this cmdlet uses the default value from the underlying KSP.

Specifies the name of the hash algorithm to use to sign the new certificate.The default hash algorithm depends on the provider that stores the private key used to sign the new certificate.

Specifies the name of the algorithm that creates the asymmetric keys that are associated with the new certificate.Available asymmetric key algorithms are RSA and Elliptic Curve Digital Signature Algorithms (ECDSA).

The elliptic curve algorithm syntax is the following:

ECDSA_curvename

To obtain a value for curvename, use the certutil -displayEccCurve command.

Valid curve names contain a value in the Curve OID column in the output of the certutil -displayEccCurve command.

Specifies a description for the private key that is associated with the new certificate.

Specifies the policy that governs the export of the private key that is associated with the certificate.The acceptable values for this parameter are:

• Exportable
• ExportableEncrypted (default)
• NonExportable

The default value of ExportableEncrypted is not compatible with KSP and CSPs that do not allow key export.These include the Microsoft Smart Card Key Storage Provider and the Microsoft Platform Crypto Key Storage Provider.Specify NonExportable for providers that do not allow key export.

Specifies a friendly name for the private key that is associated with the new certificate.

Specifies the length, in bits, of the key that is associated with the new certificate.

Specifies the file system location where this cmdlet stores the private keys associated with the new certificate.Specify this parameter only when you specify the Microsoft Platform Crypto Provider.

Specifies the level of protection required to access the private key that is associated with the certificate.The acceptable values for this parameter are:

• Protect
• ProtectHigh
• ProtectFingerPrint
• None (default)

The default value, None, indicates that this cmdlet uses the default value from the underlying KSP or CSP.For most KSPs and CSPs, the default means that no user interface is required to create and use the private key.A user interface is required if the provider always requires a user interface, such as a smart card, or if the default configuration of the provider has been changed.

Specifies whether the private key associated with the new certificate can be used for signing, encryption, or both.The acceptable values for this parameter are:

• KeyExchange
• Signature
• None (default)

The default value, None, indicates that this cmdlet uses the default value from the underlying CSP.

If the private key is managed by a legacy CSP, the value is KeyExchange or Signature.If the key is managed by a Cryptography Next Generation (CNG) KSP, the value is None.

Specifies the key usages set in the key usage extension of the certificate.The acceptable values for this parameter are:

• CertSign
• CRLSign
• DataEncipherment
• DecipherOnly
• DigitalSignature
• EncipherOnly
• KeyAgreement
• KeyEncipherment
• None (default)
• NonRepudiation

The value, None, indicates that this cmdlet does not include the KeyUsage extension in the new certificate.

Specifies the key usages for the key usages property of the private key.The acceptable values for this parameter are:

• All
• Decrypt
• KeyAgreement
• None (default)
• Sign

The default value, None, indicates that this cmdlet uses the default value from the underlying KSP.

Specifies the date and time, as a DateTime object, that the certificate expires.To obtain a DateTime object, use the Get-Date cmdlet.The default value for this parameter is one year after the certificate was created.

Specifies the date and time, as a DateTime object, when the certificate becomes valid.The default value for this parameter is 10 minutes before the certificate was created.

Specifies the personal identification number (PIN) used to access the private key of the new certificate.

Specifies the name of the KSP or CSP that this cmdlet uses to create the certificate. See Cryptographic Providers for more information.Some acceptable values include:

• Microsoft Software Key Storage Provider
• Microsoft Smart Card Key Storage Provider
• Microsoft Platform Crypto Provider
• Microsoft Strong Cryptographic Provider
• Microsoft Enhanced Cryptographic Provider v1.0
• Microsoft Enhanced RSA and AES Cryptographic Provider
• Microsoft Base Cryptographic Provider v1.0
• The name of a third party KSP or CSP

Specifies the name of the smart card reader on which to store the private key for the new certificate.

Specifies the private key security descriptor as a FileSecurity object.Read access is required to use the private key.This parameter does not apply to providers that do not support security descriptors on private keys, including the smart card CSP and smart card KSP.

Specifies a serial number, as a hexadecimal string, that is associated with the new certificate.If you do not specify this parameter, this cmdlet assigns a pseudo-randomly generated 16 byte value.

Specifies a Certificate object with which this cmdlet signs the new certificate.This value must be in the Personal certificate store of the user or device.This cmdlet must have read access to the private key of the certificate.

Specifies the PIN that is required to access the private key of the certificate that is used to sign the new certificate.

Specifies the name of the smart card reader that is used to sign the new certificate.

Indicates that the new certificate includes available encryption algorithms to a Secure/Multipurpose Internet Mail Extensions (S/MIME) capabilities extension.

Specifies the string that appears in the subject of the new certificate.This cmdlet prefixes CN= to any value that does not contain an equal sign.For multiple subject relative distinguished names (also known as RDNs), separate each subject relative distinguished name with a comma (,).If the value of the relative distinguished name contains commas, separate each subject relative distinguished name with a semicolon (;).

Specifies an array of object identifier (also known as OID) strings that identify default extensions to be removed from the new certificate.

Indicates that this cmdlet signs the new certificate by using a built-in test certificate.This cmdlet adds the built-in test certificate to the intermediate certification authority (CA) certificate store of the device.

This parameter is for test purposes only.The private key of the test root certificate is essentially public.

Specifies an array of certificate extensions, as strings, which this cmdlet includes in the new certificate.Each string must employ one of the following formats:

oid=base64String, where oid is the object identifier of the extension and base64String is a value that you provide.After decoding base64String, the value must be valid Abstract Syntax Notation One (ASN.1).For more information, see Abstract Syntax Notation One (ASN.1): Specification of basic notation.

oid={hex}hexidecimalString, where oid is the object identifier of the extension and hexidecimalString is a value that you provide.After decoding hexidecimalString, the value must be valid ASN.1.

oid={text}String, where oid is the object identifier of the extension and String is a value that you provide.String must contain a textual representation of the extension value in a format specific to each object ID.When String is processed, it will be encoded into an ASN.1 extension value before being placed into the new certificate as an extension.

To specify that an extension is critical, insert {critical} immediately following oid= in any of the previous cases.

The object identifiers of some common extensions are as follows:

• Application Policy.1.3.6.1.4.1.311.21.10
• Application Policy Mappings.1.3.6.1.4.1.311.21.11
• Basic Constraints.2.5.29.19
• Certificate Policies.2.5.29.32
• Enhanced Key Usage.2.5.29.37
• Name Constraints.2.5.29.30
• Policy Mappings.2.5.29.33
• Subject Alternative Name.2.5.29.17

Application Policy1.3.6.1.4.1.311.21.10={text}token=value&token=value…The tokens have the following possible values:

• Flags.0xhexidecimalNumber
• GUID.A globally unique ID, such as this example: f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39
• Notice.Text notice
• OID.Object identifier in dotted decimal notation, such as this example: 1.2.3.4.5
• URL.The URL of a host, such as this example: http://computer07.contoso.com

To specify an Application Policy extension, specify the first object identifier, followed by zero or more other token=value entries.These entries are subordinate to the preceding object identifier.Specify subsequent object identifiers, each followed by its subordinate token=value entries.

Application Policy Mappings1.3.6.1.4.1.311.21.11={text}oid=oid&oid=oid…

Certificate Policies2.5.29.32={text}token=value&token=value…The tokens have the following possible values:

• Flags.0xhexidecimalNumber
• GUID.A globally unique ID, such as this example: f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39
• Notice.Text notice
• OID.Object ID in dotted decimal notation, such as this example: 1.2.3.4.5
• URL.The URL of a host, such as this example: http://computer07.contoso.com

To specify a Certificate Policies extension, follow the same syntax as an Application Policy extension.

Enhanced Key Usage Object Identifiers2.5.29.37={text}oid,oid…These key usages have the following object identifiers:

• Client Authentication.1.3.6.1.5.5.7.3.2
• Server Authentication.1.3.6.1.5.5.7.3.1
• Secure Email.1.3.6.1.5.5.7.3.4
• Code Signing.1.3.6.1.5.5.7.3.3
• Timestamp Signing.1.3.6.1.5.5.7.3.8

Name Constraints2.5.29.30={text}subtree=subtreeValue&token=value&token=value& …&subtree=subtreeValue&token=value&token=value…The subtreeValue can have the following values:

• Include.Permitted names
• Exclude.Excluded names

The tokens have the following possible values:

• DirectoryName.CN=Name,DC=Domain,DC=com
• DNS.A computer name in the following format: computer.contoso.com
• Email.An email address, such as this example: admin@contoso.com
• IPAddress.IPV4 address,IPV4 subnet mask or IPV6 address,IPV6 subnet mask
• RegisteredID.ID in dotted decimal notation, such as this example: 1.2.3.4.5
• UPN.A user principal name in the following format: admin@contoso.com
• URL.The URL of a host, such as this example: http://computer07.contoso.com/index.html

Policy Mapping2.5.29.33={text}oid=oid&oid=oid…

Subject Alternative Name Syntax2.5.29.17={text}token=value&token=value…The tokens have the following possible values:

• UPN.A user principal name in the following format: admin@contoso.com
• Email.An email address, such as this example: admin@contoso.com
• DNS.A computer name in the following format: computer.contoso.com
• DirectoryName.CN=Name,DC=Domain,DC=com
• URL.The URL of a host, such as this example: http://computer07.contoso.com/index.html
• IPAddress.An IP address
• RegisteredID.ID in dotted decimal notation, such as this example: 1.2.3.4.5
• GUID.A globally unique ID, such as this example: f7c3ac41-b8ce-4fb4-aa58-3d1dc0e36b39

Specifies the type of certificate that this cmdlet creates.The acceptable values for this parameter are:

• CodeSigningCert
• Custom
• DocumentEncryptionCert
• DocumentEncryptionCertLegacyCsp
• SSLServerAuthentication (default)

Shows what would happen if the cmdlet runs.The cmdlet is not run.

Inputs

Microsoft.CertificateServices.Commands.Certificate

The Certificate object can either be provided as a Path object to a certificate or an X509Certificate2 object.

Outputs

System.Security.Cryptography.X509Certificates.X509Certificate2

An X509Certificate2 object for the certificate that has been created.

Related Links

Use this tutorial to help you get started with Azure Key Vault Certificates to store and manage x.509 certificates in Azure. It walks you through the process of using Azure PowerShell to create a certificate self-signed or signed by supported certificate authority, import a certificate and retrieve the certificate with or without private key to use it with an Azure application.

Estimated time to complete: 30 minutes
Note:This tutorial does not include instructions for how to write the Azure application that will consume the certificate and how to authorize this application to use certificate in the key vault.

As usual, we value your input so please take a moment to join our advisory board, send us private feedback,and/or visit our forum.

For overview information about Azure Key Vault, see What is Azure Key Vault? and Get started with Azure Key Vault

Prerequisites

To complete this tutorial, you must have the following:

• An existing key vault that you have been using.
• A pfx file stored on your hard drive.
• Azure PowerShell, minimum version of 2.1.0.

  To install Azure PowerShell and associate it with your Azure subscription, see How to install and configure Azure PowerShell. If you have already installed Azure PowerShell and do not know the version, from the Azure PowerShell console, type (Get-Module azure -ListAvailable).Version.

This tutorial is designed for Azure PowerShell beginners who understand the basic concepts, such as modules, cmdlets, and sessions but it also assumes that you are familiar with Azure Key Vault and have gone through Get started with Azure Key Vault.

Start an Azure PowerShell session and sign in to your Azure account with the following command:

In the pop-up browser window, enter your Azure account user name and password. Azure PowerShell will get all the subscriptions that are associated with this account and by default, uses the first one. If you have multiple subscriptions, you might have to specify a specific one that was used to create your Azure Key Vault. Type the following to see the subscriptions for your account:

Then, to specify the subscription that's associated with your key vault, type:

For more information about configuring Azure PowerShell, see How to install and configure Azure PowerShell.

In our first getting started tutorial, our key vault name was ContosoKeyVault, so we'll continue to use that name and store the details into a variable named vaultName and also set the name for certificate created in the end as ContosoFirstCertificate

A newly created Key Vault by default has following permissions set for the creator of the vault:

Keys: get, create, delete, list, update, import, backup,
Secrets: 'all'
Certificates: ‘all’

A vault which was created before the introduction of certificates won’t have any permissions. And in this exercise we are using a previously created key vault and hence, the user would need to set explicit permissions. Type following to give permissions for all operations:

PermissionsToCertificates can also be set selectively by allowing only certain operations on the certificates. The list of operations on which permissions can be set are ‘Get, Delete, List, Create, Import, ManageContacts, GetIssuers, ListIssuers, SetIssuers and ‘all’.

Import an existing certificate to key vault

To import an existing certificate, you must have the certificate in a .PFX or PEM file format. If necessary, export an installed certificate with the private key (.PFX format) and a strong password, and save your certificate to your C: drive in a file named clientcert.pfx that you want to upload to Azure Key Vault. Type the following to set the variable securepfxpwd for a password of 123 for the .PFX file:

Then type the following to import the certificate from the .PFX file, which imports the certificate and monitors the lifetime of the certificate in the Key Vault service:

You can now reference this certificate that you created or uploaded to Azure Key Vault, by using its URI. Use https://ContosoKeyVault.vault.azure.net/certificates/ContosoFirstCertificate to always get the current version, and use https://ContosoKeyVault.vault.azure.net/certificates/ContosoFirstCertificate/24bb21dacfad4f178e3d00e9dd54c034 to get this specific version.
If you want to retrieve the pfx back i.e. the private key of the certificate then you use https://ContosoKeyVault.vault.azure.net/secrets/ContosoFirstCertificate to get the current version and use
https://ContosoKeyVault.vault.azure.net/secrets/ContosoFirstCertificate/24bb21dacfad4f178e3d00e9dd54c034

Create a self-signed certificate in key vault

To create certificates in key vault you will first create the certificate policy.

Type following to add a Self-Signed Certificate and use the above policy to be applied to create the certificate

Enroll programmatically from Public CA (Certificate Authority)

Azure Key Vault supports enrollment of certificates from Public CA such as DigiCert, and GlobalSign. Azure Key Vault goes on behalf of the user to enroll for certificates from one of the above issuers. In this process Issuer needs to authenticate the entity requesting the certificate and also authorize to receive the requested certificate. Each Issuer requires different set of information to do so and this needs to be set once in the Key Vault.

If you select DigiCert to be your certificate authority or Issuer to issue certificates then go through these one-time setup steps to configure DigiCert as one of the Issuer in your vault.

Note: Customer will need to have an existing account or go here to create one with DigiCert and get domains pre-vetted

If you select GlobalSign to be your Issuer then go through these one-time setup steps to configure GlobalSign as one of the Issuer in your vault.

Note: Customer will need to have an existing account or go here to create one with GlobalSign and get your domains pre-vetted

Create the certificate policy similar to creating the template that defines what needs to be in the certificate (SubjectName, SAN etc.), when to renew the certificate and from which Issuer the certificate is to be issued.

Request for a certificate based on the above set policy

Certificate enrollment in Key Vault is an asynchronous process. The Add-AzureKeyVaultCertificate will return back an operation object which will indicate the status of enrollment. You can poll the creation of Certificate till the status is returned as complete.

Once the certificate is created you can view at the newly issued certificate details by following cmdlet

Create a certificate manually and get signed by a CA

Powershell Get Certificate Information

Azure Key Vault supports to create the certificate signing request with private-public key pair and get it signed by any Certificate Authority of your choice. It could be internal enterprise CA or external public CA.

First create the certificate policy. Key Vault will not enroll or renew the certificate from the Issuer on behalf of the user as CA chosen in this scenario is not a supported one and hence the IssuerName is set to Unknown.

Create the certificate signing request

The $certificateOperation.CertificateSigningRequest is the base4 encoded certificate signing request for the certificate. You can take this blob and dump into Issuer’s certificate request website or use tools such as certreq or openssl to get the certificate request signed and complete the process of generating a certificate.

After the certificate request has been signed by the Issuer, you can bring back the signed certificate usually a file with .cer extension and merge it with the initial private-public key created in Azure Key Vault

Retrieve pfx file & add password back

A typical scenario is that the application would need to pull the pfx of the certificate to the machine where it is going to consume the certificate. Here is an example on how an application can retrieve the pfx from Azure Key Vault to consume it.

If the certificate file needs to be stored on the hard disk then it is good practice to encrypt it with a password.

Get public portion of Certificate from Certificates Endpoint

Type following to retrieve the certificate or the public portion and store in a file with *.cer extension.

Listing all the certificates from the management endpoint

Powershell Extract Certificate Private Key

For management purposes, you would want to know the certificates in your key vault and related information about it. You would retrieve these information by running following queries as below:

Powershell Export Private Key

Azure Key Vault certificates are auto renewed as per the configured certificate policy. Certificate policy is set to either say how many days before expiry do you want to renew the certificate or at what percentage of the lifetime of the certificate. And the policy also needs to have the Issuer value set to a supported Certificate Authority. In case where Certificate Authority needs authorization and authentication details then those should be set while adding the Issuer to the key vault.

Auto-renewal of certificates can fail due to misconfigured values or it can fail due to lack of funds and at times lack of incomplete vetting of domains. In any of the cases the Azure Key Vault Certificate Contact gets notified with the error message. You can choose to rectify the misconfigured values or add the required funds to your contract so that Azure Key Vault can go ahead and re-attempt the renewal. There will be few instances where Azure key Vault will notify the customer that it is better to manually enroll for the certificate mainly when it is very close to expiry. In such cases, you should go through and add a certificate using one of the above options.

Powershell Create Certificate With Private Key

Few other commands that you might find useful for managing Azure Key Vault Certificate are:

Powershell Generate Certificate With Private Keys

• Add-AzureKeyVaultCertificateContact -VaultName $vaultName -EmailAddress 'patti.fuller@contoso.com” The Add-AzureKeyVaultCertificateContact cmdlet adds a contact to an Azure Key Vault for certificate notifications. The contact receives updates about events such as certificate close to expiry, certificate renewed, and so on. These events are determined by the certificate policy.
• Stop-AzureKeyVaultCertificateOperation -VaultName $vaultName -Name $certificateName –Force This cmdlet cancels the certificate operation in process on the $certificateName object.
• Remove-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName Example how to remove a specific certificate.

Powershell Generate Certificate With Private Key West

For a list of the latest Azure PowerShell Certificate cmdlets for Azure Key Vault, see Azure Key Vault Cmdlets
For programming references, see the Azure Key Vault developer's guide.