Summary: Thomas Rayner, Microsoft Cloud & Datacenter Management MVP, shows how to import a certificate into a KSP and bring it into the certificate store.

Hello! I’m Thomas Rayner, a proud Cloud & Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (@MrThomasRayner) or on my blog, Working Sysadmin: Figuring stuff out at work.

I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. This script has only been tested on Windows Server 2012 and later.

  Note   This is a five-part series that includes the following posts:

• Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1 Explore why you may need to perform this work, configure logging, and set up variables.
• Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 2 Back up your certification authority (CA) and test the script.
• Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3 Delete the certificate and crypto provider so they can be rebuilt as a KSP and SHA-256 solution.
• Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4 Import keys and certificate into a KSP.
• Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5 Modify the registry for SHA-256.

Bring it back, please

Yesterday we deleted some important items. Today we’re bringing them back in a happier, more future-proof way. There are only three steps today, but they’re pretty important. The first step is to restore the certification authority (CA) certificate and keys into KSP:

cmd.exe /c “certutil -p $Password -csp `”Microsoft Software Key Storage Provider`” -importpfx `”$(“$Drivename\$Foldername\$CAName.p12″)`””

Add-LogEntry $Logpath ‘Imported CA cert and keys into KSP’

This is a certutil command to restore the PFX we backed up in Part 2 into a Microsoft Software Key Storage Provider. I’m using the –p parameter to pass the password we used to perform the backup.

Now that I’ve restored into KSP, I can export the key from there so I can import the key itself:

cmd.exe /c “certutil -exportpfx -p $Password My $(“$CAName”) `”$(“$Drivename\$Foldername\NewCAKeys.p12″)`””

Add-LogEntry $Logpath ‘Exported keys so they can be installed on the CA’

Using certutil again, I’m exporting a PFX that is protected by the same password to NewCAKeys.p12 in my working directory. I can use certutil again to restore the key into the CA.

cmd.exe /c “certutil -p $Password -restorekey `”$(“$Drivename\$Foldername\NewCAKeys.p12″)`””

Add-LogEntry $Logpath ‘Restored keys into CA’

I’m going to wrap this in a Try/Catch block and add more logging:

Almost done! Now that I’ve got you operating a KSP instead of a CSP, tomorrow, I’m going to show you how to move from SHA-1 to SHA-256.

If you are in a big hurry and want the full script, you can find it on my blog: Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256. I’d sincerely recommend reading all of the posts in this series first, though, so you understand what it is you’re running.

~Thomas

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. Also check out my Microsoft Operations Management Suite Blog. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy