{"id":77141,"date":"2016-02-18T00:01:29","date_gmt":"2016-02-18T00:01:29","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/?p=77141"},"modified":"2019-02-18T09:19:50","modified_gmt":"2019-02-18T16:19:50","slug":"migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-4","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-4\/","title":{"rendered":"Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4"},"content":{"rendered":"<p><strong>Summary<\/strong>: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to import a certificate into a KSP and bring it into the certificate store.<\/p>\n<p>Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (<a href=\"https:\/\/twitter.com\/MrThomasRayner\">@MrThomasRayner<\/a>) or on my blog, <a href=\"http:\/\/workingsysadmin.com\/\" target=\"_blank\">Working Sysadmin: Figuring stuff out at work<\/a>.<\/p>\n<p>I recently had the chance to work with Microsoft PFE, Mike MacGillivray, on an upgrade of some Windows certification authorities, and I want to share some information about it with you. 
This script has only been tested on Windows Server 2012 and later.<\/p>\n<p><strong>Note<\/strong>: This is a five-part series that includes the following posts:<\/p>\n<ul>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/15\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-1\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 1<\/a>\nExplore why you may need to perform this work, configure logging, and set up variables.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/16\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-2\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 2<\/a>\nBack up your certification authority (CA) and test the script.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/17\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-3\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 3<\/a>\nDelete the certificate and crypto provider so they can be rebuilt as a KSP and SHA-256 solution.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/18\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-4\/\" target=\"_blank\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 4<\/a>\nImport keys and certificate into a KSP.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2016\/02\/19\/migrate-windows-ca-from-csp-to-ksp-and-from-sha-1-to-sha-256-part-5\/\">Migrate Windows CA from CSP to KSP and from SHA-1 to SHA-256: Part 5<\/a>\nModify the registry for SHA-256.<\/li>\n<\/ul>\n<h2>Bring it back, please<\/h2>\n<p>Yesterday we deleted some important items. 
Today we\u2019re bringing them back in a happier, more future-proof way. There are only three steps today, but they\u2019re pretty important. The first step is to restore the certification authority (CA) certificate and keys into the KSP:<\/p>\n<p style=\"padding-left: 30px\">cmd.exe \/c &quot;certutil -p $Password -csp `&quot;Microsoft Software Key Storage Provider`&quot; -importpfx `&quot;$(&quot;$Drivename\\$Foldername\\$CAName.p12&quot;)`&quot;&quot;<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'Imported CA cert and keys into KSP'<\/p>\n<p>This is a <strong>certutil<\/strong> command to restore the PFX we backed up in Part 2 into the Microsoft Software Key Storage Provider. I\u2019m using the <strong>-p<\/strong> parameter to pass the password we used to perform the backup.<\/p>\n<p>Now that the certificate and key are in the KSP, I can export them from there as a new PFX so that the key can be restored into the CA:<\/p>\n<p style=\"padding-left: 30px\">cmd.exe \/c &quot;certutil -exportpfx -p $Password My $(&quot;$CAName&quot;) `&quot;$(&quot;$Drivename\\$Foldername\\NewCAKeys.p12&quot;)`&quot;&quot;<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'Exported keys so they can be installed on the CA'<\/p>\n<p>Using <strong>certutil<\/strong> again, I\u2019m exporting a PFX that is protected by the same password to NewCAKeys.p12 in my working directory. 
I can use <strong>certutil<\/strong> again to restore the key into the CA.<\/p>\n<p style=\"padding-left: 30px\">cmd.exe \/c &quot;certutil -p $Password -restorekey `&quot;$(&quot;$Drivename\\$Foldername\\NewCAKeys.p12&quot;)`&quot;&quot;<\/p>\n<p style=\"padding-left: 30px\">Add-LogEntry $Logpath 'Restored keys into CA'<\/p>\n<p>I\u2019m going to wrap this in a Try\/Catch block and add more logging:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-18-16-1.png\"><img decoding=\"async\" class=\"alignnone size-medium wp-image-77143\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-2-18-16-1-300x69.png\" alt=\"Image of code\" width=\"300\" height=\"69\" \/><\/a><\/p>\n<p>Almost done! Now that I\u2019ve got you operating a KSP instead of a CSP, tomorrow I\u2019m going to show you how to move from SHA-1 to SHA-256.<\/p>\n<p>If you are in a big hurry and want the full script, you can find it on my blog: <a href=\"http:\/\/www.workingsysadmin.com\/quick-script-share-upgrade-windows-certificate-authority-from-csp-to-ksp-and-from-sha-1-to-sha-256\/\" target=\"_blank\">Upgrade Windows Certification Authority from CSP to KSP and from SHA-1 to SHA-256<\/a>. I\u2019d sincerely recommend reading all of the posts in this series first, though, so you understand what it is you\u2019re running.<\/p>\n<p>~Thomas<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. 
Also check out my <a href=\"https:\/\/blogs.technet.microsoft.com\/msoms\/\" target=\"_blank\">Microsoft Operations Management Suite Blog<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to import a certificate into a KSP and bring it into the certificate store. Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. You can find me on Twitter (@MrThomasRayner) or on my [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[568],"tags":[217,56,3,63,652,45],"class_list":["post-77141","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hey-scripting-guy","tag-certificates","tag-guest-blogger","tag-scripting-guy","tag-security","tag-thomas-rayner","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Thomas Rayner, Microsoft Cloud &amp; Datacenter Management MVP, shows how to import a certificate into a KSP and bring it into the certificate store. Hello! I\u2019m Thomas Rayner, a proud Cloud &amp; Datacenter Management Microsoft MVP, filling in for The Scripting Guy this week. 
You can find me on Twitter (@MrThomasRayner) or on my [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/77141","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=77141"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/77141\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=77141"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=77141"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=77141"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}