Question
Wednesday, April 6, 2016 9:47 PM
In a handful of instances (LDAP over SSL most commonly [ref. http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx]) you may find yourself needing to import a PFX or P12 file into a service account location, such as NTDS\Personal.
To successfully import the PFX you will need to be on the actual server on which you want to import the file. If you attempt to import the PFX remotely you get the following error message: " Importing a .pfx or .p12 file to a remote certificate store is not supported."
Normally you can simply log into that server and add the PFX via the MMC Certificates snap-in. Unfortunately, you cannot do this if you are running Server Core. Intuitively you may try a certutil command such as: certutil -f -service -importpfx "NTDS\Personal" CERTNAME.pfx. You will find that all you get is an error message indicating that -service is an unexpected parameter.
Here is what you can do to successfully import that pesky PFX into the NTDS location. In this example we will assume that you want to import the certificate into the NTDS\Personal store on your Server Core Domain Controller:
1. On your Server Core Domain Controller, import the PFX file into your local computer personal store: certutil -importpfx MYCERTNAME.pfx
2. Dump the local computer personal store: certutil -store my
3. Find the certificate that you imported based on the Template name and NotBefore and NotAfter attributes in the output
4. Make a note of the Cert Hash (also known as the 'Thumbprint'). In this example we will be using 4d625a11ae1af2beb0275495c7d10cd56a1c5a13
Note: The registry now contains the certificate in the following location: HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\4d625a11ae1af2beb0275495c7d10cd56a1c5a13
5. Export the registry key to a file: reg export HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\4d625a11ae1af2beb0275495c7d10cd56a1c5a13 FILENAME.reg
6. Move the FILENAME.reg file to a machine where you can edit it on Notepad
7. Make the following changes to the top/header of the FILENAME.reg file in Notepad:
Change:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\4d625a11ae1af2beb0275495c7d10cd56a1c5a13]
to:
[HKLM\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\4d625a11ae1af2beb0275495c7d10cd56a1c5a13]
This is the registry path to the NTDS\Personal store
8. Save the changes
9. Move the FILENAME.reg file back to the Server Core Domain Controller
10. Import the FILENAME.reg file back into the registry: regedt32 /s FILENAME.reg
11. Delete the certificate from the Local Computer Personal Store: certutil -delstore My 4d625a11ae1af2beb0275495c7d10cd56a1c5a13
12. Now to make the certificate appear in the NTDS\Personal store, force Active Directory to rebind to the certificate by rebooting the DC.
All replies (3)
Thursday, August 4, 2016 8:40 PM
Step 10 is not working. Registry editor indicates that the import was successful, but neither the key nor the certificate data appear under the ...\NTDS\SystemCertificates\My\Certificates key. Any ideas?
Server 2012R2 Core
[HKLM\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\BF02E05EF682461ECD53752875B8D02A98B05A4F]
"Blob"=hex:
Wednesday, November 15, 2017 3:05 PM | 2 votes
Hello, you can use this little PowerShell script to import a PFX and move it to another store.
# Prompt for the PFX password as a SecureString (never put it on the command line)
$mypwd = Read-Host "Enter Password for PFX-File" -AsSecureString
# Import the PFX into the machine Personal store; the returned object carries the thumbprint
$cert = Import-PfxCertificate -Password $mypwd -FilePath "C:\temp\fuu.pfx" -CertStoreLocation cert:\localMachine\my
# Move the certificate's registry key from the machine store into the service store (replace [ServiceName], e.g. NTDS)
Move-Item "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$($cert.Thumbprint)" "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\[ServiceName]\SystemCertificates\MY\Certificates\"
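The following is an added example, not code from this thread: it wraps the manual registry procedure from the question and _TWX_'s Move-Item approach in one function with the checks a practitioner would want (private key present, source key exists, no duplicate in the target store, move verified). It assumes the PKI module's Import-PfxCertificate is available (Windows Server 2012 R2 and later) and that it runs elevated on the target server itself; the function name, parameters and sample paths are my own.

```powershell
function Import-PfxToServiceStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $ServiceName = 'NTDS'   # service whose Personal store receives the cert
    )

    $machineMy = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates'
    $serviceMy = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\$ServiceName\SystemCertificates\MY\Certificates"

    if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX not found: $PfxPath" }

    # 1. Import into LocalMachine\My. The private key lands in the machine key store,
    #    which LocalSystem services such as NTDS can read. A PFX may carry a chain, so
    #    keep only the certificate that actually has a private key.
    $cert = @(Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password) |
        Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key was imported from $PfxPath" }
    $thumb = $cert.Thumbprint

    # 2. Sanity checks before touching the registry.
    $src = "$machineMy\$thumb"
    if (-not (Test-Path -LiteralPath $src)) { throw "Expected registry key missing: $src" }
    if (-not (Test-Path -LiteralPath $serviceMy)) {
        # The service store key may not exist yet; create it so Move-Item has a container.
        New-Item -Path $serviceMy -Force | Out-Null
    }
    if (Test-Path -LiteralPath "$serviceMy\$thumb") {
        throw "Certificate $thumb is already present in the $ServiceName store."
    }

    # 3. Move (not copy) the key, so no duplicate is left in LocalMachine\My
    #    (this is what step 11 of the manual procedure cleans up).
    if ($PSCmdlet.ShouldProcess("$serviceMy\$thumb", "Move certificate $thumb from LocalMachine\My")) {
        Move-Item -LiteralPath $src -Destination $serviceMy
    }

    # 4. Verify the move and return the thumbprint for logging.
    if (-not (Test-Path -LiteralPath "$serviceMy\$thumb")) {
        throw "Move failed; $thumb not found under $serviceMy"
    }
    Write-Verbose "Certificate $thumb is now in $ServiceName\Personal. Restart the DC so AD binds the new certificate."
    return $thumb
}

# Usage with constructed values: prompt for the password, then import and move.
# $pw = Read-Host 'PFX password' -AsSecureString
# Import-PfxToServiceStore -PfxPath 'C:\temp\ldaps.pfx' -Password $pw -ServiceName 'NTDS' -Verbose
```

Run it with -WhatIf first to see the registry move it would perform without changing anything.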
Wednesday, August 7, 2019 8:48 AM
I just came here to say thanks to HiroWat for taking the time to post a solution for others to find - this was exactly the problem I encountered when attempting to import a PFX onto my Server Core DC for LDAPS.
And thanks to _TWX_ for an even easier solution. It worked perfectly. A note to others: just make sure when pasting _TWX_'s commands that you edit the last line and replace "[ServiceName]" with "NTDS".