How to Install a PFX Certificate through Code?

IIS

Go to IIS > Server Certificates > Export Certificate

C#

Install Certificate to Current User.

X509Certificate2 certificate = new X509Certificate2(“C:\\Certificates\\IISExported.pfx”, “Password”);
X509Store xstore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
xstore.Open(OpenFlags.ReadWrite);
xstore.Add(certificate);
xstore.Close();

Testing C#

Try getting the Certificate back.

X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindByThumbprint, certificate.Thumbprint, false);
if (col == null || col.Count == 0)
{
     Console.WriteLine(“ERROR: Certificate not found with thumbprint”);
}
else
     Console.WriteLine(“Found: ” + col[0].FriendlyName);

Create Certificates (.CER & .PFX)

Certificates provide better Authentication than Passwords.   Certificates has to be procured from Signing authorities & will be installed with application through Deployment Team.

Note However it is better for Developer to know all these – if anything screwed up can help back them.

Development Certificates

For development purposes we can use IIS Certificates.

Step 1: Create Certificate

Go to IIS > Server Certificates > Create Self-signed Certificate

image

You will get the new certificate listed as below.

image

Step 2: Export to .CER Format

Double-click on the certificate, Go to Details tab & Click Copy to File button.

Continue the wizard & You will get a .CER file output.

image

Step 3: Export to .PFX Format

Now right click on the item & click Export option.

Enter the Password & after export you will get a .PFX certificate.

image

Outputs

You can go the folder & see 2 files are created.

image

Summary

In this post we have seen how to create a certificate, export as .CER & .PFX file.

Azure Create Key Vault, Certificate & Associate using PowerShell

Following PowerShell Script will perform the following:

  • Create Azure Key Vault
  • Create Certificate
  • Create Azure App Registration
  • Associate Certificate to App Registration
  • Display the Thumbprint

PowerShell Scripts

Clear

# Set Variables
  $KeyVault = “NewKeyVaultMar2020”
  $ResourceGroup = “jp-resource-group”
$location = “East US”

$PfxFilePath = ‘YourCertificate.pfx’
  $CerFilePath = ‘C:\Certificates\YourCertificate.cer’
  $DNSName = ‘yourdns.yourdomain.com’
  $Password = ‘Password$$1!”‘
  $StoreLocation = ‘CurrentUser’
  $CertBeginDate = Get-Date
  $CertExpiryDate = $CertBeginDate.AddYears(1)

$UniqueName = New-Guid
$UniqueName -replace’-‘, ”
$UniqueName
$URL = ‘http://’ + $UniqueName

#Print
  $URL

# Connect to Azure
  Connect-AzureRmAccount

# Create Key Vault
  New-AzureRmKeyVault -Name $KeyVault -ResourceGroupName $ResourceGroup -Location $location

# Create Secret
$SecretValue = ConvertTo-SecureString $Password -AsPlainText -Force
  $Secret = Set-AzureKeyVaultSecret -VaultName $KeyVault -Name ‘SQLPassword’ -SecretValue $SecretValue
  (get-azurekeyvaultsecret -vaultName $KeyVault -name “SQLPassword”).SecretValueText

# Create Certificate
  $SecStringPw = ConvertTo-SecureString -String $Password -Force -AsPlainText
  $Cert = New-SelfSignedCertificate -DnsName $DNSName -CertStoreLocation “cert:\$StoreLocation\My” -NotBefore $CertBeginDate -NotAfter $CertExpiryDate -KeySpec Signature
  Export-PfxCertificate -cert $Cert -FilePath $PFXFilePath -Password $SecStringPw
  Export-Certificate -cert $Cert -FilePath $CerFilePath

$x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
  $x509.Import($CerFilePath)
  $credValue = [System.Convert]::ToBase64String($x509.GetRawCertData())
 
  $adapp = New-AzureRmADApplication -DisplayName “Your Web Application” -HomePage $URL -IdentifierUris $URL -CertValue $credValue -StartDate $x509.NotBefore -EndDate $x509.NotAfter
  $sp = New-AzureRmADServicePrincipal -ApplicationId $adapp.ApplicationId
  Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVault -ServicePrincipalName $URL -PermissionsToSecrets get,list,set,delete,backup,restore,recover,purge -ResourceGroupName $ResourceGroup

#Print Thumbprint
  $x509.Thumbprint

Execution

Open PowerShell ISE in Administrative Mode

Change the Key Vault Name to a New Unique One

Change the Resource Group Name to yours

Run the PowerShell

Enter Login Information when Prompted

image

Validation

Once successfully executed you can see the following:

  • Key Vault
  • Azure App Registration
    • Certificate

image