First time BuyPass Go fails pfx export

Miesepies · November 27, 2020, 2:04pm

I decided to request a BuyPass Go certificate. The request itself went fine but the export to pfx failed:

2020-11-27 14:29:29.877 +01:00 [ERR] Certificate request process failed: System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine. :Can not find issuer ‘C=NO,O=Buypass AS-983163327,CN=Buypass Class 2 Root CA’ for certificate ‘C=NO,O=Buypass AS-983163327,CN=Buypass Class 2 CA 5’.

The pfx export fails because it cannot find the root certificate. The BuyPass Class 2 root is by default not in the trusted root store. Apparently this certificate is installed on first use…

So I have problem here. The certificate cannot be exported, but as long as I don’t open a BuyPass Go certificate the root won’t be available.

Is it required to include the root certificate itself in the pfx? Isn’t it enough to include just the intermediate/issueing ca certificate, just as you would on a web server?

Miesepies · November 27, 2020, 2:28pm

Just checked, the class 2 root ca is installed when a certificate from this chain is opened (been doing windows administration for a long time, but didn’t know this feature ).

Had to restart Certify and Certify service before it would find and accept the root certificate…
pfx is now correctly exported.

webprofusion · November 30, 2020, 2:45am

Out of interest, which version of Certify are you running? When the cert fails to build it should then refresh it’s cache of Root CA certs and try again.

Miesepies · November 30, 2020, 8:09am

This is with version 5.2.0.

webprofusion · December 1, 2020, 12:10am

Thanks, the ACME protocol doesn’t provide a way for us to fetch root certificates automatically, so really we need to build an API for that and build it into Certify. There are some debatable security concerns around auto installing root certs. The workaround is for people to install the root certs manually.

webprofusion · December 1, 2020, 12:12am

Regarding exports, I’ll check that out as clearly there’s something different about it. Are you using the PFX option of the Certificate Export deployment task or are you using your own script?

Miesepies · December 1, 2020, 8:11am

In this case it’s a feature of Windows itself. If I read it correctly, crypt-something.dll contains a lot of extra Microsoft trusted root certificates, which are installed in the trusted root store on the machine when required. It’s also possible to download all the root certificates from Microsoft’s update servers…

Miesepies · December 1, 2020, 8:14am

Neither, I just let Certify store the certificate in the default location (programdata\certify…).

webprofusion · December 1, 2020, 10:16am

Thanks, I was confused when you said to managed to get the certificate ok but it failed when you exported it. So it sounds like your certificate request fails at the build stage (when we verify the chain) before it gets to the point where the certificate can be copied or used for anything.

Miesepies · December 1, 2020, 10:38am

Ah sorry, I should’ve been more clear in when it failed.
Yes that is correct, it fails during building the pfx after the certificate request. But as explained, this will only happen once, since the root certificate is now added to the root store (unless you decide to delete the certificate from the trusted roots store )