Scripting Advice on Win Server 2016

Hi,

I have CTW running just fine with IIS though I would like to use the certs for FileZilla and also my small email server.

I have read that the certs are held within a pfx file in the "C:\Users\Administrator\Documents\SSL_Certs" folder

I did find a small instruction in this forum for FileZilla and also for extracting the certs inside the pfx but I can't get it to work.
My locations are…
OpenSSL is located at - C:\Program Files\OpenSSL-Win64
Where the pfx file is located - C:\ProgramData\Certify\certes\assets\pfx
Where I want to store the extracted cert files - C:\Users\Administrator\Documents\SSL_Certs
CTW installed at C:\Program Files\CertifyTheWeb

Here is the PowerShell script:

```powershell
# required to access the $result parameter
param($result)

# Alias to your OpenSSL install
Set-Alias ossl "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"

# set PFXFILEPATH in Environment Variables to C:\ProgramData\Certify\certes\assets\pfx
# set PRIVATEKEYPATH in Environment Variables to "C:\Users\Administrator\Documents\SSL_Certs"
# set CERTPATH in Environment Variables to "C:\Users\Administrator\Documents\SSL_Certs"
# (PowerShell reads environment variables as $env:NAME; the cmd.exe %NAME% form is not expanded)
ossl pkcs12 -in $env:PFXFILEPATH -nocerts -nodes -passin pass: -out $env:PRIVATEKEYPATH
ossl pkcs12 -in $env:PFXFILEPATH -chain -nokeys -nodes -passin pass: -out $env:CERTPATH

# Update keypath to where your keys will be saved and their names.
# Join-Path supplies the backslash between the folder and the file name.
$keypath = "C:\Users\Administrator\Documents\SSL_Certs"
$key = Join-Path $keypath "letsencrypt.key"
$rsakey = Join-Path $keypath "letsencrypt_rsa.key"
$pem = Join-Path $keypath "letsencrypt.pem"

# Get the latest PFX file path
$pfx = $result.ManagedItem.CertificatePath

# Create the Key, RSA Key, and PEM file. Use the RSA Key & PEM for FileZilla
ossl pkcs12 -in $pfx -out $key -nocerts -nodes -passin pass:
ossl rsa -in $key -out $rsakey
ossl pkcs12 -in $pfx -out $pem -nokeys -clcerts -passin pass:
```

Any ideas why it does not work?
Thanks

Hi, you mention that you can't get it to work - does it just not create the file where you expect it? Can you run the script manually from the PowerShell ISE and replace the $result.ManagedItem.CertificatePath with the actual path to a sample pfx? Can the app write to the output path, or does that folder need special permissions (the background service runs as Local System)?

Be careful with double-quotes that are copied from things that like to mangle them. This text contains \u201C and \u201D. A standard double-quote is \u0022. Maybe PowerShell doesn’t care, but I would not risk it.

Are you actually setting the environment variables listed in the comments? I don’t think you’d be able to set the PFXFILEPATH variable correctly as it is dynamic. Also, what’s the point of doing the conversion here and down below separately? I would advise removing this section and only do the conversion down below that uses the $pfx variable.

Lastly, this may or may not be a problem… but your PEM only has the immediate client certificate. Some clients need more help in the form of the entire certificate chain. Consider replacing the -clcerts flag with -chain. I don’t think it will hurt anything to include more.

The good news is that the next version of the app will have this type of thing (export in various formats to the location of your choice, even remote Windows/Linux etc.) available as a deployment step with a UI to go with it. The bad news is that release is probably still a couple of months away.
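The script below is an added example, not the original poster's script and not Certify The Web's own code. It reworks the post-request script along the lines of the replies above: it drops the environment-variable section, builds the output paths with Join-Path, checks that the OpenSSL binary, the PFX and a writable output folder exist before running anything, fails on a non-zero OpenSSL exit code, and writes all certificates bundled in the PFX (leaf plus intermediates) rather than only the client certificate. The OpenSSL location and the SSL_Certs folder are taken from the thread; the `-PfxPath` parameter, the `Write-Log` and `Invoke-OpenSsl` helpers and the `icacls` step are assumptions added here for manual testing and for keeping the unencrypted key files readable only by SYSTEM and Administrators.

```powershell
# Added example, not the original poster's script or Certify The Web's code.
# Assumed paths (from the thread): OpenSSL at C:\Program Files\OpenSSL-Win64\bin\openssl.exe,
# output folder C:\Users\Administrator\Documents\SSL_Certs.
param(
    $result,               # supplied by Certify The Web when run as a post-request script
    [string]$PfxPath = ''  # optional: pass a sample .pfx to test from the PowerShell ISE
)

$ErrorActionPreference = 'Stop'

$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
$outDir  = 'C:\Users\Administrator\Documents\SSL_Certs'
$logFile = Join-Path $outDir 'export.log'

function Write-Log([string]$Message) {
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
}

# Run one OpenSSL command and stop the script if it returns a non-zero exit code.
function Invoke-OpenSsl([string[]]$Arguments) {
    & $openssl @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "openssl $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Resolve the PFX: Certify passes it in $result; a manual run passes -PfxPath instead.
if (-not $PfxPath) { $PfxPath = $result.ManagedItem.CertificatePath }
if (-not $PfxPath -or -not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX file not found: '$PfxPath'"
}
if (-not (Test-Path -LiteralPath $openssl)) {
    throw "OpenSSL not found at '$openssl'"
}

# 2. Make sure the output folder exists and is writable by the account running the
#    script (the Certify background service runs as Local System).
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$probe = Join-Path $outDir '.write-test'
Set-Content -Path $probe -Value 'ok'
Remove-Item -Path $probe
Write-Log "Exporting from $PfxPath"

# 3. Build output paths with Join-Path so folder and file name are never
#    concatenated without a backslash.
$key    = Join-Path $outDir 'letsencrypt.key'      # unencrypted private key
$rsaKey = Join-Path $outDir 'letsencrypt_rsa.key'  # traditional RSA format for FileZilla
$pem    = Join-Path $outDir 'letsencrypt.pem'      # leaf certificate plus CA certs from the PFX

# Certify writes the PFX with an empty password, hence -passin pass:
Invoke-OpenSsl @('pkcs12', '-in', $PfxPath, '-nocerts', '-nodes', '-passin', 'pass:', '-out', $key)
Invoke-OpenSsl @('rsa', '-in', $key, '-out', $rsaKey)
# No -clcerts filter: when parsing a PFX, pkcs12 writes every certificate it contains,
# which gives chain-sensitive clients the intermediates as well as the leaf.
Invoke-OpenSsl @('pkcs12', '-in', $PfxPath, '-nokeys', '-passin', 'pass:', '-out', $pem)

# 4. Verify that every expected file was produced and is not empty.
foreach ($f in @($key, $rsaKey, $pem)) {
    if (-not (Test-Path -LiteralPath $f) -or (Get-Item -LiteralPath $f).Length -eq 0) {
        throw "Expected output missing or empty: $f"
    }
}

# 5. The key files are unencrypted: remove inherited ACLs and allow only SYSTEM and
#    Administrators to read them (assumption: FileZilla runs as Local System; adjust
#    the principal if it runs under another account).
foreach ($f in @($key, $rsaKey)) {
    icacls $f /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
}

Write-Log "Export complete: $key, $rsaKey, $pem"
```

To test it outside Certify, save it as a .ps1 and run it from an elevated PowerShell ISE with `.\export-certs.ps1 -PfxPath 'C:\path\to\sample.pfx'`; any failure (missing OpenSSL, unreadable PFX, folder not writable, OpenSSL error) stops the script with a message and is recorded in export.log, so "it does not work" becomes a specific step.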