Generate certificate for Microsoft Powerapps

Hi, I need to generate an SSL certificate with these requirements: Add custom certificates | Microsoft Learn

I'll list them here also:

  • Signed by a trusted certificate authority ( This should be fine, it was signed by LE )
  • Exported as a password-protected PFX file. ( It has a password )
  • Contains private key at least 2048 bits long ( openssl rsa -in privkey.pem -text -noout says Private-Key: (2048 bit, 2 primes))
  • Contains all intermediate certificates in the certificate chain ( NOT SURE )
  • Must be SHA2 enabled; SHA1 support is being removed from popular browsers ( openssl rsa -in privkey.pem -text -noout says Signature Algorithm: sha256WithRSAEncryption )
  • PFX file must be encrypted with TripleDES encryption; Power Pages doesn't support AES-256 encryption ( NOT SURE )
  • Contains an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1). ( NOT SURE )

What I did:

sudo certbot certonly --manual --preferred-challenges dns -d subdomain.domain.com
openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out certificate.pfx

But when importing I get a "Server error", so something must be wrong.

My question is this: with the way I generated the PFX, does it meet those requirements?

I tried to add -des3 to the openssl command but it says Warning: output encryption option -des3 ignored with -export
My guess is that's what is missing, the TripleDES encryption, but I can't figure out how to do it using openssl.

Well, it'd be more helpful if it could tell you what was wrong.

If you actually need it to be an RSA key, then you should add --key-type RSA to your certbot command. Certbot (and most of the rest of the world) has moved on to ECDSA being the default.

Hmm. Did it prompt you for a password when doing the export? If so, I would expect that it would have been what you were looking for.

Really, though, this whole process of manually updating things and converting formats is probably the most convoluted way of doing what you're looking for. It should be possible to have whatever system you're trying to secure request the certificates itself, or use some software that already knows how to integrate with it. I haven't used that system myself, but in general I thought Microsoft "cloud" systems could handle managing their own certificates.

3 Likes

> Really, though, this whole process of manually updating things and converting formats is probably the most convoluted way of doing what you're looking for. It should be possible to have whatever system you're trying to secure request the certificates itself, or use some software that already knows how to integrate with it. I haven't used that system myself, but in general I thought Microsoft "cloud" systems could handle managing their own certificates.

Haha, my thoughts exactly, but no, they manage the SSL with their domains, if you want to add your own, they ask for a PFX certificate. I don't know why, it's such a pain.

> Well, it'd be more helpful if it could tell you what was wrong.

All it says is SSL binding record could not be create because of a Server error. Please try again.

> If you actually need it to be an RSA key, then you should add --key-type RSA to your certbot command. Certbot (and most of the rest of the world) has moved on to ECDSA being the default.

Requirement says Contains private key at least 2048 bits long, I don't see anything about RSA though.

> Hmm. Did it prompt you for a password when doing the export? If so, I would expect that it would have been what you were looking for.

Yes it did

openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out certificate.pfx -des3
Warning: output encryption option -des3 ignored with -export
Enter Export Password:

Well, ECDSA keys aren't that long, so it's likely that they're only thinking of RSA when they say that.

It may be that your openssl is too new to support 3DES, since it's not really considered strong for a long time now.

NIST recommends it no longer be used entirely as of the end of this year (coming up fast), see page 7 of this report published a few years ago, where it's called TDEA.

3 Likes

All LE certs contain:
[image not included in this copy]

2 Likes

I found this in openssl documentation

-descert
Encrypt the certificates using triple DES. By default the private key and the certificates are encrypted using AES-256-CBC unless the ‘-legacy’ option is used. If ‘-descert’ is used with the ‘-legacy’ then both, the private key and the certificates are encrypted using triple DES.

I have tried the key from below and it says The password entered is incorrect or the encryption method used by the certificate is not supported. So this one is worse than the other one; at least there it let me get past entering the password. Maybe because it's not SHA2?

sudo certbot certonly --key-type rsa --manual --preferred-challenges dns -d subdomain.domain.com
openssl pkcs12 -descert -legacy -export -inkey privkey.pem -in fullchain.pem -out certificate.pfx

> NIST recommends it no longer be used entirely as of the end of this year (coming up fast), see page 7 of this report published a few years ago, where it's called TDEA.

I'm waiting for Microsoft to wake up

Is the cert type RSA?
You can check easily with the output of:
certbot certificates

That may take a while!
LOL

2 Likes

Renewal configuration file /etc/letsencrypt/renewal/subdomain.domain.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribute 'verifier'. Skipping.

When I run certbot certificates

// If it was by me, I would not go for Microsoft ever.

How did you install Certbot and what system is it running on?

Does this show anything?

sudo certbot --version

2 Likes

certbot --version
certbot 1.21.0

I'm on Linux Mint.
Today I did apt purge certbot and apt install certbot, if it matters; I wanted to clear the /etc/letsencrypt folder.

Hmm. Might be affected by this.

Your 1.21 is pretty old. Are you able to install snap version on that Linux? Or even a pip/venv setup to get more current?

5 Likes

Thanks, I did not know it was that old; I installed it via snap.

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Key Type: RSA

1 Like

sudo certbot certonly --key-type rsa --manual --preferred-challenges dns -d domain.com

openssl rsa -in privkey.pem -text -noout
Private-Key: (2048 bit, 2 primes)

openssl pkcs12 -descert -legacy -export -inkey privkey.pem -in fullchain.pem -out certificate.pfx
Enter Export Password:

certbot certificates
Key Type: RSA

  • Signed by a trusted certificate authority ( Done )
  • Exported as a password-protected PFX file. ( Done )
  • Contains private key at least 2048 bits long ( Done )
  • Contains all intermediate certificates in the certificate chain ( Done )
  • Must be SHA2 enabled; SHA1 support is being removed from popular browsers ( Not done!? )
  • PFX file must be encrypted with TripleDES encryption; Power Pages doesn't support AES-256 encryption ( Done I guess, I used -descert -legacy )
  • Contains an Extended Key Usage for server authentication (OID = 1.3.6.1.5.5.7.3.1). ( Done, @rg305 said all LE have it )

That would leave only SHA2? I don't know if it is possible to check from the files.
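The requirement list at the top of the thread and the question here ("I don't know if it is possible to check from the files") can both be answered from the PFX alone with the openssl CLI. The script below is an added example, not code from the thread or from any of the posters: it reads the key and the leaf certificate back out of the PFX and reports key size, key type, signature hash, the serverAuth EKU, the number of certificates bundled (1 means the chain is missing), and the PBE algorithm protecting the key. It assumes an openssl 1.1.1 or 3.x binary on PATH; the file path and password are passed as arguments and the function names are my own.

```shell
#!/bin/sh
# Added example: verify a PFX against the requirements quoted in the thread.
# Assumes the openssl CLI (1.1.1 or 3.x). Usage: sh check_pfx.sh certificate.pfx 'password'
set -eu

# Number of certificates in the bundle. 1 = leaf only (no intermediates), >= 2 = chain included.
pfx_cert_count() {                      # $1 = pfx file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Size of the private key in bits (works for RSA and ECDSA keys alike).
pfx_key_bits() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -noout -text \
        | grep -oE '[0-9]+ bit' | head -n 1 | cut -d' ' -f1
}

# Public key algorithm of the leaf certificate, e.g. rsaEncryption or id-ecPublicKey.
pfx_key_type() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text \
        | awk '/Public Key Algorithm:/ { print $NF; exit }'
}

# Signature algorithm of the leaf certificate; anything sha256/384/512 satisfies "SHA2".
pfx_leaf_sig_alg() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text \
        | awk '/Signature Algorithm:/ { print $NF; exit }'
}

# Exit status 0 when the leaf carries the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1).
pfx_leaf_has_server_auth() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# PBE algorithm protecting the private key inside the PFX. openssl prints this
# summary on stderr, hence the 2>&1. A 3DES-protected key shows as
# "pbeWithSHA1And3-KeyTripleDES-CBC, Iteration N"; an AES-256 one as "PBES2, PBKDF2, AES-256-CBC, ...".
pfx_key_encryption() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 \
        | awk -F': ' '/Shrouded Keybag:/ { print $2; exit }'
}

# Report all checks when invoked with a file and a password.
if [ "$#" -ge 2 ]; then
    pfx=$1; pw=$2
    echo "certificates in bundle : $(pfx_cert_count "$pfx" "$pw")"
    echo "private key            : $(pfx_key_type "$pfx" "$pw"), $(pfx_key_bits "$pfx" "$pw") bit"
    echo "leaf signature         : $(pfx_leaf_sig_alg "$pfx" "$pw")"
    if pfx_leaf_has_server_auth "$pfx" "$pw"; then
        echo "EKU serverAuth         : present"
    else
        echo "EKU serverAuth         : MISSING"
    fi
    echo "key encryption in PFX  : $(pfx_key_encryption "$pfx" "$pw")"
fi
```

On an OpenSSL 3 system the key line is the one to watch: a plain -export produces "PBES2, PBKDF2, AES-256-CBC", while -descert -legacy (or, without the legacy provider, -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES) produces the TripleDES entry the requirement asks for.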

If I'm understanding the openssl options properly (which I might not be), -descert encrypts the certificate in addition to the private key. Not sure if that's what your requirements are looking for or not.

SHA1 support in certificates ended a long time ago; you assuredly have an SHA2 certificate.

3 Likes

I found out the problem, it had nothing to do with openssl.

Have created the certificate like this:

certbot certonly --key-type rsa --manual --preferred-challenges dns -d domain.com
openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out certificate.pfx

Problem was that when I tried to upload it from the browser, the certificate was owned by root, after changing the ownership it worked.

Then, of course I activated their CDN and there was no need for all this because it takes care of the SSL :neutral_face:

Thank you so much for your help.
Have a good day!

2 Likes

As an aside you can also generate one of these using https://certifytheweb.com quite easily (no scripting or command line) if you use the DNS validation option, you just need to set your preferred PFX password under Certificate > Advanced > Signing & Security, all the other defaults will match and the output is PFX. You can add an Export Certificate task to copy the PFX to wherever you want it.

SHA2 is typically anything that's not SHA1, most apps will generate SHA 256 or higher by default when generating a PFX. The TripleDES vs AES-256 (private key encryption algorithm) thing is surprisingly nuanced as some versions of windows will only cope with TripleDES.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.