How to export the private key where the associated private key is marked as not exportable

Hi All,

My name is amry and I am a beginner using Let's Encrypt. How do I export the private key on Windows? When I use mmc, the note in the Certificate Export Wizard says "the associated private key is marked as not exportable. Only the certificate can be exported".

Need help from your expertise. Thanks

Microsoft Management Console?


Please share some more information...
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I suspect a lot depends on what program/process you used to get the certificate into the Microsoft certificate store, and what system you're actually trying to get it into via exporting it. It's likely that going through this export process in mmc is the most convoluted way to do what you're actually trying to accomplish. You should be able to set up your ACME client to deploy your keys and certificates wherever you actually need them.


Hello Rip,

My domain is: license-mispark.mimos.my

I ran this command: & It produced this output:
A simple Windows ACMEv2 client (WACS)
Software version 2.2.6.1571 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task not configured yet
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options...
Q: Quit

Please choose from the menu: N

Running in mode: Interactive, Simple
Source plugin IIS not available: No IIS sites detected.

Please specify how the list of domain names that will be included in the
certificate should be determined. If you choose for one of the "all bindings"
options, the list will automatically be updated for future renewals to
reflect the bindings at that time.

1: Read bindings from IIS
2: Manual input
3: CSR created by another program
C: Abort

How shall we determine the domain(s) to include in the certificate?: 2

Description: A host name to get a certificate for. This may be a
comma-separated list.

Host: license-mispark.mimos.my

Source generated using plugin Manual: license-mispark.mimos.my
Installation plugin IIS not available: No IIS sites detected.

With the certificate saved to the store(s) of your choice, you may choose one
or more steps to update your applications, e.g. to configure the new
thumbprint, or to update bindings.

1: Create or update bindings in IIS
2: Start external script or program
3: No (additional) installation steps

Which installation step should run first?: 3

Plugin Manual generated source license-mispark.mimos.my with 1 identifiers
Plugin Single created 1 order
[license-mispark.mimos.my] Authorizing...
[license-mispark.mimos.my] Authorizing using http-01 validation (SelfHosting)
[license-mispark.mimos.my] Authorization result: valid
Downloading certificate [Manual] license-mispark.mimos.my
Store with CertificateStore...
Installing certificate in the certificate store
Adding certificate [Manual] license-mispark.mimos.my @ 2024/1/9 to store WebHosting
Adding Task Scheduler entry with the following settings

  • Name win-acme renew (acme-v02.api.letsencrypt.org)
  • Path C:\Users\Administrator\Downloads\win-acme.v2.2.6.1571.x64.pluggable
  • Command wacs.exe --renew --baseuri "https://acme-v02.api.letsencrypt.org/"
  • Start at 09:00:00
  • Random delay 04:00:00
  • Time limit 02:00:00
    Adding renewal for [Manual] license-mispark.mimos.my
    Next renewal due after 2024/3/4
    Certificate [Manual] license-mispark.mimos.my created

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (1 total)
O: More options...
Q: Quit

Please choose from the menu:

My web server is (include version): Version 2.24g

The operating system my web server runs on is (include version): Windows Server 2019 Standard

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no


Hi petercooperjr,

My web server cannot use certificates in the Windows certificate store directly.

I need to export and convert the certificate first, following the steps below.
Steps:
1.) Export certificate to pfx file (including private key)
2.) Extract private key: openssl pkcs12 -in [yourfile.pfx] -nocerts -out Server_.rsa.key
3.) Extract certificate: openssl pkcs12 -in [yourfile.pfx] -nokeys -out Server.rsa.crt
4.) Convert private key file: openssl rsa -in Server_.rsa.key -out Server.rsa.key -traditional

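The four steps in the post above, carried through as an added shell script (not from the thread, win-acme or Certify The Web) that also verifies the extracted key really belongs to the certificate before the files are handed to a web server. It assumes openssl is on PATH; the PFX it consumes is a constructed throwaway self-signed one, standing in for the file the Windows export wizard would produce.

```shell
#!/bin/sh
# Added example: PFX (PKCS#12) -> PEM key and certificate, plus a key/cert match check.
set -eu

# pfx_to_pem <file.pfx> <pfx-password> <outdir>
# Reproduces steps 2-4 of the post; output file names match the ones used there.
pfx_to_pem() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out"
    # Step 2: private key only. -nodes writes it unencrypted, hence the chmod below.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/Server_.rsa.key"
    # Step 3: leaf certificate only; -clcerts drops any CA certificates bundled in the PFX.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts -out "$out/Server.rsa.crt"
    # Step 4: rewrite as traditional "BEGIN RSA PRIVATE KEY" PEM. -traditional exists in
    # OpenSSL 3; OpenSSL 1.1 lacks the flag but already emits that format by default.
    openssl rsa -in "$out/Server_.rsa.key" -out "$out/Server.rsa.key" -traditional 2>/dev/null \
        || openssl rsa -in "$out/Server_.rsa.key" -out "$out/Server.rsa.key"
    chmod 600 "$out/Server_.rsa.key" "$out/Server.rsa.key"
}

# key_matches_cert <key.pem> <cert.pem>: succeeds only when both carry the same public key,
# which catches a key extracted from the wrong PFX before the web server rejects it.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# Constructed sample input (hypothetical name): a one-day self-signed cert packed into a PFX.
make_sample_pfx() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k.pem" -out "$dir/c.pem" \
        -subj "/CN=example.invalid" -days 1 >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" -passout pass:secret \
        -out "$dir/sample.pfx"
}
```

Run `make_sample_pfx /tmp/demo && pfx_to_pem /tmp/demo/sample.pfx secret /tmp/demo/out && key_matches_cert /tmp/demo/out/Server.rsa.key /tmp/demo/out/Server.rsa.crt` to exercise it end to end; the unencrypted key files should be deleted once the server has its copy.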

I'm guessing that you can configure WACS to just give you those files directly rather than trying to go through the Windows certificate store. Or if you can't, then you could easily switch to a different ACME client that can.


Here is a link to help you: ACME Client Implementations - Let's Encrypt


win-acme took the time to secure that cert into the Windows certificate store and now you want to export it from where it should not be exported. You are going about your solution all wrong.
You need to tell win-acme to renew the cert and save it as .pem files.
Then you can use those .pem files as you wish.
OR [as already mentioned]
You can get another Windows ACME client that might be able to automatically install the cert directly into whatever web service you need. [Have a look at: https://certifytheweb.com/]


For info, if you did try to create your cert in Certify The Web instead you would add a Deploy to Generic Server task to get the files you need. That task is just a rebranded version of our Deploy to Apache task, the docs for which are here: Deployment Task - Deploy to Apache | Certify The Web Docs

Note that when you do get your files exported and your new service pointing at them you generally also need to restart the service that's using the files so it picks up the latest.


To just use win-acme you should see their instructions for Apache (which are also the same for most things that want pem files): win-acme

