Help needed with cmdlet New-SelfSignedCertificate, missing Authority Key Identif

    • #139138
      Participant
      Topics: 2
      Replies: 1
      Points: 27
      Rank: Member

      I am trying to make a self certificate without the prompt; c:\Program Files (x86)\Microsoft Office\root\Office16\selfcert.exe does prompt for a name …. I am using the PowerShell cmdlet New-SelfSignedCertificate, but looking at the extensions, the result seems to be missing the Authority Key Identifier?

      Original created using selfcert.exe shows:

      PS C:\> gci cert:\CurrentUser\My | ?{ $_.Subject -eq "CN=XAVIER"} | %{ $_.extensions | %{ $_.oid | fl *} }

      Value : 2.5.29.37
      FriendlyName : Enhanced Key Usage

      Value : 2.5.29.1
      FriendlyName : Authority Key Identifier

       

      Mine created using powershell cmdlet shows:

      PS C:\> gci cert:\CurrentUser\My | ?{ $_.Subject -eq "CN=XAVIER_TEST"} | %{ $_.extensions | %{ $_.oid | fl *} }

      Value : 2.5.29.37
      FriendlyName : Enhanced Key Usage

      Can the Authority Key Identifier be added and if so how?

      Thanks

      Xavier

      The code I used so far

      # Remember the script folder so the location can be restored afterwards
      $saved_location = $PSScriptRoot
      Set-Location -Path cert:\CurrentUser\My
      $name="XAVIER_TEST"
      # Validity: from 1 January of the current year, for six years
      $thisyear= get-date -format "yyyy"
      $not_before = (new-object System.DateTime $thisyear, 1, 1)
      $not_after = ($not_before).addyears(6)

      # 2.5.29.37 = Enhanced Key Usage, 1.3.6.1.5.5.7.3.3 = Code Signing
      # Suppressed: 2.5.29.14 (Subject Key Identifier), 2.5.29.17 (Subject Alternative Name)
      New-SelfSignedCertificate -CertStoreLocation cert:\currentuser\my `
      -DnsName "$name" `
      -KeyAlgorithm RSA `
      -HashAlgorithm SHA1 `
      -KeyLength 1024 `
      -Provider "Microsoft Software Key Storage Provider" `
      -KeyExportPolicy Exportable `
      -KeyUsage None `
      -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") `
      -NotAfter $not_after -NotBefore $not_before `
      -SuppressOid @("2.5.29.14","2.5.29.17") `
      -Type Custom

      Set-Location -Path $saved_location

       

    • #139282
      Participant
      Topics: 2
      Replies: 1000
      Points: 1,964
      Helping Hand
      Rank: Community Hero

      As to the AKI, I've never come across a reason to use it with self-signed certs, but in a PKI root cert, sure.
      There is nothing native in PS to add this. For a self-signed certificate, the Authority Key Identifier will either be absent or have the same value as the Subject Key Identifier.

      You can do this using OpenSSL tools though, meaning adding the AKI to the cert, or so I've been told – though I've not tried to. Yet, your code does not hint that you are using a CA for this use case.

      You can also use C# via Mono to create the cert and add in the AKI as well.

      Both the MS SSC tools selfcert / makecert leave out the AKI, by design. Yet, since the AKI purpose as per …

      https://www.alvestrand.no/objectid/2.5.29.35.html

      ...is used to identify “the public key to be used to verify the signature on this certificate”. That is: it should basically be the issuer's public key. Authority Key Identifier which provides information to correctly bind CRL issuer certificate among candidates, CRL Number and Issuing Distribution Point extensions. Of course there is no CRL/DP for SSC.

      Even the RFC says...

      RFC3280 states in section 4.2.1.1 (emphasis mine):
      https://tools.ietf.org/html/rfc3280#section-4.2.1.1

      The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction.

      There is one exception; where a CA distributes its public key in the form of a "self-signed" certificate, the authority key identifier MAY be omitted.

      The signature on a self-signed certificate is generated with the private key associated with the certificate's subject public key.

      (This proves that the issuer possesses both the public and private keys.) In this case, the subject and authority key identifiers would be identical, but only the subject key identifier is needed for certification path building.

      Are you saying you created your own local CA, and this is part of this use case?

    • #139285
      Participant
      Topics: 2
      Replies: 1
      Points: 27
      Rank: Member

      What I want in fact is to have the possibility to generate a self certificate the same way as selfcert.exe but without the interactive popup prompting for a name … so I will be able to automate the process … I noticed that when using the cmdlet New-SelfSignedCertificate and comparing the output with the resulting output of selfcert.exe, in the case of New-SelfSignedCertificate the Authority Key Identifier extension seems to be missing … Hence my question

       

       

    • #139359
      Senior Moderator
      Topics: 8
      Replies: 1123
      Points: 3,831
      Helping Hand
      Rank: Community Hero

      Then your hero here will be openssl.exe. That guy supports almost everything. It can take the attributes in a .cfg file and is automatable.

    • #139429
      Participant
      Topics: 2
      Replies: 1000
      Points: 1,964
      Helping Hand
      Rank: Community Hero

      You are going to get prompted with those tools, by design.
      You have to do additional UI automation to deal with that dialog, i.e. SendKeys (which is just kind of hacky, but does have its place, or use other GUI tools, Selenium, UIAutomation, WASP, AutoIT, etc...) while trapping the handle to the dialog prompt.
      Again, as for the AKI add, you cannot do that with any of those tools.


      As kvprasoon and I are saying, you need to use openssl to do that.
      I have the links to all that in my first response.
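
The approach the replies point to (openssl.exe driven by a config file, with no prompt), as an added example that is not part of any post in this thread. It assumes openssl.exe is on PATH; the scratch folder, the file names, and the RSA 2048 / SHA-256 settings are this example's own choices.

```powershell
# Added example, not from the thread. Assumes openssl.exe is on PATH.
$name = "XAVIER_TEST"                           # subject CN from the question
$work = Join-Path $env:TEMP "selfcert_$name"    # hypothetical scratch folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# subjectKeyIdentifier is listed before authorityKeyIdentifier: in a self-signed
# certificate the AKI key id is copied from the certificate's own SKI.
$cfg = @"
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ext

[ dn ]
CN = $name

[ ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
extendedKeyUsage       = codeSigning
"@
Set-Content -Path "$work\cert.cfg" -Value $cfg -Encoding Ascii

try {
    # Key pair and self-signed certificate in one call, no prompts.
    # RSA 2048 / SHA-256 are this example's choices, not the question's values.
    & openssl.exe req -x509 -new -newkey rsa:2048 -sha256 -nodes -days 2190 `
        -config "$work\cert.cfg" -keyout "$work\key.pem" -out "$work\cert.pem"
    if ($LASTEXITCODE -ne 0) { throw "openssl req failed" }

    # Bundle key and certificate into a PFX with a throwaway one-time password.
    $plain = [guid]::NewGuid().ToString("N")
    & openssl.exe pkcs12 -export -inkey "$work\key.pem" -in "$work\cert.pem" `
        -out "$work\cert.pfx" -passout "pass:$plain"
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed" }

    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    $cert = Import-PfxCertificate -FilePath "$work\cert.pfx" `
        -CertStoreLocation Cert:\CurrentUser\My -Password $secure

    # Same check as in the question: list the extension OIDs of the new cert.
    $cert.Extensions | ForEach-Object { $_.Oid } | Format-List Value, FriendlyName
}
finally {
    # key.pem holds the private key unencrypted; do not leave it on disk.
    Remove-Item -Path $work -Recurse -Force
}
```

OpenSSL writes the extension under OID 2.5.29.35, so the listing shows that value rather than the 2.5.29.1 seen in the selfcert.exe output in the question.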
