How to import an OpenSSL key file into the Windows Certificate Store

Gearoid Murphy · Mar 28, 2013 · Viewed 58.9k times

I've got an OpenSSL generated X.509 certificate in PEM format and its associated key file. This certificate is required for authentication when connecting to a prototype server. This works fine on Linux. I've been using the Microsoft SChannel API to drive SSL/TLS connections on Windows platforms but I want to use the same test certificate. I can right-click on the certificate file and import it into my certificate store but I believe that the private key is not imported with it (even though I've concatenated them into the same file).

When I go to run the SChannel code, I get a 'SEC_E_NO_CREDENTIALS' error when I init the security context (via InitializeSecurityContext). I suspect this means that the private key is missing.

Does anyone know how to test the presence or absence of a private key in a certificate which is located in the Personal (or 'My') certificate store, accessed via 'certmgr.msc'? Is it possible to import a new key file for a certificate in the store?

Any insight or advice would be much appreciated.

Answer

doptimusprime · Mar 28, 2013

To test if a private key is installed for the certificate, double-click the certificate icon in certmgr.msc. If it has a private key, it will show a message in the property page that you have a private key; otherwise it will not give any reference to the private key.

Certificate with a private key


To import the certificate with its private key, you can do the following:

  1. Pack the certificate and its private key into a PKCS #12 file or PFX file using openssl pkcs12. Here's an example.
  2. Import this PKCS #12 or PFX file into the certificate store.

Note that you may see errors when importing the pfx file, such as 'This file is invalid for use as the following: Personal Information Exchange'. This error was caused by the certificate lacking the appropriate X.509 v3 extensions (such as the usage fields (digital signature, etc.)).
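
The two steps above, followed by a scripted version of the private-key check, as an added example that is not part of the original answer. The file names are placeholders, `openssl.exe` is assumed to be on `PATH`, and the target is the current user's Personal ('My') store.

```powershell
# Added example, not from the original answer. File names are placeholders.
$certPem = '.\client-cert.pem'   # PEM certificate (assumed name)
$keyPem  = '.\client-key.pem'    # PEM private key (assumed name)
$pfxPath = '.\client.pfx'        # PKCS #12 output (assumed name)

# Step 1: bundle the certificate and key into a PKCS #12 file.
# openssl prompts for the export password, so it never appears on the
# command line or in shell history.
& openssl pkcs12 -export -in $certPem -inkey $keyPem -out $pfxPath
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

# Step 2: import into the Personal store. Without -Exportable the private key
# is stored as non-exportable, which is the safer default for a client cert.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# Check: read the certificate back from the store and report whether a private
# key is attached and which usage extensions it carries.
$stored = Get-Item -Path "Cert:\CurrentUser\My\$($imported.Thumbprint)"
$ku  = $stored.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$eku = $stored.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

[pscustomobject]@{
    Subject          = $stored.Subject
    Thumbprint       = $stored.Thumbprint
    HasPrivateKey    = $stored.HasPrivateKey          # False: key was not imported
    KeyUsage         = $ku.KeyUsages                  # empty: no keyUsage extension
    EnhancedKeyUsage = $eku.EnhancedKeyUsages.FriendlyName -join ', '
}

# The PFX holds the private key; remove it once the import has succeeded.
Remove-Item -Path $pfxPath
```

An empty `KeyUsage` or `EnhancedKeyUsage` column means the certificate carries no such extension, which is the condition the note above associates with the import error.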