Learn How To Automate Certificate Creation in PKCS12 on Windows, Linux, Mac from Microsoft PKI
Applications (especially Java applications) that use HTTPS (SSL/TLS) require X.509 certificates to be provided typically in a PKCS#12 (PKCS12, P12) file. This post describes how you can automatically create certificates in PKCS12 from a Microsoft PKI Certificate Authority or GlobalSign Certificate Authorities using the fully automated CertAccord Enterprise solution that not only quickly provisions the initial certificate but also automatically renews and updates the certificate prior to expiration. CertAccord Enterprise supports PKCS12 and other formats on Windows, Linux, and Mac platforms.
Microsoft Windows systems have built-in support for creating X.509 certificates, often referred to as “auto-enrollment”. This feature creates certificates and places them in the Windows certificate store. Unfortunately there is no auto-enrollment support for PKCS#12, so certificates have to be exported manually from the Windows system certificate store into PKCS12. Other platforms such as Linux and MacOS also lack any kind of auto-enrollment support for PKCS12 and other certificate formats. On those platforms you have to manually submit a Certificate Signing Request (CSR) and other data to a Certificate Authority and then manually retrieve the issued certificate, which is typically in some other format such as DER or PEM.
What Is PKCS #12?
PKCS #12 (PKCS12) is a file format for storing X.509 digital certificates, private keys, certificate authority certificates, and other related data, all in a single file. PKCS12 is often used in modern applications, both Java and non-Java, to provide the certificate, private keys, and CA trust required to communicate via SSL/TLS over HTTP (HTTPS).
PKCS12 files typically end with .p12 or .pfx but these are not required by any standard.
A typical PKCS12 file contains:
- X.509 digital certificate identifying the server/service subject. This is typically the hostname of the server the application is run on
- The private key of the certificate required to “unlock” and use it
- The CA trust which issued the certificate. This is typically the certificate of the root CA in the CA trust chain which issued the certificate.
Create Fully Managed PKCS12 With CertAccord Enterprise
Creating a PKCS12 from Microsoft ADCS or GlobalSign using CertAccord Enterprise is fast, easy, and secure. For the purposes of this discussion we will use PKCS12, but the process provided is nearly identical for Java Key Store (JKS).
The creation of the initial PKCS12 is done with a simple single command line. Even better, the resulting PKCS12 file is managed by CertAccord Enterprise and will be updated with a new certificate prior to expiration.
The following process is the same on Windows, Linux, and MacOS. Only the file paths are different.
STEP 1 – Install and Register CertAccord Agent
Follow the CertAccord Enterprise Installation Guide to install and register the Agent on the device you want to create the PKCS12 on. This is typically done by installing the Agent manually or using a distribution system like Chef, Puppet, or ADCS Group Policy.
STEP 2 – Run CertAccord Create Command
Open a bash/powershell/cmd command prompt and run:
cmb cert create usages=serverauthentication certstoragefmt=pkcs12
The command output will look something like this:
PS C:\Users\smith> cmb cert create usages=serverauthentication certstoragefmt=pkcs12
Authenticate using CertAccord/Active Directory
Username: smith
Password:
Created certificate ID: sj537587 SUBJECT: "test00.contoso.com" \
    SERIAL: 60b84a867 USAGES: ServerAuthentication \
    EXPIRES: May 04 2021 10:08:33 PDT
Adding certificate + private key [ID: SQk53jEK [RSA 2048]] to \
    C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.p12
Exported [ADDED] FILE: \
    C:\ProgramData\...\cert\test00.contoso.com-serverauthentication.p12
  ENTRY: [ADDED] PRIVATEKEY "Private Key SQk53jEK" RSA 2048
  ENTRY: [ADDED] "Certificate sj537587" SUBJECT: "test00.contoso.com" \
    USAGES: ServerAuthentication
  ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Issuing CA2" SUBJECT: \
    "CN=Contoso Issuing CA2, DC=contoso, DC=com"
  ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Root CA" SUBJECT: "CN=Contoso Root CA"
Exported PKCS12 Config File [NoChange] FILE: \
    C:\ProgramData\...\test00.contoso.com-serverauthentication.p12.properties
This command creates a certificate, private key, and CA trust and places all of that in this PKCS12 file:
C:\ProgramData\...\test00.contoso.com-serverauthentication.p12
STEP 3 – Configure Application
Configure your Java application to use the PKCS12 file created in the previous step.
Deploy Certificates in PKCS12 At Scale
In addition to creating certificates from the command line, you can also configure CertAccord to automatically push certificates in PKCS12 (or other formats) to any number of end-points using the CertAccord Management Console (CMC). In CMC you can assign Certificate Mandates to Device Groups. Certificate Mandates are a means of requiring an end-point to have a specific certificate configuration. This is similar to the “auto-enrollment” found in Windows-based systems.
This capability allows you to quickly deploy certificates in PKCS12 and other formats to thousands of end-points. Even better, the certificates in the PKCS12 files will be automatically updated prior to expiring.
How to Handle Expiring Certificates in PKCS12
The PKCS12 created by CertAccord Enterprise will automatically be renewed and the PKCS12 file updated with the new certificate and keys, prior to the certificate expiring. The CertAccord Agent uses settings from the central CertAccord Enterprise server to determine when to perform the renewal and who to notify once the renewal is complete.
You can also automatically notify your application to re-read the PKCS12 file once it is renewed by creating a CertAccord Certificate Applier. A Certificate Applier is a customer-supplied executable (typically a script) which is given data on the command line about the certificate that has been created or renewed. The script can then perform application-specific actions such as re-reading the PKCS12 with the renewed certificate.
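The following shell functions are an added example (not CertAccord's own code) of the kind of check a Certificate Applier script could run after a PKCS12 is created or renewed: they confirm the file holds the three parts listed above (private key, leaf certificate, CA trust) and that the leaf certificate is not about to expire. They assume the openssl command-line tool is on PATH; the file path, password and minimum-days threshold are constructed arguments.

```shell
#!/bin/sh
# Added example of a Certificate Applier-style post-renewal check.
# Assumes: openssl CLI on PATH; PKCS12 path and password passed as arguments.

# p12_count FILE PASSWORD PATTERN OPENSSL-FLAGS...
# Count PEM blocks matching PATTERN in the part of the PKCS12 selected by FLAGS.
# A wrong password or unreadable file simply yields 0.
p12_count() {
    file=$1; pass=$2; pattern=$3; shift 3
    openssl pkcs12 -in "$file" -passin "pass:$pass" "$@" 2>/dev/null \
        | grep -c -- "$pattern" || true
}

# p12_check FILE PASSWORD MIN_DAYS
# Return 0 only when FILE contains at least one private key, exactly one
# leaf (end-entity) certificate, at least one CA certificate, and the leaf
# remains valid for at least MIN_DAYS more days. Prints a one-line summary
# so the applier's log shows what was verified.
p12_check() {
    file=$1; pass=$2; min_days=$3

    keys=$(p12_count "$file" "$pass" '-----BEGIN.*PRIVATE KEY-----' -nocerts -nodes)
    leafs=$(p12_count "$file" "$pass" '-----BEGIN CERTIFICATE-----' -nokeys -clcerts)
    cas=$(p12_count "$file" "$pass" '-----BEGIN CERTIFICATE-----' -nokeys -cacerts)
    echo "private keys: $keys  leaf certs: $leafs  CA certs: $cas"

    [ "$keys" -ge 1 ] && [ "$leafs" -eq 1 ] && [ "$cas" -ge 1 ] || return 1

    # x509 -checkend exits non-zero if the certificate expires within N seconds,
    # so this is the renewal-window test without any date parsing.
    openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null
}

# p12_subject FILE PASSWORD
# Print the leaf certificate's subject, e.g. for a notification message.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}
```

Run as `p12_check /path/to/host-serverauthentication.p12 "$P12_PASSWORD" 7 || exit 1` before reloading the application, so a renewed file that is missing its chain or key is caught rather than silently deployed.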
Summary
Creating certificates in PKCS12 from Microsoft ADCS or GlobalSign Certificate Authorities can be done quickly, easily, and securely using CertAccord Enterprise as your PKI certificate management solution. The PKCS12 creation is not only easy, but the resulting file is fully managed and will be renewed prior to expiration.