Export and Convert Private Keys to .PEM Format in Windows

Microsoft Management Console (MMC) does not natively export private keys in .PEM format. Instead, it exports private keys in PFX (PKCS#12) format, which includes both the certificate and the private key in an encrypted container. If you need the private key in PEM format, you must first export the certificate as PFX from MMC and then convert it using OpenSSL. In this article, we show you how to export and convert private keys to .PEM format in Windows.
SSL is essential for Windows Admin Center (WAC) to ensure secure, encrypted communication, especially since the latest WAC Modern Gateway (WACmg) self-signed certificate expires after 60 days. This requires a trusted SSL certificate for long-term stability and uninterrupted access.
Note: PFX (.pfx) and PKCS#12 (.p12) formats are the same. Both are used to store a private key along with its corresponding certificate (and, optionally, the entire certificate chain) in a single encrypted file. The .pfx extension is used in Windows environments, while .p12 is more common in Unix-based systems. They are interchangeable, and a .pfx file can be renamed to .p12 without affecting functionality.
Error Code returned from the cryptographic module is 0x8009030D
A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001. The SSPI client process is WindowsAdminCenter (PID: 368), as shown in the image below.

The error “A fatal error occurred when attempting to access the TLS server credential private key” (Error Code 0x8009030D, Internal State 10001) indicates that the Windows Admin Center (WAC) is unable to access the private key of the SSL certificate. This occurs due to insufficient permissions on the private key or because the certificate is missing an associated private key.
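The two causes named above can be told apart from PowerShell. The following is an added example, not part of the original article: it checks whether the certificate in the Local Computer Personal store has a private key and, if so, lists the ACL on the key file. The thumbprint is a placeholder, and the script assumes an RSA key and an elevated session.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
# $Thumbprint is a placeholder: replace it with the thumbprint of the certificate bound to WAC.
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# Cause 1: the certificate was imported without its private key.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no associated private key; re-import it from a PFX that contains the key.'
    return
}

# Cause 2: the key exists but the service account cannot read it.
# Resolve the on-disk key file so its ACL can be inspected.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Private key is not RSA or could not be opened by this account.' }

$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName                               # CNG key storage provider
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CryptoAPI provider
}

# Machine keys are stored in one of these two directories, depending on the provider.
$keyDirs = "$env:ProgramData\Microsoft\Crypto\Keys",
           "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
$keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -File -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container $keyName not found under $($keyDirs -join ', ')" }

# List who can read the key file. The account that runs Windows Admin Center
# needs Read access here; if it is absent, that is the permissions cause.
(Get-Acl -Path $keyFile.FullName).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```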
Fix Error Code 0x8009030D, Internal State 10001
Windows, including Windows Admin Center (WAC), primarily expects PFX (.p12) format for certificates. Importing a certificate in PEM format will result in issues, including the TLS private key access error (0x8009030D, state 10001).
An easier approach is to import the PEM file into the certificate store and export it as PFX.
Note: If your PEM file contains only the certificate, the private key must be imported separately. Lastly, export the Certificate as PFX.
To avoid the workaround below, contact your certificate vendor for a certificate with the private key. Import the cert and do the binding with WAC. You can also take a look at this solution.
Workaround: Export the Certificate with Private Key
If you need the private key in PEM format, first export the certificate as PFX from MMC and then convert it using OpenSSL or the HARICA web tool. Here is an article on how to export a certificate in PFX format in Windows. You could also do this via the command line as shown below.
openssl pkcs12 -in cert.pfx -nocerts -nodes -out privatekey.pem
To do this in MMC, launch MMC and navigate to File. Next, click on Add/Remove Snap-in. Select Certificates and click on Add. Next, select Computer account and then Local Computer, and click on Finish. Click OK to add the snap-in.

Expand Personal and then Certificates. Find your certificate, right-click it and select All Tasks and Export.

From the Certificate Export Wizard, click on Next.

Select “Yes, export the private key”, and click Next to proceed.

Next, select the .PFX (PKCS #12) format.
– Include all certificates in the certification path.
– Set a password for security.
– Enable Certificate Privacy and click Next.

Enable Password and confirm password and click Next.

Browse to the path where you wish to save the file and click Next.

Click on Finish to complete the export.

As you can see below, the certificate and the private key have been successfully exported.

Install OpenSSL
Note: Now that we have the .PFX file, we need to convert it to .PEM format to bundle the private key, public key, and certificate chain together. This step requires installing OpenSSL on Windows. Here is a guide on how to Install OpenSSL on Windows Computers.
First, you will have to download the latest version of OpenSSL from here and install it.

I am okay with the default installation path. Click Next to proceed.

Click on Next to continue with the installation

Select Windows System Directory and click Next

If you are interested in donating, which I will strongly advise you to do, select any of the options and click Finish.

Create Environment Variable
We will have to create an environment variable. This ensures that you can run OpenSSL commands from any terminal or command prompt without needing to specify or navigate to the full installation path.
To do this, launch the system properties, click on Advanced and then Environment Variables. Under System Variables, find Path and click Edit. As shown below, add the following path C:\Program Files\OpenSSL\bin

Click OK and restart the terminal or system for changes to take effect. After setting the environment variable, you can simply run “openssl version” from any part of the command prompt to determine the openssl version.

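By the way, you can also do this from an elevated PowerShell session by running the command below. It reads the existing machine-level Path rather than $env:Path, so that entries from the current user's Path are not copied into the system Path.
[System.Environment]::SetEnvironmentVariable("Path", [System.Environment]::GetEnvironmentVariable("Path", [System.EnvironmentVariableTarget]::Machine) + ";C:\Program Files\OpenSSL\bin", [System.EnvironmentVariableTarget]::Machine)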
Convert PFX to PEM (Extract Private Key)
The goal of this section is to repackage the certificate components (private key, certificate, and chain) into a new PFX (.p12) file, renamed to .pfx, that is properly formatted for Windows systems to consume. To do this, we first use OpenSSL to extract the private key.
openssl pkcs12 -in exported-cert.pfx -nocerts -nodes -out private-key.pem

Extract the certificate (certificate.pem)
openssl pkcs12 -in exported-cert.pfx -clcerts -nokeys -out certificate.pem
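The -nodes option in the first command writes the private key to private-key.pem without encryption, so the file should be locked down, and the key should be confirmed to belong to certificate.pem before the pair is repackaged. The following is an added example, not part of the original article; it assumes openssl.exe is on the Path and that both files are in the current directory. The function name is hypothetical.

```powershell
# Added example (not from the original article).
# Assumes openssl.exe is on the Path; file names match the two commands above.
$keyPath  = 'private-key.pem'
$certPath = 'certificate.pem'

# 1. Restrict the unencrypted key file: drop inherited permissions and grant access
#    only to the current user, Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18).
#    Well-known SIDs are used so this also works on non-English Windows.
icacls $keyPath /inheritance:r /grant:r `
    "${env:USERDOMAIN}\${env:USERNAME}:(R,W)" '*S-1-5-32-544:(F)' '*S-1-5-18:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls could not restrict $keyPath" }

# 2. Confirm that the private key and the certificate carry the same public key.
function Test-KeyMatchesCertificate {   # hypothetical helper name
    param([string]$KeyFile, [string]$CertFile)

    # Public key derived from the private key (PEM, SubjectPublicKeyInfo).
    $fromKey = (& openssl pkey -in $KeyFile -pubout) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $KeyFile" }

    # Public key embedded in the certificate, in the same PEM form.
    $fromCert = (& openssl x509 -in $CertFile -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read $CertFile" }

    return ($fromKey -ceq $fromCert)
}

if (Test-KeyMatchesCertificate -KeyFile $keyPath -CertFile $certPath) {
    Write-Host 'Private key matches the certificate; safe to repackage as PFX.'
} else {
    throw 'Private key does NOT match the certificate; do not build a PFX from this pair.'
}
```

Delete private-key.pem once the final PFX has been imported into the certificate store.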

Convert to p12 Format on HARICA
With the HARICA tool, you can convert .pem files to .p12. The result is subsequently renamed to .pfx and imported into the certificate store. You will need the certificate, the private key (exported and converted) and the Issuing Authority.

Now, you can use the HARICA tool to convert to .p12 format and rename the file to .pfx for Windows to consume.

Shortly, the p12 certificate format will be downloaded and then renamed to .pfx.
Alternative Step: Via the OpenSSL Tool: Convert PEM to PFX (.p12) Directly
You could use OpenSSL on the fly to convert from PEM to PFX (.p12) directly if you have:
- Certificate file: certificate.pem
- Private key file: private-key.pem
- (Optional) CA Bundle: ca-bundle.pem
Run this OpenSSL command:
openssl pkcs12 -export -out final-cert.pfx -inkey private-key.pem -in certificate.pem -certfile ca-bundle.pem
- -export: Converts everything into PFX format
- -out final-cert.pfx: The output file (PFX)
- -inkey private-key.pem: Uses the private key
- -in certificate.pem: Uses the public certificate
- -certfile ca-bundle.pem: (Optional) Includes the CA chain, if required.
When prompted to set a password for the PFX file, please use something secure.
Import Certificate into Certificate Store
Once you have converted the certificate to the desired format as discussed above (.pfx, renamed from .p12, in my case), the next step is to import the certificate into the certificate store. Follow the same steps to launch MMC and this time, instead of “Export”, select “Import” as shown below.

Click Next on the certificate import wizard

Browse to the certificate.

Enter the password and ensure the below fields are selected and click next.

Select the option “Place all certificates in the following Store” and click Next

Click on Finish to complete the certificate import.

As you can see below, we have successfully imported the certificate to the certificate store.

I hope you found this article useful on how to Export and Convert Private Keys to .PEM Format in Windows. Please feel free to leave a comment below.