How can we help?

Import PFX/PKCS#12

Anthony - Versasec Support
Anthony - Versasec Support
  • Updated

Introduction

It may be required to install PFX/PKCS#12 (PFX) certificate file(s) when issuing a credential. This type of operation can be performed using vSEC:CMS. Follow the instructions in this article to see how this can be done.

Important
It will be required that at minimum you have already successfully completed the configuration steps described in the article Setup Evaluation Version of vSEC:CMS. The instructions in this document are applicable regardless of whether you are running the evaluation version or a production version.

Configure Template and Issue Credential

In this article we will use an example where it is required to import a PFX while issuing a credential to a user residing in AD. In this example we will also issue a Windows logon certificate from a Microsoft PKI.

Create PKCS#12 CA Connection

From Options - Connections - Certificate Authorities click the Add button. Enter a template name and select PKCS12 (PKCS12 support) from the drop-down list. Click the first Get button and select the generic PFX/PKCS#12 file so the CA issuer DN can be ascertained and saved. Click the second Get button and browse to the location where the generic PFK/PKCS#12 file is located. Enter the password for the PFX/PKCS#12 files (this will be under the presumption that the same password will be used for all PFX files that would be used) and click Save to save and close.

Once the connection template above is made it is important to make a note of the template ID. From the connection template landing dialog make a note of the certlist as highlighted in the example below as this will be required later.

The next step is to create the certificate list which vSEC:CMS will use to retrieve the PFX/PKCS#12 when issuing the credentials. Go to C:\Program Files\Versasec\vSEC_CMS S-Series\cms_db\certificates (presuming that you installed vSEC:CMS to default location). Create a file named 000f000d.certlist where 000f000d is the ID captured earlier in this article. The content of this file should be as below:

<?xml version="1.0" encoding="UTF-8"?>
<files>
<e file="pkcs12_example1.db"/>
</pkcs12>
<certificates/>
</files>


The file pkcs12_example1.db should be created here C:\Program Files\Versasec\vSEC_CMS S-Series\cms_db\certificates (presuming that you installed vSEC:CMS to default location). The content for this file should be similar to below (below sample file will have PFX for 2 different AD credentials:

<?xml version="1.0" encoding="UTF-8"?>
<data>
<e id="CN=Joe Bloggs,OU=US,DC=my-lab,DC=com">
<v name="Manually imported" file="c:\my-certs\joe.pfx"/>
</e>
<e id="CN=Mary Rose,OU=US,DC=my-lab,DC=com">
<v name="Manually imported" file="c:\my-certs\mary.pfx"/>
</e>
</data>


Where id="CN=Joe Bloggs,OU=US,DC=my-lab,DC=com" is the DN of the user that the credential will be issued to from AD, and name="Manually imported" is a generic placeholder for the template (note: this should not be changed) and file="c:\my-certs\joe.pfx" is the location of the PFX file on the vSEC:CMS server.

Create Credential Template

From Template - Card Templates click the Add button. In General [Edit] enter a template name and select Minidriver (Generic minidriver card) for the Card type and leave all other settings as default and click Ok to save and close.

In Issue Card [Edit] enable Assign user ID and select the AD that you will select the user from when issuing the credential.

In the Enroll Certificate Options section click on the Enroll certificate(s) checkbox and click the Add button. From the available CAs select the appropriate one for the generic import. For this example you should see something similar to below.

Click Ok to save and close.

Additionally we want to issue a Windows logon certificate. Click the Add button again and add a Windows logon certificate similar to below from your Microsoft PKI.

Click the P12 Settings button and make sure all settings are set like below.

Click Ok to save and close.

Click Ok to save the template and close the configuration.

Now you can go to the Lifecycle page and issue a credential as normal. You should see that 2 certificates are on the credential at the end of the issuance, 1 PFX/PKCS#12 and 2 a Windows logon certificate.