Create PKCS12/PFX Archive from Certificate and Private Key

    I have been doing some work with security certificates lately and had the chance to document the creation of PKCS12/PFX archives using command line tools, for the case where the CSR/private key is not sitting in a key store.

    Site security certificate

    Most are familiar with the following workflow for obtaining a security certificate…

    • Generate a Certificate Signing Request (CSR)
      • This also generates the private key (sometimes outside the scope of the interface)
    • Submit the CSR to a Certificate Authority (CA) for certificate generation
      • Internal Windows CA - certsrv
      • Public CA, e.g. GoDaddy
    • Retrieve the certificate bundle from the CA
    • Import it into the key store that was used to create the CSR
      • The private key lives here (sometimes with no interface to manage it; Windows, for example)
    • Export a PFX archive that includes the certificate, the private key and the CA certificate(s), protected with a password
      • Include the private key in the export

    Voila! PFX Archive!

    But… if you have the private key somewhere on a file system and not in a key store (Windows or Java), the workflow changes.

    Note: Remember to protect any export that contains a private key with a strong password.

    To bundle those together into a PKCS12/PFX archive you can use the OpenSSL command line tool (there are others). It is available on all major Linux distributions and can be installed on other operating systems.
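
    The following is an added example and not code from the original post: it takes a private key that lives on disk, its certificate and the CA certificate, bundles them into a password-protected PKCS#12/PFX archive with the openssl CLI, and then verifies the archive. The throwaway CA, the file names and the subject names are assumptions made so the script runs offline; with a real certificate you would point it at the key you generated with the CSR and at the files the CA sent back.

```sh
#!/bin/sh
# Added example, not code from the original post: bundle a private key that
# lives on disk with its certificate and CA chain into a password-protected
# PKCS#12/PFX archive using the openssl CLI, then verify the archive.
# All file names and subject names below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed inputs so the example runs offline: a throwaway CA plus a leaf
# key and CSR signed by it. In real life site.key is the key you generated
# with the CSR, and site.crt / ca.crt are what the CA sent back.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/site.crt" 2>/dev/null
}

# create_pfx KEY CERT CA_BUNDLE OUT PASSWORD
# The password is handed to openssl through the environment (-passout env:),
# so it never appears on the command line, in ps output or in shell history.
create_pfx() {
    PFXPASS="$5" openssl pkcs12 -export \
        -inkey "$1" -in "$2" -certfile "$3" \
        -name "www.example.test" \
        -passout env:PFXPASS \
        -out "$4"
}

# verify_pfx PFX PASSWORD
# Succeeds only if the archive opens with the password, carries exactly one
# private key plus the leaf and CA certificates, and the key matches the
# public key in the leaf certificate.
verify_pfx() {
    PFXPASS="$2" openssl pkcs12 -in "$1" -nodes -passin env:PFXPASS \
        -out "$WORK/dump.pem" 2>/dev/null || return 1
    keys=$(grep -c 'BEGIN.*PRIVATE KEY' "$WORK/dump.pem" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$WORK/dump.pem" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -eq 2 ] || return 1
    # The public key derived from the private key must equal the one in the
    # leaf certificate; a key/cert mix-up is the most common PFX mistake.
    PFXPASS="$2" openssl pkcs12 -in "$1" -nodes -nocerts -passin env:PFXPASS 2>/dev/null \
        | openssl pkey -pubout > "$WORK/from_key.pub"
    PFXPASS="$2" openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFXPASS 2>/dev/null \
        | openssl x509 -noout -pubkey > "$WORK/from_cert.pub"
    cmp -s "$WORK/from_key.pub" "$WORK/from_cert.pub"
}

# Stand-alone demo of the workflow. The password is a literal here only for
# the demo; in practice read it from a secret store or prompt for it.
make_test_material
create_pfx "$WORK/site.key" "$WORK/site.crt" "$WORK/ca.crt" "$WORK/site.pfx" 'correct horse battery staple'
if verify_pfx "$WORK/site.pfx" 'correct horse battery staple'; then
    echo "PFX written and verified: $WORK/site.pfx"
else
    echo "PFX verification failed" >&2
    exit 1
fi
```

    Two caveats worth knowing before handing the file to someone else. OpenSSL 3 encrypts the archive with AES-256-CBC and a SHA-256 MAC by default; some older Windows and Java consumers only understand the legacy RC2/3DES encoding, which you get by adding -legacy to the export command. And openssl pkcs12 -info -in site.pfx -noout prints the algorithms actually used, which is a quick way to see what you are about to ship. The demo leaves its keys in the temporary directory; delete it when you are done.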

    Nov 22, 2020 - Filed in: X.509 PKCS12 PKI PEM
    Reading Time: 2 minute(s)

    YubiKeys and SSH Keys

    All YubiKeys since X have come with PIV slots, several of them, each intended for a different purpose. Slot 9a, for example, is used for SSH keys, while slot 9e is used for X.

    Install YubiKey Manager using your favourite package manager, here we use brew.

    Aug 9, 2020 - Filed in: 2FA SSH macOS Linux
    Reading Time: 1 minute(s)

    Localization with SwiftUI

    I have been doing a bit of localization lately on an Xcode project and was looking for a way to reduce human errors such as typos.

    The best method I found was to create a separate, simple Translation.swift file to store all the i18n code. There I extend the LocalizedStringKey struct with my own project-specific localized strings, so they are easy to reach from the Xcode autocomplete menu.

    Jul 6, 2020 - Filed in: SwiftUI iOS macOS
    Reading Time: 1 minute(s)

    How-to Investigate Active Directory Logon Mischief

    The Windows domain account lockout feature can be a helpful defence against malicious attempts to guess a password by brute force.

    The version of netlogon.dll that includes tracing is installed by default on all currently supported versions of Windows. To enable debug logging, set the debug flag you want using nltest.exe (for example nltest /dbflag:0x2080ffff, which writes to %windir%\debug\netlogon.log), the registry, or Group Policy.

    Group Policy

    You will have to check a few policy settings to get the DCs to audit logon events. These are usually set correctly, but it is worth checking the environment to make sure the DCs actually receive the proper audit settings.

    The relevant settings are Audit account logon events (domain accounts, validated on the DC) and Audit logon events (logons to the computer itself); both need success and failure auditing, or the failed attempts you are hunting for will never be written.

    Events

    The Event IDs we are most concerned with live under Windows Logs > Security in Event Viewer:

    • 4624 - An account was successfully logged on (check the Logon Type and the Source Network Address)
    • 4776 - The computer attempted to validate the credentials for an account (NTLM validation on the DC; failures carry an NTSTATUS code such as 0xC000006A for a bad password or 0xC0000234 for a locked-out account)
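
    The following is an added example, not part of the original post: a small triage script that runs over a CSV export of Security-log events and reports accounts with a burst of 4776 failures, whether a successful logon followed them, and sources that failed against several accounts (a spray pattern). The CSV layout (time,event_id,account,source,detail) is an assumption, with "detail" holding the NTLM error code for 4776 and the logon type for 4624; the sample lines are constructed, not real log data. On the DC itself the same grouping can be done with Get-WinEvent and Group-Object, but exported CSVs are what usually reach an analyst.

```sh
#!/bin/sh
# Added example, not from the original post: triage a CSV export of
# Security-log events for brute-force, lockout and spray patterns. The column
# layout (time,event_id,account,source,detail) is an assumption: "detail"
# holds the NTLM error code for 4776 and the logon type for 4624.
set -eu

# Constructed sample export (not real log data): a burst of bad passwords for
# jdoe from WS42 that ends in a lockout and then a successful logon, a
# non-existent user tried from the same workstation, and ordinary noise.
SAMPLE_CSV=$(cat <<'EOF'
time,event_id,account,source,detail
2020-06-01T08:00:01,4776,asmith,WS07,0x0
2020-06-01T08:00:05,4776,jdoe,WS42,0xC000006A
2020-06-01T08:00:06,4776,jdoe,WS42,0xC000006A
2020-06-01T08:00:07,4776,jdoe,WS42,0xC000006A
2020-06-01T08:00:08,4776,jdoe,WS42,0xC000006A
2020-06-01T08:00:09,4776,jdoe,WS42,0xC000006A
2020-06-01T08:00:10,4776,jdoe,WS42,0xC0000234
2020-06-01T08:01:30,4776,jdoe,WS42,0x0
2020-06-01T08:01:31,4624,jdoe,10.0.0.42,3
2020-06-01T08:02:00,4776,bjones,WS11,0xC000006A
2020-06-01T08:02:30,4624,bjones,10.0.0.11,2
2020-06-01T08:03:00,4776,ghost,WS42,0xC0000064
EOF
)

# summarize_logons FAIL_THRESHOLD SPRAY_THRESHOLD  < events.csv
# Prints one line per account whose 4776 failures reach FAIL_THRESHOLD, with
# the distinct source workstations, the distinct NTSTATUS codes and a verdict:
#   SUCCESS_AFTER_FAILURES  a 4624 (or 4776 with 0x0) followed the last failure
#   LOCKED_OUT              0xC0000234 was seen and no success followed
#   FAILURES_ONLY           neither
# plus one SPRAY line per source that failed against SPRAY_THRESHOLD accounts.
summarize_logons() {
    awk -F, -v thr="${1:-5}" -v sthr="${2:-10}" '
    NR == 1 { next }                                   # skip the header
    $2 == 4776 && $5 != "0x0" {
        fail[$3]++
        if (!(($3, $4) in seen_src)) {
            seen_src[$3, $4] = 1
            src[$3] = (src[$3] == "" ? $4 : src[$3] ";" $4)
        }
        if (!(($3, $5) in seen_code)) {
            seen_code[$3, $5] = 1
            codes[$3] = (codes[$3] == "" ? $5 : codes[$3] ";" $5)
        }
        if (!(($4, $3) in seen_acct)) {                # per-source account count
            seen_acct[$4, $3] = 1
            nacct[$4]++
            accts[$4] = (accts[$4] == "" ? $3 : accts[$4] ";" $3)
        }
        lastfail[$3] = $1                              # ISO-8601 sorts lexically
        if ($5 == "0xC0000234") locked[$3] = 1
        next
    }
    ($2 == 4624 || ($2 == 4776 && $5 == "0x0")) && ($3 in lastfail) && $1 > lastfail[$3] {
        success_after[$3] = $1
    }
    END {
        for (a in fail) {
            if (fail[a] < thr) continue
            v = (a in success_after) ? "SUCCESS_AFTER_FAILURES" : ((a in locked) ? "LOCKED_OUT" : "FAILURES_ONLY")
            printf "%s failures=%d sources=%s codes=%s verdict=%s\n", a, fail[a], src[a], codes[a], v
        }
        for (s in nacct) {
            if (nacct[s] < sthr) continue
            printf "SPRAY source=%s accounts=%d (%s)\n", s, nacct[s], accts[s]
        }
    }' | sort
}

# Stand-alone run over the constructed sample (spray threshold lowered to 2
# so the pattern shows on a dozen lines).
printf '%s\n' "$SAMPLE_CSV" | summarize_logons 5 2
```

    A SUCCESS_AFTER_FAILURES verdict is the line to chase first: a run of 0xC000006A ending in a lockout and then a clean logon for the same account means either the user finally remembered the password or someone else did. The source workstation names on the 4776 events are what let you walk back to the machine, which is why the script keeps them distinct per account.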
    Jun 2, 2020 - Filed in: Microsoft Active Directory Windows Server
    Reading Time: 2 minute(s)