Koozali.org: home of the SME Server

[SOLVED] problem importing .PFX certificate - only for domain

Offline Jáder

  • *
  • 1,099
  • +0/-0
    • LinuxFacil
« on: November 17, 2017, 05:01:57 PM »
Here in Brazil, we need to import a .PFX certificate with a password for government matters.
I'm able to import this certificate on any machine if it's not in a domain.
If it's on an SME domain (never tested another one!) I cannot import it.
I'm trying to use importpfx and certutil, or even double-clicking the .PFX file.
Nothing works! :(

If I use
certutil -f -p xxx -importpfx "file_CERT.pfx"

I get it imported BUT in "others person", not in the "personal" store.
And this way it does not work as it should.

Does anyone have experience to share about password-protected personal PFX certificates being imported on Samba domain machines?

Regards,

Jáder
Edit: I'm following https://stackoverflow.com/questions/5171117/import-pfx-file-into-particular-certificate-store-from-command-line and it says:
"
Import pfx to Personal on local machine
CERTUTIL -f -p somePassword -importpfx "somePfx.pfx"
"
« Last Edit: November 23, 2017, 11:30:16 PM by Jáder »
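
An added diagnostic example, not part of the original thread and not a confirmed fix for the problem described: it imports the PFX explicitly into the logged-on user's Personal store, prompts for the password instead of passing it with -p on the command line, and reports which store the certificate landed in and whether its private key came with it. It assumes Windows 8 / Server 2012 or later (the PKI module's Import-PfxCertificate) and reuses the placeholder file name from the post.

```powershell
# Added example (not from the thread). Run as the user who needs the certificate.
# 'file_CERT.pfx' is the placeholder file name used in the post.
$pfxPath = 'file_CERT.pfx'

# Prompt for the PFX password so it never appears in a command line,
# a batch file or the shell history.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import explicitly into the current user's Personal store (Cert:\CurrentUser\My).
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pfxPassword

# A personal (client) certificate is only usable if its private key was imported too.
$imported | Format-List Subject, Thumbprint, HasPrivateKey, NotAfter

# Show every store that now holds a certificate with the same thumbprint.
# Internal store names: My = "Personal", AddressBook = "Other People".
$thumbprints = @($imported.Thumbprint)
$stores = 'CurrentUser\My', 'CurrentUser\AddressBook', 'LocalMachine\My'

$report = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\$store" |
        Where-Object { $thumbprints -contains $_.Thumbprint } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, HasPrivateKey
}
$report | Format-Table -AutoSize
```

A certificate that shows up with HasPrivateKey set to False cannot be used for signing or client authentication, whichever store it is in.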

Offline Jáder

Re: problem importing .PFX certificate - only for domain
« Reply #1 on: November 18, 2017, 12:01:42 PM »
Hi

I just found out the problem is related to the logged-in user (a local admin user works; a domain admin or user does not work).

What's different in these situations that affects the .pfx certificate import / save location?

Here are other sites with the same import procedure:
https://www.jasonpearce.com/2012/02/02/import-pfx-certificate-via-group-policy-preferences/
http://wiki.homeg.nl/deploy-ssl-certificates-to-users-personal-store/

I'm thinking the problem may be a registry key we at SME change because of the Samba NT domain, and that this registry key affects only domain logins.

Could this be possible?
« Last Edit: November 18, 2017, 12:11:00 PM by Jáder »

Offline Jean-Philippe Pialasse

  • *
  • 2,762
  • +11/-0
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: problem importing .PFX certificate - only for domain
« Reply #2 on: November 18, 2017, 02:07:09 PM »
Jader,

Good job. It is probable that this is related to a key indeed. If you have time and patience to debug it, you could check the modified keys one by one, reverting them until you are able to get it working. The reg patch is not that big; it should not take hours.

Offline Jáder

Re: problem importing .PFX certificate - only for domain
« Reply #3 on: November 18, 2017, 03:13:23 PM »
Hi Jean-Philippe,

Indeed it would not be a huge amount of work (there are 9 reg keys in the Win10_samba.reg file), but if the problem is a key, why does the key not matter when I log in as a local user?

And if I change one of them back, won't I lose access to the domain or some features?

Jáder

Offline Jean-Philippe Pialasse

Re: problem importing .PFX certificate - only for domain
« Reply #4 on: November 19, 2017, 12:06:58 AM »
I do not see that many lines in the regedit patch (e.g. win10samba.reg).

Another source could be a netlogon script. If you have some there, they are not launched for a local user.

Offline Jáder

Re: problem importing .PFX certificate - only for domain
« Reply #5 on: November 23, 2017, 10:22:31 AM »
Hi Jean-Philippe

I'd appreciate some help.
I have no Windows server to test, and I'm not sure the problem is not in my installs.
I have a book with a password+pfx certificate I can share with you (trusting you...please do not share on the web, it's a paid version!) to try to find out the problem.

I've been reading my e-mails and digital certificates have been a problem for several years.
I'm not sure if it's ME, or SME, or Samba domains or Windows.

I'm scared it is ME or MY installs. :)
So I need a long away opinion :D
Please get in touch via PM or jader.marasca AT gmail so I can send the book+PFX +password.

Regards,

Jáder

Offline Jáder

[SOLVED] Re: problem importing .PFX certificate - only for domain
« Reply #6 on: November 23, 2017, 11:29:52 PM »
I've solved this problem by importing the PFX certificate into Firefox and exporting it using the same key.

The new file will be .p12 and will import OK into the USER store with just a double click.

I'm not sure why/how it works, but I'm glad it does!

Offline Jáder

Re: problem importing .PFX certificate - only for domain
« Reply #7 on: November 23, 2017, 11:33:19 PM »
Quote from Jean-Philippe Pialasse:
"
I do not see that many lines in the regedit patch (e.g. win10samba.reg).

Another source could be a netlogon script. If you have some there, they are not launched for a local user.
"

The problem was fixed another way (importing the PFX certificate into Firefox and exporting it again), but just in case someone reading this needs the batch to reverse the win10samba.reg changes, it's here:
Code:
@echo off
rem Removes the values set by win10samba.reg. Run from an elevated prompt: these are HKLM keys.
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DNSNameResolutionRequired" /f
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters /v "DomainCompatibilityMode" /f
rem A .reg file writes this value name with escaped backslashes ("\\\\*\\netlogon");
rem reg.exe needs the literal name \\*\netlogon. Deleting it removes the override for NETLOGON under HardenedPaths.
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\netlogon" /f
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters /v "UseProfilePathExtensionVersion" /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "SlowLinkDetectEnabled" /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "DeleteRoamingCache" /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "WaitForNetwork" /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System /v "CompatibleRUPSecurity" /f

(I really hate wasted effort)

Offline ReetP

  • *
  • 3,731
  • +5/-0
Re: [SOLVED] problem importing .PFX certificate - only for domain
« Reply #8 on: November 24, 2017, 01:20:06 AM »
Quote from Jáder:
"
win10samba.reg changes, it's here:

Code:
@echo off
....

(I really hate wasted effort)
"

Me too. Good effort. Can you add that to the wiki?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jáder

Re: [SOLVED] problem importing .PFX certificate - only for domain
« Reply #9 on: March 06, 2018, 10:37:43 AM »
Quote from ReetP:
"
Me too. Good effort. Can you add that to the wiki?
"
Done!
I've put it at the end of https://wiki.contribs.org/Windows_10_Support