Creating the Personal Information Exchange (PFX) Certificate

2/9/2009

The Personal Information Exchange (PFX) certificate is required to digitally sign the System Center Mobile Device Manager software package before distribution. This section shows you how to create the .pfx and .cer files and use them to sign the .cab file, as described in the section Signing the .Cab File.

To create the PFX and CER certificates, follow these steps:

  1. Create a Code Signing Template by using the Certification Authority console.
  2. Install the Code Signing Certificate from the Certification Authority Web site (for example, https://yourCA/certsrv).
  3. Export the .pfx and .cer files.
  4. Install the .cer file in the Trusted Publishers store.

To create a code signing template

  1. From Administrative Tools, open the Certification Authority console.

  2. If you have not yet selected the code signing template for issue, click Certificate Templates.

  3. On the Certificate Templates page, right-click the Code Signing template and then select Duplicate Template.

  4. The General tab appears. Type a name for the certificate template. On the Request Handling tab, select Allow private key to be exported.

  5. On the Security tab, select the Enroll option in the Allow column for the administrator who is installing the template.

  6. Choose Apply, and then choose OK. Close the Certificate Templates dialog box.

  7. On the Certification Authority page, in the navigation pane, right-click Certificate Templates, select New, and then select Certificate Template to issue.

  8. Select the newly duplicated template, and then choose OK.

To install the code signing certificate from the Certification Authority Web site

  1. From any domain-joined server, open Internet Explorer. In the Address bar, type https://yourCA/certsrv where yourCA is the name or IP address of the certification authority.

  2. Select Request a Certificate, and then select Advanced Certificate Request.

  3. Select Create and Submit a Request to this CA.

  4. On the Advanced Certificate Request page, in the Certificate Template section, select the name of the duplicated code signing template that you created in the previous procedure.

  5. Select the Mark keys as exportable check box.

  6. Select Store certificate in the local computer certificate store.

  7. Choose Submit.

  8. If the Potential Scripting Violation page appears, choose Yes.

  9. On the Certificate Issued page, select Install this certificate. If the Potential Scripting Violation page appears, choose Yes.

The Certificate Installed page appears. Confirm the installation and then close Internet Explorer.

To export the .pfx and .cer files

  1. On the server where you installed the code signing certificate, choose Start, choose Run, and then in the Open box, type MMC. Choose OK.

  2. On the Console page, on the File menu, select Add/Remove Snap-in.

  3. On the Add/Remove Snap-in dialog box, choose Add. The Add Standalone Snap-in page appears. Select Certificates and then choose Add.

  4. On the Certificates snap-in page, select Computer account, and then choose Finish. On the Add Standalone Snap-in page, choose Close, and then on the Add/Remove Snap-in page, choose OK.

  5. On the Console page, in the navigation pane, expand Certificates – Local Computer, and then expand Personal.

  6. In the navigation pane, select Certificates.

  7. In the details pane, locate the certificate that was issued from the Code Signing template. It lists your certification authority as the issuer. Right-click this certificate, select All Tasks, and then choose Export.

  8. The Welcome to the Certificate Wizard dialog box appears. Choose Next to continue.

  9. On the Export Private Key page, select Yes, export the private key. Choose Next.

  10. On the Export File Format page, make sure that you select Personal Information Exchange – PKCS #12 (.PFX). Make sure that you select the Enable strong protection check box. Choose Next.

  11. On the Password page, supply a password, and then choose Next.

  12. On the File to Export page, type the path and file name of the .pfx file. For example, C:\signcert.pfx. Choose Next.

  13. Choose Finish. On the Certificate Export Wizard page, choose OK to confirm that the export was successful.

  14. Repeat steps 7 and 8.

  15. On the Export Private Key page, select No, do not export the private key, and then choose Next.

  16. On the Export File Format page, make sure that you select DER encoded binary X.509 (.CER), and then choose Next.

  17. On the File to Export page, type the path and file name of the .cer file. For example, C:\signcert.cer. Choose Next.

  18. Choose Finish. On the Certificate Export Wizard page, choose OK to confirm that the export was successful.
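The same export can be done from a script, which is useful when the certificate has to be exported repeatedly or on a server without a desktop session. The following Windows PowerShell script is an added example and is not part of the original article or of the MDM product; it assumes the certificate was enrolled into the Local Computer Personal store with exportable keys as in the previous procedure, that it runs elevated on that server with the full .NET Framework (Windows PowerShell 5.1), and that the output paths are placeholders. It locates the certificate by its Code Signing enhanced key usage, refuses to continue if the private key is not exportable (the symptom of a template without Allow private key to be exported), and writes a password-protected PKCS #12 file plus a DER .cer file, then reloads the .pfx to confirm the private key is inside it.

```powershell
# Added example (not from the original article): script equivalent of the
# Certificate Export Wizard steps above. Placeholders: $PfxPath, $CerPath.
$PfxPath        = 'C:\signcert.pfx'
$CerPath        = 'C:\signcert.cer'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

# Returns $true when the certificate carries the Code Signing enhanced key usage.
function Test-CodeSigningEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $CodeSigningEku) { return $true }
            }
        }
    }
    return $false
}

# Prompt for the PFX password so it is never stored in the script or shell history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Open Certificates (Local Computer) > Personal, the store used in the procedure above.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
# Take the first certificate that has a private key and the Code Signing EKU.
$cert = $store.Certificates |
    Where-Object { $_.HasPrivateKey -and (Test-CodeSigningEku $_) } |
    Select-Object -First 1
$store.Close()

if (-not $cert) { throw 'No code-signing certificate with a private key was found in LocalMachine\My.' }

# CSP keys expose an Exportable flag; if the template did not allow export, stop here
# with a clear message instead of a generic export failure.
$keyInfo = $cert.PrivateKey.CspKeyContainerInfo
if ($keyInfo -and -not $keyInfo.Exportable) {
    throw "The private key for $($cert.Subject) is not exportable; re-enroll from a template that allows export."
}

# PKCS #12 (.pfx) with certificate + private key, protected by the password.
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)
[System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)

# DER-encoded X.509 (.cer) with the public certificate only, for the Trusted Publishers store.
$cerBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($CerPath, $cerBytes)

# Reload the .pfx to confirm the private key really was written into it.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
if (-not $check.HasPrivateKey) { throw "$PfxPath does not contain the private key." }

Write-Host "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $PfxPath and $CerPath"
```

The .pfx now holds the signing key and should be kept only on the computer that signs packages; the .cer is the file to distribute to the Trusted Publishers store in the next procedure.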

To install the .cer file in the Trusted Publishers store

  1. On the computer that is running MDM Device Management Server, open MMC with the Certificates snap-in added.

  2. Expand Trusted Root Certification Authorities, right-click Certificates, select All Tasks, and then select Import.

  3. On the Welcome to the Certificate Import Wizard page, choose Next.

  4. On the File to Import page, choose Browse and locate the .cer file that you exported in the previous steps, and then choose Next.

  5. On the Certificate Store page, select Place all certificates in the following store, and then choose Browse.

  6. In the Select Certificate Store dialog box, select Trusted Publishers, and then choose OK.

  7. On the Certificate Store page, choose Next.

  8. Choose Finish. On the Certificate Import Wizard page, choose OK to confirm that the import was successful.

  9. Repeat steps 2 through 8 on the publishing computer. Skip this step if you are not planning to run the MDM Software Distribution Console remotely (on a separate computer from MDM Device Management Server).
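Where the import has to be repeated on the publishing computer as in step 9, a script avoids clicking through the wizard twice and also checks the result. The following Windows PowerShell script is an added example, not code from the original article or the MDM product; it assumes it runs elevated on MDM Device Management Server (and again on the publishing computer), with the full .NET Framework, and that the path is a placeholder for the .cer file exported earlier. It refuses a file that contains a private key, adds the certificate to the Local Computer Trusted Publishers store, confirms it is there by thumbprint, and then builds the chain for the Code Signing application policy, which fails if the certificate lacks that EKU or if the issuing CA is not in Trusted Root Certification Authorities.

```powershell
# Added example (not from the original article): script equivalent of the
# Certificate Import Wizard steps above, plus verification. Placeholder: $CerPath.
$CerPath        = 'C:\signcert.cer'
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)

# Only the public certificate belongs in Trusted Publishers; never import the .pfx here.
if ($cert.HasPrivateKey) { throw "$CerPath contains a private key; import only the DER .cer file." }

# Certificates (Local Computer) > Trusted Publishers; the system store name is TrustedPublisher.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)   # no-op if this exact certificate is already present
$store.Close()

# Confirm the import the way you would in MMC: look the certificate up by thumbprint.
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$found = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
    $cert.Thumbprint, $false)
$store.Close()
if ($found.Count -ne 1) { throw 'Import failed: the certificate is not in Trusted Publishers.' }

# Trusted Publishers alone is not enough for a signature to validate: the chain must
# also build to a trusted root, and the leaf must be valid for code signing.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid($CodeSigningEku)))
# Revocation checking is left out of this offline check; enable it where a CRL is reachable.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

if ($chain.Build($cert)) {
    Write-Host "OK: $($cert.Subject) is in Trusted Publishers and chains to a trusted root for code signing."
} else {
    foreach ($status in $chain.ChainStatus) { Write-Warning "$($status.Status): $($status.StatusInformation)" }
    Write-Warning 'Check that the issuing CA certificate is in Trusted Root Certification Authorities and that the certificate has the Code Signing EKU.'
}
```

On a domain-joined server the enterprise CA is normally already trusted through Group Policy, so the chain check passes; a chain failure at this point usually means the package would be rejected later at installation time, which is cheaper to discover now than after distribution.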

See Also

Concepts

Signing .Cab Files in Packages