Skip to main content

Create PIV CS PKCS12 store (PIV PFX)

  1. Create a new user in Active Directory, as follows:

    1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears.
    2. Right-click Users and select New > User. The New Object > User dialog box appears.
    3. Enter a First name, Last name, and User logon name and then click Next.
    4. Deselect User must change password at next logon.
    5. Enter and confirm a password.
    6. Click Next and then click Finish.

  2. Open the Microsoft Management Console to add certificates snap-in, as follows:

    1. To open the Microsoft Management Console, right-click the Start menu, click Run, enter mmc in the Open field, and click OK.
    2. Go to File > Add/Remove Snap In.
    3. Click Certificates and select Add. The Certificate snap-in dialog box appears.
    4. Select My user account.
    5. Click Finish and click OK.

  3. Double-click Certificates > Current User.

  4. Right-click Personal and select All Tasks > Advanced Operations > Enroll on Behalf Of. The Certificate Enrollment Wizard opens.

  5. Click Next. The Select Certificate Enrollment Policy page appears.

  6. Click Browse to select a signing certificate. The Select a Certificate dialog box appears.

  7. Click OK to select the certificate and close the dialog box. A certificate name appears in the Signing Certificate field.

  8. Click Next. The Request Certificates page appears.

  9. Select your PIV Content Signer (Device) certificate template and click Next. The Select a user page appears.

  10. Enter the Username you created in step 1. Alternately, you can click Browse to display the Select User dialog box and search for the user.

  11. Click Enroll and then click Close.

  12. Select Certificates > Current User.

  13. Double-click Personal and then double-click Certificates.

  14. Right-click your user PIV-PIV Content Signer (Device) certificate and select All Tasks > Export. The Certificate Export Wizard opens.

  15. Click Next. The Export Private Key page appears.

  16. Select Yes, export the private key and click Next.

  17. In the Export File Format page, do the following:

    1. Select Personal Information Exchange - PKCS #12 (PFX).
    2. Select Include all certificates in the certificate path if possible.
    3. Click Next. The Security page appears.

  18. In the Security page, do the following:

    1. Select Password.
    2. Enter and confirm a certificate password.
    3. Click Next. The File to Export page appears.

  19. In the File to Export page, enter a name for your certificate, for example, piv.

    tip

    Tip: Click Browse to browse to the location where you want to save your certificate, enter a File name and click Save.

  20. Click Next and then click Finish.

  21. Click OK on the Export successful confirmation prompt.

  22. Copy this file. You need this file to Configure a Microsoft CA on Identity as a Service.