1. General
For internal LAN-only services, you can use self-signed certificates, but you need a strong policy in place: the issuing CA server must be well protected from cybercriminals and located somewhere that is not accessible to all the employees of your organization, and you need monitoring tools and a team in charge of managing the certificate estate.
2. WSL Distro Launcher Certificate
2.1. Create Certificate
- Enter the following commands at a PowerShell Command Prompt.
$FilePath = "D:\Tmp\DistroLauncher-Appx_TemporaryKey.pfx"
$Password = Read-Host -Prompt "Enter the level 2 password" -AsSecureString
$Path = "Cert:\CurrentUser\My"
$Subject = "CN=SMRU WSL Distro Launcher Appx"
Get-ChildItem -Path "Cert:\CurrentUser\My" | Select-Object Subject, FriendlyName, Thumbprint
$Certificate = New-SelfSignedCertificate -CertStoreLocation $Path -KeyUsage DigitalSignature -Subject $Subject -Type Custom
$Thumbprint = $Certificate.Thumbprint
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Thumbprint -eq "$Thumbprint" }
Export-PfxCertificate -Cert "$Path\$Thumbprint" -FilePath $FilePath -Password $Password
Remove-Item -Path Cert:\CurrentUser\My\$Thumbprint
Remove-Item -Path Cert:\CurrentUser\CA\$Thumbprint
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Thumbprint -eq "$Thumbprint" }
2.2. Import Certificate
- Enter the following commands at a PowerShell Command Prompt with administrative privileges.
$FilePath = "D:\Tmp\DistroLauncher-Appx_TemporaryKey.pfx"
$Password = Read-Host -Prompt "Enter the level 2 password" -AsSecureString
$Path = "Cert:\LocalMachine\Root"
Get-PfxCertificate -FilePath $FilePath | Format-List *
$Certificate = Import-PfxCertificate -CertStoreLocation $Path -FilePath $FilePath -Password $Password
$Thumbprint = $Certificate.Thumbprint
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Thumbprint -eq "$Thumbprint" }
2.3. Remove Certificate
- Enter the following commands at a PowerShell Command Prompt.
Get-ChildItem -Path Cert:\CurrentUser\My | Select-Object Subject, FriendlyName, Thumbprint
$Thumbprint = "<Thumbprint>"
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Thumbprint -eq "$Thumbprint" }
$Certificate = Get-PfxCertificate -FilePath "<PfxFile>"
$Thumbprint = $Certificate.Thumbprint
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Thumbprint -eq "$Thumbprint" }
Remove-Item -Path Cert:\CurrentUser\CA\$Thumbprint
Remove-Item -Path Cert:\CurrentUser\My\$Thumbprint
Remove-Item -Path Cert:\CurrentUser\Root\$Thumbprint
2.4. Search Certificate
- Enter the following commands at a PowerShell Command Prompt.
$FriendlyName = "<FriendlyName>"
$Subject = "<Subject>"
$Thumbprint = "<Thumbprint>"
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.FriendlyName -eq "$FriendlyName" }
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Subject -eq "$Subject" }
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Thumbprint -eq "$Thumbprint" }
- Enter the following commands at a PowerShell Command Prompt with administrative privileges.
$FriendlyName = "<FriendlyName>"
$Subject = "<Subject>"
$Thumbprint = "<Thumbprint>"
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.FriendlyName -eq "$FriendlyName" }
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Subject -eq "$Subject" }
Get-ChildItem -Path Cert: -Recurse | Where-Object {$_.Thumbprint -eq "$Thumbprint" }
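The import in 2.2 places the PFX, private key included, in Cert:\LocalMachine\Root. The following is an added example, not part of the original page, and assumes the machine only needs to trust packages signed with this certificate rather than sign them itself: it imports the public certificate alone, then lists every store copy using the search pattern from 2.4. The function name Get-CertificateCopy and the path in $CerPath are introduced here for illustration.

```powershell
# Added example: trust the public certificate only, then audit every store copy.
# $PfxPath is the file used in 2.1 and 2.2; $CerPath is a hypothetical output path.
$PfxPath = "D:\Tmp\DistroLauncher-Appx_TemporaryKey.pfx"
$CerPath = "D:\Tmp\DistroLauncher-Appx_Public.cer"

function Get-CertificateCopy {
    # Lists each store that holds the thumbprint and whether that copy has a private key.
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Stores that exist to establish trust; they only need the public certificate.
    $TrustStores = '\\(Root|CA|AuthRoot|TrustedPeople|TrustedPublisher)$'
    Get-ChildItem -Path Cert:\ -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                       $_.Thumbprint -eq $Thumbprint } |
        ForEach-Object {
            # PSParentPath ends in "::<Location>\<Store>", e.g. "::LocalMachine\Root".
            $Store = ($_.PSParentPath -split '::')[-1]
            [pscustomobject]@{
                Store           = $Store
                Subject         = $_.Subject
                NotAfter        = $_.NotAfter
                HasPrivateKey   = $_.HasPrivateKey
                KeyInTrustStore = $_.HasPrivateKey -and ($Store -match $TrustStores)
            }
        }
}

# Read the certificate from the PFX (prompts for the PFX password) and write
# only its public part to a .cer file; the private key stays in the PFX.
$Certificate = Get-PfxCertificate -FilePath $PfxPath
Export-Certificate -Cert $Certificate -FilePath $CerPath -Type CERT | Out-Null

# Administrative prompt: add the public certificate to the machine trust store.
Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# A row with KeyInTrustStore = True marks a copy that was imported from the PFX,
# as in 2.2, and therefore carries the signing key inside a trust store.
Get-CertificateCopy -Thumbprint $Certificate.Thumbprint | Format-Table -AutoSize
```

Keep the PFX itself only on the machine that signs the package.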
2.5. View Certificate
- Open Control Panel > Internet Options.
  - Type inetcpl.cpl at a Command Line.
- Select the Content tab.
- Click Certificates.
- Select the Personal tab.
- Select the Other People tab.
- Select the Intermediate Certification Authorities tab.
- Select the Trusted Root Certification Authorities tab.
  - Select the SMRU WSL Distro Launcher Appx certificate.
  - Click View.
  - Select the General tab.
  - Select the Details tab.
  - Select the Certification Path tab.
  - Click OK.
- Select the Trusted Publishers tab.
- Select the Untrusted Publishers tab.
- Click Close.
- Close Internet Options.
- Open Control Panel > Internet Options with administrative privileges.
  - Type inetcpl.cpl at a Command Prompt with administrative privileges.
- Repeat above steps.
- Open Certificate Manager for Current User (certmgr.msc).
- Close Certificate Manager.
- Open Certificate Manager for Local Machine (certlm.msc).
- Close Certificate Manager.
- mmc.exe
  - Select File > Add/Remove Snap-in.
  - Select Certificates.
  - Click Add.
  - Choose Computer account.
  - Click Next.
  - Choose Local computer.
  - Click Finish.
  - Click OK.