I opened the p12 file using certutil and it looks ok:
D:\>certutil -dump wmc01.contoso.com-cfssl.p12
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
NotBefore: 5/9/2018 7:57 PM
NotAfter: 5/6/2028 7:57 PM
Subject: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 1 ================
================ Begin Nesting Level 1 ================
Element 1:
Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=CONTOSO Corp Root CA, O=CONTOSO Corp, C=US
NotBefore: 5/9/2018 7:58 PM
NotAfter: 5/8/2023 7:58 PM
Subject: CN=CONTOSO Server Intermediate Root CA, O=CONTOSO Corp, C=US
Non-root Certificate
Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
No key provider information
Cannot find the certificate and private key for decryption.
================ Certificate 2 ================
================ Begin Nesting Level 1 ================
Element 2:
Serial Number:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=CONTOSO Server Intermediate Root CA, O=CONTOSO Corp, C=US
NotBefore: 5/31/2018 3:52 PM
NotAfter: 5/30/2023 3:52 PM
Subject: CN=wmc01.contoso.com, OU=CONTOSO Server, O=CONTOSO Corp, L=Fremont, S=California, C=US
Non-root Certificate
Cert Hash(sha1):xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -dump command completed successfully.
I also installed it on my Windows 10 laptop, and it installed the certificate in my Personal store with the "Intended Purposes" of Client Auth and Server Auth.
I checked out the ASE link, and that seems to be applicable to certificates generated using a CSR. The certificate I am using was not generated by a CSR and comes from an internal CA. Does the controller accept certificates generated without a CSR?
Based on the ASE, it looks like it wants a certificate in the following format:
-----BEGIN RSA PRIVATE KEY-----
to (including):
-----END CERTIFICATE-----
None of my certificates start with
-----BEGIN RSA PRIVATE KEY-----
Usually -----BEGIN CERTIFICATE----- or -----BEGIN PRIVATE KEY-----, and none of them have "to (including):".
Is that a problem?
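
As an added example (not part of the original post, and not the controller vendor's code): a small Python check that lists the PEM block labels in a bundle and compares them with the layout quoted above, first block RSA PRIVATE KEY and last block CERTIFICATE. Treating that layout as a requirement is an assumption; the function names and sample bundles are constructed for illustration.

```python
import re

# PEM encapsulation boundary: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# The label alone identifies the private-key encoding.
KEY_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1, traditional RSA",
    "PRIVATE KEY": "PKCS#8, unencrypted",
    "ENCRYPTED PRIVATE KEY": "PKCS#8, encrypted",
    "EC PRIVATE KEY": "SEC1, traditional EC",
}

def pem_labels(text):
    """Return block labels in file order; text outside blocks is ignored."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_bundle(text):
    """Compare a bundle with the layout quoted in the post (assumed requirement)."""
    labels = pem_labels(text)
    if not labels:
        return labels, ["no PEM blocks found"]
    problems = []
    if labels[0] != "RSA PRIVATE KEY":
        kind = KEY_LABELS.get(labels[0], "not a private key")
        problems.append(f"first block is {labels[0]!r} ({kind})")
    if labels[-1] != "CERTIFICATE":
        problems.append(f"last block is {labels[-1]!r}, not 'CERTIFICATE'")
    if sum(l in KEY_LABELS for l in labels) != 1:
        problems.append("expected exactly one private-key block")
    return labels, problems

def _block(label):
    # Constructed placeholder body, not real key or certificate material.
    return f"-----BEGIN {label}-----\nQUJDREVGRw==\n-----END {label}-----\n"

# Constructed samples; the "Bag Attributes" line stands in for text between blocks.
EXPECTED = _block("RSA PRIVATE KEY") + _block("CERTIFICATE") * 2
PKCS8_FIRST = _block("PRIVATE KEY") + "Bag Attributes\n" + _block("CERTIFICATE")
CERT_FIRST = _block("CERTIFICATE") + _block("PRIVATE KEY")

if __name__ == "__main__":
    for name, pem in [("expected", EXPECTED), ("pkcs8", PKCS8_FIRST),
                      ("cert-first", CERT_FIRST)]:
        labels, problems = check_bundle(pem)
        print(name, labels, problems or "matches the quoted layout")
```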