Q: We need to export an X.509 web server certificate and the associated private key from one of our web servers and import them on all the other web servers in our farm. To do this, we plan to use the Windows Certificate Export Wizard, the Windows Certificate Import Wizard, and a PKCS#12-formatted file (*.pfx) that's protected using a password. Is it true that there's a new feature in Windows Server 2012 that lets you securely import PKCS#12 content without needing to transfer the associated protection password to all administrators who are involved in the import operation?

A: Yes, that's correct. Windows Server 2012 and Windows 8 support a new feature that lets you use an Active Directory (AD) user or group account to protect the certificate and private key, both of which are contained in a PKCS#12-formatted file. This feature is very useful for exporting and importing digital certificates and private keys because you don't need to share a password with all the parties involved.

To support this feature, the Certificate Export Wizard in Server 2012 and Windows 8 provides a new security option that allows you to secure the .pfx file using an AD user or group account. The new Group or user names (recommended) option appears in the Security page of the wizard, as Figure 1 shows. When you select this option, you can add an AD account using the Add button. The Certificate Import Wizard's logic has been changed to automatically detect when you're logged on with a valid AD account and unlock access to the certificate and private key in the .pfx file, without prompting you for a password.

Figure 1: Security Page in the Certificate Export Wizard

Under the hood, this new feature still uses a password that's automatically generated to protect the .pfx file. This password is encrypted using the Windows Data Protection API (DPAPI) and added to the .pfx file. When a protected .pfx file is imported, Windows checks whether the user or computer account that's trying to import the file is on the list of accounts that was configured during the creation of the .pfx file. If that's the case, Windows automatically unprotects the password and gives access to the protected certificate and private key content.

This new feature only works when you export the certificate and private key from a Server 2012 or Windows 8 machine that's an AD domain member. In addition, the machine on which you import the certificate and private key must be joined to a domain where a Server 2012 domain controller (DC) is available.

You can invoke this new feature from the command line when you use either the Windows PowerShell Export-PfxCertificate cmdlet or the Certutil command-line utility to create a .pfx file. Both tools now support the -ProtectTo parameter, which lets you specify the AD account you want to use to protect the certificate and private key.