Connecting the world…


FortiClient SSLVPN – export profiles

I am using the FortiClient SSLVPN lightweight application for SSL VPN access to client networks. In the GUI you don’t have options to export the configured profiles as you have with the full-featured FortiClient SSLVPN. The profiles for the lightweight version are stored in the registry, so you can export and import from there. The registry location is:



Useful command: netsh wlan

The management of wireless networks can be done via the Windows command “netsh wlan”. This command is especially useful when using Windows 8. You can use other “netsh” subcommands to retrieve other system information, like “netsh lan” to get information about your Wired AutoConfig Service settings.

The following table describes some options for “netsh wlan”.

Command Description
show profiles show all save profiles
delete profile name=”profile name” delete a specific profile
show profile name=”profile name” key=clear retrieve saved WPA2 PSK
show wlanreport report showing recent wireless session information
export profile “profile name” folder=c:\export export a profile with all settings to the directory c:\export
add profile filename=”c:\export\filename” user=all import a profile with all settings to all users profiles
show profile “profile name” display information on the specific wifi network
show interfaces shows a list of the wireless LAN interfaces on the system
show all display information on all currently available wifi networks
set profileorder name=”profile name” interface=”Wi-Fi” priority=1 change the priority of a wifi network

There are a lot more useful commands available. You can always use the question mark to get more options.

Export StartTLS certificate from SMTP server

While configuring Office365 as the messaging (SMTP) server within Aruba ClearPass, I needed to upload the certificate from the StartTLS session to the certificate trust list from ClearPass. I had to export the certificate for via the following OpenSSL command:

openssl s_client -showcerts -starttls smtp -crlf -connect

After running the command, you will see some output like shown in the image.

openssl starttls

I copied the both parts between BEGIN CERTIFICATE and END CERTIFICATE to two different text editore files and saved them with the extension .cer. Next I was able to upload both certificates to the certificate trust list in ClearPass and configure the message server with StartTLS Connection Security

Windows CA template – web server and private key export

Creating a web server certificate request is very easy when using a Windows CA server. There is one disadvantage. The requested certificate is directly stored in the user store (by default) or the local computer store, if specified during the request. The disadvantage is that you cannot export the requested certificate including the private keys. During the request the option to Mark keys as exportable is grayed out.

There is a way to mark the keys as exportable when using a Windows CA server. You need to create a new Web Server Certificate template. You can use the existing Web Server Certificate Template as default and copy the current settings. To do so, you just:

  • run certtmpl.msc, which will open the Certificate Template snap-in;
  • click the Web Server certificate template;
  • choose Action – Duplicate Template;
  • configure a unique template name;
  • choose the tab Request Handling;
  • enable the option Allow private key to be exported;

That is all you need to do. You can now request a new certificate with the newly create certificate template. After the certificate is issued and installed on the user or local computer store, you can export the certificate including the private key.

Duplicate certificate template

Allow private key to be exported