Category Archives: Infrastructure

How to extract private key from pfx and remove passphrase using OpenSSL

When I tried to enable SSL for BitTorrent Sync on my new Synology 215j NAS, it turned out that it doesn’t take a PFX: it wants the certificate and the private key as two separate PEM (base64-encoded) files.

Here’s the command to extract the certificate itself. It prompts for the existing PFX’s passphrase (password). (With OpenSSL 3.x, a PFX exported by an older Windows version may be rejected with an unsupported-algorithm error because it uses legacy RC2 encryption; add -legacy to both pkcs12 commands in that case.)

openssl pkcs12 -in synology.pfx -clcerts -nokeys -out synology.cer

To extract the private key. It prompts for the PFX’s passphrase and then for a new passphrase to protect the key:

openssl pkcs12 -in synology.pfx -nocerts -out synology.private.key

To remove that second passphrase (adding -nodes to the previous command skips it altogether; for a non-RSA key use openssl pkey with the same arguments). The resulting file no longer carries one, i.e. the key sits unencrypted on disk, so restrict its permissions to the account that has to read it:

openssl rsa -in synology.private.key -out synology.key
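The three steps wrapped into one function, as an added example (not part of the original post): the PFX password is passed to openssl through the environment instead of the command line, the key is written unencrypted straight away with -nodes, the file is locked down, and a second function checks that the extracted key really belongs to the certificate. It assumes openssl is on PATH; the file names are placeholders.

```powershell
# Added example: PFX -> PEM with openssl, plus a cert/key match check.
function Convert-PfxToPem {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $OutDir,
        [switch] $Legacy    # OpenSSL 3.x needs -legacy for RC2-encrypted PFX from old Windows
    )
    $pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
    # openssl reads the password from the environment (-passin env:), so it never
    # shows up in the process command line or the shell history
    $env:PFX_PASS = [System.Net.NetworkCredential]::new('', $pfxPass).Password
    $certPem = Join-Path $OutDir 'synology.cer'
    $keyPem  = Join-Path $OutDir 'synology.key'
    $common  = @('-in', $PfxPath, '-passin', 'env:PFX_PASS')
    if ($Legacy) { $common += '-legacy' }
    try {
        $null = New-Item -ItemType Directory -Force -Path $OutDir
        # certificate only: no CA chain, no key
        & openssl pkcs12 $common -clcerts -nokeys -out $certPem
        if ($LASTEXITCODE) { throw "certificate extraction failed (exit $LASTEXITCODE)" }
        # key only, unencrypted: -nodes replaces the separate 'openssl rsa' step
        & openssl pkcs12 $common -nocerts -nodes -out $keyPem
        if ($LASTEXITCODE) { throw "key extraction failed (exit $LASTEXITCODE)" }
    }
    finally {
        Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
    }
    # the key is now plaintext on disk: owner-only access
    if ($IsLinux -or $IsMacOS) { chmod 600 $keyPem }
    else { icacls $keyPem /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null }
    [pscustomobject]@{ Certificate = $certPem; Key = $keyPem }
}

# True when the public key inside the certificate equals the public half of the
# private key. Uses 'openssl pkey', so it works for RSA and EC keys alike.
function Test-CertKeyMatch {
    param([Parameter(Mandatory)] [string] $CertPem, [Parameter(Mandatory)] [string] $KeyPem)
    $fromCert = (& openssl x509 -in $CertPem -noout -pubkey) -join "`n"
    $fromKey  = (& openssl pkey -in $KeyPem -pubout) -join "`n"
    $fromCert -eq $fromKey
}

$files = Convert-PfxToPem -PfxPath .\synology.pfx -OutDir .\pem
if (-not (Test-CertKeyMatch -CertPem $files.Certificate -KeyPem $files.Key)) {
    throw 'certificate and key do not match: wrong PFX, or the wrong entry was picked'
}
```

Run it with -Legacy only if the plain run fails on OpenSSL 3; the mismatch check is worth keeping even for a one-off, because a PFX can carry more than one certificate and BitTorrent Sync will simply refuse a cert/key pair that doesn’t belong together.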

Troubleshooting site-to-site connection in Azure: error 797, 663.

When I created a site-to-site connection in Azure Networks (classic) and tried to connect to the gateway for the first time from my on-premises VPN server (a virtual Windows Server 2012 R2), I found the following error in the Application event log:

CoId={guid}: The user SYSTEM dialed a connection named {name} which has failed. The error code returned on failure is 797.

Solution: in RRAS -> Ports -> Properties -> WAN Miniport (IKEv2), make sure at least one port is enabled.

The next error I got was:

CoId={guid}: The user SYSTEM dialed a connection named {name} which has failed. The error code returned on failure is 663.

Solution: in the same dialog, make sure Demand-dial routing connections (inbound and outbound) is enabled.
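To spot these failures without clicking through Event Viewer, here is an added example (not from the original post) that reads RasClient’s "dialed a connection ... which has failed" events from the Application log, pulls out the error code and maps the two codes above to their fixes. The $Sample messages are constructed to mirror the events quoted in this post so the script can be tried offline; the server name is a placeholder.

```powershell
# Added example: parse RasClient dial failures and map known codes to the fix.
$KnownRasCodes = @{
    797 = 'RRAS -> Ports -> Properties -> WAN Miniport (IKEv2): enable at least one port'
    663 = 'RRAS -> Ports -> Properties -> WAN Miniport (IKEv2): enable "Demand-dial routing connections (inbound and outbound)"'
}
# shape of RasClient's failure event, as quoted above
$RasFailurePattern = 'dialed a connection named (?<name>.+?) which has failed\. The error code returned on failure is (?<code>\d+)'

function Get-RasDialFailure {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [string[]] $Message          # optional: message texts to parse instead of reading the log
    )
    if (-not $Message) {
        $Message = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Application'; ProviderName = 'RasClient'
        } | ForEach-Object Message
    }
    foreach ($m in $Message) {
        if ($m -notmatch $RasFailurePattern) { continue }
        $code = [int] $Matches.code
        $hint = if ($KnownRasCodes.ContainsKey($code)) { $KnownRasCodes[$code] }
                else { 'not covered here; look the code up in the RAS error list' }
        [pscustomobject]@{ Connection = $Matches.name; ErrorCode = $code; Hint = $hint }
    }
}

# constructed sample messages, same text as the real events
$Sample = @(
    'CoId={11111111-1111-1111-1111-111111111111}: The user SYSTEM dialed a connection named AzureS2S which has failed. The error code returned on failure is 797.',
    'CoId={22222222-2222-2222-2222-222222222222}: The user SYSTEM dialed a connection named AzureS2S which has failed. The error code returned on failure is 663.',
    'CoId={33333333-3333-3333-3333-333333333333}: The user SYSTEM dialed a connection named AzureS2S which has failed. The error code returned on failure is 812.'
)
Get-RasDialFailure -Message $Sample | Format-Table -AutoSize
# against the real server:  Get-RasDialFailure -ComputerName rras01
```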

Happy routing!

Detect whether or not an application is installed on the remote server

When you manage a Windows Server installed in Server Core mode you can’t just open Control Panel -> Programs and Features to see whether a particular application is installed.

Here’s the command for it (/node: points wmic at a remote machine). Be aware that Win32_Product only lists MSI-installed products, and that every query against it makes Windows Installer validate each package, which is slow and can trigger repairs:

wmic /node:server product where "Name LIKE '%name%'" get name,version

To uninstall it:

wmic /node:server product where "Name LIKE '%name%'" uninstall

Note: the latter might not always work; it probably depends on how the uninstaller was written.
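An added example (not from the original post) that does the same job without Win32_Product: it reads the Uninstall registry keys over PowerShell remoting, which is fast, has no side effects, also shows non-MSI installers, and doesn’t depend on the deprecated wmic. Uninstalling is limited to MSI packages (those whose key is a GUID product code), since an arbitrary UninstallString may be interactive. It assumes WinRM is enabled on the target; server and the name pattern are placeholders.

```powershell
# Added example: detect and uninstall software on a remote Core server via the registry.
function Get-InstalledApp {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Name        # wildcard pattern, e.g. '*Agent*'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Name -ScriptBlock {
        param($Name)
        # 64-bit and 32-bit (WOW6432Node) installers live under different keys
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Name            = $_.DisplayName
                    Version         = $_.DisplayVersion
                    ProductCode     = $_.PSChildName        # a {GUID} for MSI packages
                    UninstallString = $_.UninstallString
                }
            }
    }
}

function Uninstall-InstalledApp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Name
    )
    Get-InstalledApp -ComputerName $ComputerName -Name $Name | ForEach-Object {
        if ($_.ProductCode -notmatch '^\{[0-9A-F-]{36}\}$') {
            Write-Warning "$($_.Name): not an MSI package, uninstall by hand: $($_.UninstallString)"
            return
        }
        if ($PSCmdlet.ShouldProcess("$($_.Name) $($_.Version) on $ComputerName", 'msiexec /x')) {
            Invoke-Command -ComputerName $ComputerName -ArgumentList $_.ProductCode -ScriptBlock {
                param($Code)
                # /qn: silent; /norestart: never reboot a server behind our back
                $p = Start-Process msiexec.exe -ArgumentList "/x $Code /qn /norestart" -Wait -PassThru
                # 0 = removed, 3010 = removed but reboot required
                [pscustomobject]@{ ProductCode = $Code; ExitCode = $p.ExitCode }
            }
        }
    }
}

Get-InstalledApp -ComputerName server -Name '*name*' | Format-Table Name, Version, ProductCode
Uninstall-InstalledApp -ComputerName server -Name '*name*' -WhatIf   # drop -WhatIf to really remove it
```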

Certificate enrollment policy server URI format

If you try to request a certificate from a non-domain-joined machine using the Certificates snap-in (certmgr.msc), you need to install the following components on the server hosting your Certificate Authority:

(maybe you need just one of them, but I’ve installed both)

and then enter its URI in the following format (the Kerberos segment is the authentication type the policy web service was installed with; a service set up for username/password or certificate authentication uses UsernamePassword or Certificate there instead, and the URI must match or enrollment fails):

https://<FQDN>/ADPolicyProvider_CEP_Kerberos/service.svc/CEP

How to configure RDG behind NAT

This week’s problem was getting a Remote Desktop Gateway working behind NAT. Lessons learned:

  • Issue an SSL certificate whose subject (or SAN) matches the public DNS name (FQDN) the clients will use.
  • Keep the gateway on its default port, 443/TCP (RDG is an HTTPS listener, not RDP’s 3389). On a non-default port the name the client connects to no longer matches the certificate, and you get:

    The computer can’t verify the identity of the RD Gateway.

    or, once you’ve put the certificate in the current user’s Trusted Root Certification Authorities store:

    Your computer can’t connect to the computer because the Remote Desktop Gateway server address requested and the certificate name do not match.

  • Publish HTTPS, 443/TCP, on the firewall, i.e. make it reachable from outside (and 3391/UDP if you want the RDG UDP transport). Otherwise the connection isn’t established and you get another unhelpful error:

    Your computer can’t connect to the remote computer because the RDG server is temporarily unavailable.
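The three lessons checked from the outside, the way the RD client sees them, as an added example (not from the original post): is 443/TCP reachable, does the certificate the gateway presents cover the FQDN, and does its chain build against the local trust stores. It assumes only that the public FQDN resolves from where you run it; rdg.example.com is a placeholder.

```powershell
# Added example: external pre-flight check for an RD Gateway behind NAT.
function Test-RdGateway {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # public DNS name the RD client is given
        [int] $Port = 443                        # RDG is HTTPS: 443/TCP, not RDP's 3389
    )
    $r = [ordered]@{ Fqdn = $Fqdn; TcpOpen = $false; CertNames = @(); NameMatches = $false; ChainTrusted = $false }

    # 1. 443/TCP must be published; otherwise "the RDG server is temporarily unavailable"
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try { $tcp.Connect($Fqdn, $Port); $r.TcpOpen = $true }
    catch { return [pscustomobject]$r }

    # 2. TLS handshake with SNI = FQDN, as the RD client does; accept any certificate here
    #    so the names can still be read off an untrusted one (trust is checked in step 4)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $ssl.Dispose(); $tcp.Dispose() }

    # 3. subject/SAN must cover the FQDN; otherwise "server address requested and the
    #    certificate name do not match". DnsNameList is PowerShell's SAN view; fall back
    #    to GetNameInfo (first DNS name or CN) if it is not populated.
    $names = @($cert.DnsNameList | ForEach-Object Unicode)
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('DnsName', $false)) }
    $r.CertNames   = $names
    $r.NameMatches = [bool]($names | Where-Object { $Fqdn -like $_ })   # -like also handles *.example.com

    # 4. the chain must build against the local stores; otherwise "can't verify the identity of the RD Gateway"
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $r.ChainTrusted = $chain.Build($cert)
    [pscustomobject]$r
}

Test-RdGateway -Fqdn 'rdg.example.com'
```

Each false column maps to one of the three errors above: TcpOpen to "temporarily unavailable", NameMatches to the name-mismatch error, ChainTrusted to "can’t verify the identity". Run it from outside the NAT, since from inside the firewall rule is not exercised.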

That’s all, folks!

How to re-create symlinks of VM configs in Hyper-V using PowerShell

Hyper-V keeps each VM’s config under %ProgramData%\Microsoft\Windows\Hyper-V\Virtual Machines\ as a symlink to the original location (this applies to the XML-based config format used up to Windows Server 2012 R2; 2016 and later use binary .vmcx files).

They may get broken for various reasons, e.g.:

  • Server disaster
  • Upgrade to next version of OS/Hyper-V and then rollback
  • Migration

To get the VMs back you need to create a symlink for each XML config, from an elevated command prompt, i.e.:

mklink "%ProgramData%\Microsoft\Windows\Hyper-V\Virtual Machines\{guid}.xml" "d:\MyVM\Virtual Machines\{guid}.xml"

But how do you automate this if you have tens of VMs? Here’s the command; run it from the VM directory in an elevated PowerShell 5.1 or later. New-Item creates the symlinks natively, which replaces the PSCX New-Symlink cmdlet the original one-liner relied on, and $env:ProgramData is used because %ProgramData% is not expanded inside PowerShell strings:

Get-ChildItem -Recurse -Filter *.xml | ForEach-Object { New-Item -ItemType SymbolicLink -Path (Join-Path "$env:ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines" $_.Name) -Target $_.FullName }
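A slightly more careful version as an added example (not from the original post): it only touches files named <guid>.xml (snapshots and other XML under the VM folder are skipped), leaves links that already point to the right file alone, repoints stale links left over from an old drive letter or a migration, refuses to overwrite a real file, and supports -WhatIf for a dry run. D:\MyVM is a placeholder; creating symlinks still needs an elevated prompt.

```powershell
# Added example: idempotent re-creation of Hyper-V VM config symlinks.
function Restore-VMConfigLink {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $VMRoot)    # folder that holds the VMs, e.g. D:\MyVM
    $linkDir = Join-Path $env:ProgramData 'Microsoft\Windows\Hyper-V\Virtual Machines'
    Get-ChildItem -Path $VMRoot -Recurse -Filter *.xml |
        Where-Object { $_.BaseName -as [guid] } |
        ForEach-Object {
            # VM configs are named <guid>.xml; anything else was filtered out above
            $target = $_.FullName
            $link   = Join-Path $linkDir $_.Name
            $item   = Get-Item -LiteralPath $link -Force -ErrorAction SilentlyContinue
            if ($item) {
                if ($item.LinkType -ne 'SymbolicLink') {
                    Write-Warning "$link is a real file, not a link; leaving it alone"
                    return
                }
                # already pointing at this config: nothing to do
                if (@($item.Target) -contains $target) { return }
                # stale link (old drive letter, pre-migration path): replace it
                if ($PSCmdlet.ShouldProcess($link, "repoint to $target")) {
                    Remove-Item -LiteralPath $link -Force
                } else { return }
            }
            if ($PSCmdlet.ShouldProcess($link, "link to $target")) {
                $null = New-Item -ItemType SymbolicLink -Path $link -Target $target
            }
        }
}

Restore-VMConfigLink -VMRoot 'D:\MyVM' -WhatIf   # dry run first; then without -WhatIf, elevated
```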

How to select Azure subscription if you have more than one using PowerShell

If you have more than one Azure subscription in your account and follow these instructions to upload a VHD:

  1. Get-AzurePublishSettingsFile
  2. Import-AzurePublishSettingsFile d:\credentials.publishsettings
  3. Add-AzureVhd -LocalFilePath d:\my.vhd -Destination http://example.com/blob/container

You may get an error saying that the selected account doesn’t have the given blob.
That’s because the first subscription is selected by default and the target blob lives in another one.

To select the proper subscription use the following command (here it picks the last one):

Get-AzureSubscription | Select -Last 1 | Select-AzureSubscription

(Picking by position is fragile; Select-AzureSubscription -SubscriptionName '<name>' is the robust form. Also note that the .publishsettings file contains a management certificate that gives full control over every subscription it lists, so delete it once it has been imported. The classic Azure module is deprecated; with the Az module the equivalent is Set-AzContext -Subscription '<name>'.)
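The same upload as an added example (not from the original post), with the subscription selected by name, an early failure that lists the available names if it isn’t there, and the .publishsettings credential file removed afterwards. It uses the classic Azure module the post is about; the subscription name, paths and blob URI are placeholders.

```powershell
# Added example: upload a VHD into the right subscription and clean up the credential file.
function Select-AzureSubscriptionByName {
    param([Parameter(Mandatory)] [string] $Name)
    $subs = Get-AzureSubscription
    if ($subs.SubscriptionName -notcontains $Name) {
        throw "No subscription '$Name'. Available: $($subs.SubscriptionName -join ', ')"
    }
    Select-AzureSubscription -SubscriptionName $Name
}

$settings = 'D:\credentials.publishsettings'    # downloaded with Get-AzurePublishSettingsFile
Import-AzurePublishSettingsFile $settings
try {
    Select-AzureSubscriptionByName -Name 'Production'
    Add-AzureVhd -LocalFilePath 'D:\my.vhd' -Destination 'https://mystorage.blob.core.windows.net/vhds/my.vhd'
}
finally {
    # the file holds a management certificate for all listed subscriptions; it has done its job
    Remove-Item -LiteralPath $settings -Force -ErrorAction SilentlyContinue
}
```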