[isapros] Re: certificate keys

  • From: "Jerry Young" <jerrygyoungii@xxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2008 08:07:21 -0500

Hmm...

All right... answered my own questions.  The CSR simply provides the public
information required by the CA to generate the CER, which just holds the
public key of the certificate.  During generation of the CSR, however, the
private key is created on the server that generated it - it just isn't
shared (like I incorrectly thought it was) via the CSR.

Interestingly enough, the .cer file can be installed on another system and
even configured to be used with a website.  Attempts to browse that website,
however, will fail - browser just keeps throwing "cannot establish
connection" errors. I'm guessing this is because the private key doesn't
exist there and so the traffic cannot be decrypted.

Now, as to why the certificate Amy was trying to export would not allow her
to do so, the only time I've seen that scenario is when the certificate is
based off the Computer Certificate Template instead of the Web Server
Certificate Template (assuming internal CA - don't think public CAs populate
this field) or you are viewing the certificates remotely through the
Certificates MMC.

Thanks for putting up with my muddling. :)

On Sun, Nov 23, 2008 at 6:05 PM, Jerry G. Young II
<jerrygyoungii@xxxxxxxxx> wrote:

> Jim,
>
> I'm missing something, then.  If the .cer file is just the public key of
> the certificate authority, why would you be able to view the certificate on
> a system where the private key didn't exist (as CSR)?  For that matter, why
> is the CSR required if you're just getting the public key in return?
>
> I had always thought the .cer file was the pairing of the server's private
> key with the certificate authority's public key?  Granted, to move that
> certificate between servers you need to export to a .pfx file but my point
> is that the .cer file could be installed on the published server, after
> which the private certificate could be exported.
>
> Since Amy said she had the .cer file, that's what I was suggesting.
>
> Cordially yours,
> Jerry G. Young II
> +=+ Sent via iPhone +=+
>
>
> On Nov 23, 2008, at 3:14 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
>> Actually, it won't.  The .cer file contains only the public key.
>> The private key is only contained in a PFX-format file.
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jerry Young
>> Sent: Sunday, November 23, 2008 10:17 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: certificate keys
>>
>> The CER file will have both the public and private keys in it (since it's
>> a compilation of the server's private key [CSR] and the certificate
>> authority's public key).  You just need to import it into the certificate
>> store on the server where the CSR for it was created.
>>
>>
>> On Sun, Nov 23, 2008 at 11:02 AM, Amy Babinchak <
>> amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>
>>   I have the original cer file. But that doesn't do me much good. There's
>> no .pfx file with it so I can't import with private keys.
>>
>>   I could probably ask for a rekey of the certificate.
>>
>>   thanks,
>>
>>   Amy Babinchak
>>   Harbor Computer Services | 248-850-8616
>>   Mobile 248-890-1794
>>   Web   http://www.harborcomputerservices.net
>>   Client Blog   http://smalltechnotes.blogspot.com
>>   Tech Blog   http://securesmb.harborcomputerservices.net
>>   Buy My House: http://www.shannonrealty.com/vassar_mls_tour.html
>>   Are you an IT Pro?  http://www.thirdtier.net
>>
>>
>>   From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jerry Young
>>   Sent: Sunday, November 23, 2008 9:39 AM
>>
>>   To: isapros@xxxxxxxxxxxxx
>>   Subject: [isapros] Re: certificate keys
>>
>>
>>   When does the certificate expire?
>>
>>   If you can't find the original PFX or CER file for the certificate,
>> you're unfortunately not going to be able to recreate the private key for
>> the current certificate.
>>
>>   What you can do, however, is renew it.  During renewal, you should be
>> able to get the private key for the new certificate that way.
>>
>>   On Sun, Nov 23, 2008 at 7:17 AM, Amy Babinchak <
>> amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>   No they aren't on this server.
>>
>>
>>   thanks,
>>
>>   Amy Babinchak
>>
>>
>>   -----Original Message-----
>>   From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jim Harrison
>>   Sent: Sunday, November 23, 2008 12:01 AM
>>   To: isapros@xxxxxxxxxxxxx
>>
>>   Subject: [isapros] Re: certificate keys
>>
>>   Sorry, but no.
>>   You don't have the original PFX file?
>>
>>   -----Original Message-----
>>   From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Amy Babinchak
>>   Sent: Saturday, November 22, 2008 4:23 PM
>>   To: isapros@xxxxxxxxxxxxx
>>   Subject: [isapros] certificate keys
>>
>>   Is there some way to create certificate keys after a certificate has
>> been installed? When I choose export the key isn't an option. I need to
>> regenerate it somehow.
>>
>>   thanks,
>>
>>   Amy Babinchak
>>
>>   --
>>   Cordially yours,
>>   Jerry G. Young II
>>   Microsoft Certified Systems Engineer
>>
>> --
>> Cordially yours,
>> Jerry G. Young II
>> Microsoft Certified Systems Engineer
>>
>>
>>


-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
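
As an added example, not from this thread, the CSR-to-.cer flow Jerry describes above, done with the Python `cryptography` package: the private key is generated next to the CSR and never leaves that machine, the CA issues a .cer carrying only the public key, and `cer_matches_key` is the check to run before binding a .cer on a server, to confirm the matching private key is actually present there. The host names and the test CA are constructed for the example.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

def make_csr(common_name):
    # Server side: the private key is generated here and stays here.
    # The CSR carries the subject and PUBLIC key, signed with the private key.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.PEM)

def issue_cer(csr_pem, ca_key, ca_name, days=30):
    # CA side: only the CSR is available; the issued DER .cer holds the public key.
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR proof-of-possession signature is invalid")
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_name)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.DER)

def cer_matches_key(cer_der, key):
    # The check to run before binding a .cer to a site: does its public key
    # belong to the private key on THIS machine?
    cert = x509.load_der_x509_certificate(cer_der)
    return cert.public_key().public_numbers() == key.public_key().public_numbers()

def demo():
    # Constructed scenario: the CSR is made on "web01", the .cer is issued by a
    # test CA, then the .cer is checked against the right key and a wrong key.
    server_key, csr_pem = make_csr("web01.example.test")
    other_key, _ = make_csr("web02.example.test")      # a different server's key
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")])
    cer = issue_cer(csr_pem, ca_key, ca_name)
    return {
        "csr_carries_private_key": b"PRIVATE KEY" in csr_pem,
        "cer_matches_web01_key": cer_matches_key(cer, server_key),
        "cer_matches_web02_key": cer_matches_key(cer, other_key),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Installing the .cer on web02 would give exactly the failure described above: the certificate loads, but no private key there can complete the handshake.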
