Amy's problem is almost as you described in ".. private key doesn't exist there and so the traffic cannot be decrypted ..", except that traffic was never encrypted to begin with.

CSR: Certificate Signing Request. This is a file which defines the operational aspects of the certificate to be issued. It contains no keys or anything else of operational value.
CER file: this contains the issued certificate, including the public key used to sign it.
PFX: this is a certificate file which includes both public and private keys.

When an application (such as the IIS wizard) builds a cert request, it generates the private key and stores it in the CAPI store. This location is dependent on how the app is written, but the IIS cert wizard stores it in the local machine "personal" (or "my") store. This key remains in this store until destroyed.

When you export the certificate which was issued based on the CSR created with reference to the private key, you generate a special file (PFX in most cases). When this file is created, the cert manglement MMC offers you the ability to say "private key is not exportable".

Likewise, simply copying a certificate from the machine where it was requested to another machine will not provide a functional SSL listener because (as in Amy's case) the private key does not automatically travel with the certificate itself. If the certificate was originally issued as "private key not exportable", then you have to get the cert rekeyed (again, as Amy did).

The computer cert vs. web server cert is a good point; the cert should have that information contained in it.

Jim

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Monday, November 24, 2008 5:07 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: certificate keys

Hmm... All right... answered my own questions. The CSR simply provides the public information required by the CA to generate the CER, which just holds the public key of the certificate.
During generation of the CSR, however, the private key is created on the server that generated it - it just isn't shared (like I incorrectly thought it was) via the CSR. Interestingly enough, the .cer file can be installed on another system and even configured to be used with a website. Attempts to browse that website, however, will fail - the browser just keeps throwing "cannot establish connection" errors. I'm guessing this is because the private key doesn't exist there and so the traffic cannot be decrypted.

Now, as to why the certificate Amy was trying to export would not allow her to do so, the only time I've seen that scenario is when the certificate is based off the Computer Certificate Template instead of the Web Server Certificate Template (assuming internal CA - don't think public CAs populate this field) or you are viewing the certificates remotely through the Certificates MMC.

Thanks for putting up with my muddling. :)

On Sun, Nov 23, 2008 at 6:05 PM, Jerry G. Young II <jerrygyoungii@xxxxxxxxx> wrote:

Jim,

I'm missing something, then. If the .cer file is just the public key of the certificate authority, why would you be able to view the certificate on a system where the private key didn't exist (as CSR)? For that matter, why is the CSR required if you're just getting the public key in return? I had always thought the .cer file was the pairing of the server's private key with the certificate authority's public key?

Granted, to move that certificate between servers you need to export to a .pfx file, but my point is that the .cer file could be installed on the published server, after which the private certificate could be exported. Since Amy said she had the .cer file, that's what I was suggesting.

Cordially yours,
Jerry G. Young II
+=+ Sent via iPhone +=+

On Nov 23, 2008, at 3:14 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

Actually, it won't. The .cer file contains only the public key.
The private key is only contained in a PFX-format file.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Sunday, November 23, 2008 10:17 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: certificate keys

The CER file will have both the public and private keys in it (since it's a compilation of the server's private key [CSR] and the certificate authority's public key). You just need to import it into the certificate store on the server the CSR for it was created on.

On Sun, Nov 23, 2008 at 11:02 AM, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I have the original cer file. But that doesn't do me much good. There's no .pfx file with it so I can't import with private keys. I could probably ask for a rekey of the certificate.

thanks,
Amy Babinchak
Harbor Computer Services | 248-850-8616
Mobile 248-890-1794
Web http://www.harborcomputerservices.net
Client Blog http://smalltechnotes.blogspot.com
Tech Blog http://securesmb.harborcomputerservices.net
Buy My House: http://www.shannonrealty.com/vassar_mls_tour.html
Are you an IT Pro? http://www.thirdtier.net

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Sunday, November 23, 2008 9:39 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: certificate keys

When does the certificate expire?
If you can't find the original PFX or CER file for the certificate, you're unfortunately not going to be able to recreate the private key for the current certificate. What you can do, however, is renew it. During renewal, you should be able to get the private key for the new certificate that way.

On Sun, Nov 23, 2008 at 7:17 AM, Amy Babinchak <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

No they aren't on this server.

thanks,
Amy Babinchak
Harbor Computer Services | 248-850-8616

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Sunday, November 23, 2008 12:01 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: certificate keys

Sorry, but no. You don't have the original PFX file?

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Saturday, November 22, 2008 4:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] certificate keys

Is there some way to create certificate keys after a certificate has been installed? When I choose export the key isn't an option. I need to regenerate it somehow.
thanks,
Amy Babinchak
Harbor Computer Services | 248-850-8616

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
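The checks Jim and Jerry walk through above (is the private key still associated with the certificate in the local machine "personal" store, was it marked exportable when the request was built, and why a bare .cer never gives a working listener) as an added PowerShell example. This is not code from the thread or from any of the participants. It assumes the PKI module shipped with Windows 8 / Server 2012 and later (so not the 2008-era servers in the thread), an elevated shell, a certificate identified by a placeholder subject CN, and a placeholder output path; the CN and path are assumptions.

```powershell
# Added example, not from the thread. Inspects a server certificate in
# Cert:\LocalMachine\My for the private-key association discussed above,
# tries certutil's store repair when only the public half (.cer) is present,
# and exports a PFX only if the key was marked exportable.
# Placeholders (assumptions, not from the thread): subject CN and PFX path.
param(
    [string]$SubjectCn = 'www.example.com',
    [string]$PfxPath   = 'C:\Temp\www.example.com.pfx'
)

$store = 'Cert:\LocalMachine\My'
$candidates = Get-ChildItem -Path $store |
    Where-Object { $_.Subject -like "CN=$SubjectCn*" }
if (-not $candidates) { throw "No certificate with CN=$SubjectCn in $store" }

# A .cer imported on a machine that never generated the CSR shows HasPrivateKey=False.
# It will bind in IIS, but the listener cannot complete a handshake without the key.
$candidates | ForEach-Object {
    '{0}  HasPrivateKey={1}  NotAfter={2:yyyy-MM-dd}' -f $_.Thumbprint, $_.HasPrivateKey, $_.NotAfter
}

$cert = $candidates |
    Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    # If this is the machine where the CSR was generated, the key pair may still be in
    # the store as an orphan; -repairstore re-links it to the certificate by serial number.
    $serial = $candidates[0].SerialNumber
    certutil -repairstore my $serial | Out-Null
    $cert = Get-Item -Path "$store\$($candidates[0].Thumbprint)"
    if (-not $cert.HasPrivateKey) {
        throw 'Private key is not on this machine and cannot be recreated; rekey or reissue the certificate.'
    }
}

# Was the key marked exportable when the request was built? A non-exportable key
# makes the export fail, which is the symptom described at the top of the thread.
$exportable = $null   # unknown (e.g. non-RSA key): let the export attempt decide
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key: export policy is a flags enum on the underlying CngKey
    $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
}
elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # Legacy CAPI key: exportability is recorded on the key container
    $exportable = $rsa.CspKeyContainerInfo.Exportable
}
if ($exportable -eq $false) {
    throw "Key for $($cert.Thumbprint) is non-exportable; request a rekey instead of copying the cert."
}

$password = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password -ChainOption BuildChain | Out-Null
"Exported $PfxPath; it contains the private key, so transfer it securely and delete it after import."
```

Run it on the server where the CSR was originally generated, not on the machine you are trying to move the certificate to; if HasPrivateKey is False everywhere and the repair does nothing, the only options left are the ones the thread lands on: renew or rekey.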