[isapros] Re: certificate keys

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2008 05:49:49 -0800

Amy's problem is almost as you described in ".. private key doesn't exist there 
and so the traffic cannot be decrypted ..", except that traffic was never 
encrypted to begin with.

CSR: Certificate Signing Request.  This is a file which defines the operational 
aspects of the certificate to be issued.  It contains no keys or anything else 
of operational value.

CER file: this contains the issued certificate, including the public key used 
to sign it.

PFX: this is a certificate file which includes both public and private keys.

When an application (such as the IIS weirdzard) builds a cert request, it 
generates the private key and stores it in the CAPI store.  This location is 
dependent on how the app is written, but the IIS cert weirdard stores it in the 
local machine "personal" (or "my") store.  This key remains in this store until 
destroyed.  When you export the certificate which was issued based on the CSR 
created with reference to the private key, you generate a special file (PFX in 
most cases).  When this file is created, the cert manglement MMC offers you the 
ability to say "private key is not exportable".

Likewise, simply copying a certificate from the machine where it was requested 
to another machine will not provide a functional SSL listener because (as in 
Amy's case), the private key does not automatically travel with the certificate 
itself.  If the certificate was originally issued as "private key not 
exportable", then you have to get the cert rekeyed (again, as Amy did).  The 
computer cert vs. web server cert is a good point; the cert should have that 
information contained in it.

Jim
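
A check that follows from Jim's explanation, added here as an example and not part of the thread: it inspects one certificate in the local machine "Personal" store and reports whether the private key is present and exportable, what EKU it carries, and which enterprise-CA template (if any) issued it. The thumbprint is a placeholder; the cmdlets and .NET calls are standard Windows ones, run from an elevated PowerShell on the server.

```powershell
# Inspect a cert in LocalMachine\My for the private-key and template properties
# discussed in the thread. $Thumbprint is a placeholder to be replaced.
param([string]$Thumbprint = "<PLACEHOLDER-THUMBPRINT>")

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

"Subject       : $($cert.Subject)"
"Expires       : $($cert.NotAfter)"

# A .cer imported on a machine other than the one that built the CSR shows
# HasPrivateKey = False: the key stayed in the requesting machine's store, which
# is why an SSL listener bound to that cert cannot complete a handshake.
"HasPrivateKey : $($cert.HasPrivateKey)"

if ($cert.HasPrivateKey) {
    # CAPI (CSP) keys report exportability via CspKeyContainerInfo; CNG keys via ExportPolicy.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        "Exportable    : $($rsa.CspKeyContainerInfo.Exportable)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        "Exportable    : $($rsa.Key.ExportPolicy -ne 'None')"
    }
}

# Enhanced Key Usage (2.5.29.37): a web server cert lists Server Authentication
# (1.3.6.1.5.5.7.3.1); a cert from the Computer template may carry other usages too.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) { "EKU           : $($eku.Format($false))" }

# Enterprise CA template: v1 template name (1.3.6.1.4.1.311.20.2) or v2 template
# information (1.3.6.1.4.1.311.21.7). Public CAs do not populate either.
$tmpl = $cert.Extensions |
    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
if ($tmpl) { "Template      : $($tmpl.Format($false))" }
else       { "Template      : (none; not issued from an enterprise-CA template)" }
```

If HasPrivateKey is False on the very machine where the CSR was generated, the key is usually still in the store and `certutil -repairstore my <thumbprint>` re-links it to the installed certificate; on any other machine the only fixes are importing the PFX or rekeying, as the thread concludes.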


From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Monday, November 24, 2008 5:07 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: certificate keys

Hmm...

All right... answered my own questions.  The CSR simply provides the public 
information required by the CA to generate the CER, which just holds the public 
key of the certificate.  During generation of the CSR, however, the private key 
is created on the server that generated it - it just isn't shared (like I 
incorrectly thought it was) via the CSR.

Interestingly enough, the .cer file can be installed on another system and even 
configured to be used with a website.  Attempts to browse that website, 
however, will fail - browser just keeps throwing "cannot establish connection" 
errors. I'm guessing this is because the private key doesn't exist there and so 
the traffic cannot be decrypted.

Now, as to why the certificate Amy was trying to export would not allow her to 
do so, the only time I've seen that scenario is when the certificate is based 
off the Computer Certificate Template instead of the Web Server Certificate 
Template (assuming internal CA - don't think public CAs populate this field) or 
you are viewing the certificates remotely through the Certificates MMC.

Thanks for putting up with my muddling. :)
On Sun, Nov 23, 2008 at 6:05 PM, Jerry G. Young II 
<jerrygyoungii@xxxxxxxxx> wrote:
Jim,

I'm missing something, then.  If the .cer file is just the public key of the 
certificate authority, why would you be able to view the certificate on a 
system where the private key didn't exist (as CSR)?  For that matter, why is 
the CSR required if you're just getting the public key in return?

I had always thought the .cer file was the pairing of the server's private key 
with the certificate authority's public key?  Granted, to move that certificate 
between servers you need to export to a .pfx file but my point is that the .cer 
file could be installed on the published server, after which the private 
certificate could be exported.

Since Amy said she had the .cer file, that's what I was suggesting.


Cordially yours,
Jerry G. Young II
+=+ Sent via iPhone +=+


On Nov 23, 2008, at 3:14 PM, Jim Harrison 
<Jim@xxxxxxxxxxxx> wrote:
Actually, it won't.  The .cer file contains only the public key.
The private key is only contained in a PFX-format file.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Sunday, November 23, 2008 10:17 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: certificate keys

The CER file will have both the public and private keys in it (since it's a 
compilation of the server's private key [CSR] and the certificate authority's 
public key).  You just need to import it into the certificate store on the 
server the CSR for it was created.


On Sun, Nov 23, 2008 at 11:02 AM, Amy Babinchak 
<amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

  I have the original cer file. But that doesn't do me much good. There's no 
.pfx file with it so I can't import with private keys.

  I could probably ask for a rekey of the certificate.

  thanks,

  Amy Babinchak
  Harbor Computer Services | 248-850-8616
  Mobile 248-890-1794
  Web   http://www.harborcomputerservices.net
  Client Blog   http://smalltechnotes.blogspot.com
  Tech Blog   http://securesmb.harborcomputerservices.net
  Buy My House: http://www.shannonrealty.com/vassar_mls_tour.html
  Are you an IT Pro?  http://www.thirdtier.net



  From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
  Sent: Sunday, November 23, 2008 9:39 AM
  To: isapros@xxxxxxxxxxxxx
  Subject: [isapros] Re: certificate keys

  When does the certificate expire?
  If you can't find the original PFX or CER file for the certificate, you're 
unfortunately not going to be able to recreate the private key for the current 
certificate.
  What you can do, however, is renew it.  During renewal, you should be able to 
get the private key for the new certificate that way.

  On Sun, Nov 23, 2008 at 7:17 AM, Amy Babinchak 
<amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

  No they aren't on this server.


  thanks,

  Amy Babinchak

  -----Original Message-----
  From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
  Sent: Sunday, November 23, 2008 12:01 AM
  To: isapros@xxxxxxxxxxxxx
  Subject: [isapros] Re: certificate keys

  Sorry, but no.
  You don't have the original PFX file?

  -----Original Message-----
  From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
  Sent: Saturday, November 22, 2008 4:23 PM
  To: isapros@xxxxxxxxxxxxx
  Subject: [isapros] certificate keys

  Is there some way to create certificate keys after a certificate has been 
installed? When I choose export the key isn't an option. I need to regenerate 
it somehow.

  thanks,

  Amy Babinchak

  --
  Cordially yours,
  Jerry G. Young II
  Microsoft Certified Systems Engineer