
I am fairly new to certificates in general and have set up my own standalone CA for testing purposes. I have noticed some interesting behavior of private keys which I'm trying to find some documentation on.

In Certificate Authority Console (certsvr / Windows Server)

  • If I create a certificate request marking my certificate as exportable, submit it, approve it and then export it in the certificate authority (export as binary), I am able to export it with the private key. However, I can only do it once. The next time I try it again, the private key is no longer there. Is this correct? Is the private key always included only on the first export?

  • When importing a certificate with a private key, whether using certutil or the mmc snap-in, sometimes I notice that the file I exported from is no longer valid. So now, to make sure I don't lose the key in the file, I always create a copy first.

I seem to keep losing the private key. I've often saved files (.pfx) and imported them, deleted the certificate in my store, only to find out that the same file doesn't have a private key anymore when I try to import it again. This is okay for now since I'm just using this for testing, but if anyone has a detailed understanding of how this works then that would be great.

MichaelChan
    I'm confused - why would the CA have the cert's private key? – Neil Smithline Jan 06 '16 at 05:12
  • When I created the Certificate Request, I marked it as "Make Private Key Exportable". So when I go to my CA and export the issued certificate, it contains the private key. This is what I use to install it in the client machine. – MichaelChan Jan 06 '16 at 20:05
    So you are including the private key in the cert request? Why are you doing that? At least in the non-MS world, that is a peculiar thing to do. Perhaps you're running into some MS-specific weirdness? – Neil Smithline Jan 06 '16 at 21:40
  • As I understand, if I am doing a 2 way SSL handshake, as the client, my installed certificate should have the private key right? Otherwise, I get an exception like "ssl connection could not be established". Or should that not be the case? Also, when installing certificate particularly in IIS, I can't install it unless it is in pfx format which would have the private key. – MichaelChan Jan 06 '16 at 21:48
  • The client needs the public key, but not the CA. I had never heard of sending the private key to the CA but, based on your comment, I googled "Make Private Key Exportable" and see that it is an MS thing. I don't know why it exists. – Neil Smithline Jan 06 '16 at 21:50
  • Agree, I don't have any problems with the CA not having the private key. To be clear, what I'm exporting from the Certificate Authority (certsvr) is the issued client certificate. I'll update my question further to make clear this is the case. – MichaelChan Jan 07 '16 at 00:57
  • @NeilSmithline There are cases where private key recovery is useful, e.g. when the key is used to encrypt emails or backups. In those cases, a lost key would render the data irrecoverable, so having it available from the CA would be useful. But apart from those cases, the CA shouldn't have or need to have the private key. (Key recovery is available in other CA platforms as well, e.g. EJBCA.) – Jenny D Apr 08 '16 at 11:12

2 Answers

One of the important details that I discovered about exporting and importing private keys in a Windows Server Certificate Authority scenario is that it is important that the certificate request is made on the same machine where you will be importing the request. This is why there were some instances where, after importing the certificate, the private key is not present. This is common since I was playing around with a stand-alone server.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/66f1181b-7a51-4943-949e-933b94b5f712/how-do-i-create-certificate-w-private-key-with-my-standalone-ca?forum=winserversecurity

I have found some documentation regarding key archival and retrieval, but it is only relevant if you are using an enterprise CA.

https://technet.microsoft.com/en-us/library/cc781351(v=ws.10).aspx

MichaelChan

Is the private key always included only on the first export?

No. Unless you selected the Delete the private key if the export is successful option on the first export.

(export as binary)

What do you mean? Do you mean that you selected the option named DER encoded binary X.509 (.CER)? Windows only exports private keys to files of type .PFX.

file I exported from is no longer valid.

That sounds terrible. And is unlike anything I have ever heard before. Are you sure? Could you make sure by comparing the files with a checksum utility?

StackzOfZtuff
  • I'm referring to the Certificate Authority console (certsvr) in Windows Server in the question and not the certificate store snap-in that we usually use to install / export certificates. – MichaelChan Jun 08 '16 at 01:22
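As an added example (not code from either answer), a PowerShell script that checks the two things raised in this thread: StackzOfZtuff's suggestion to checksum the .pfx before and after import, and the first answer's point that the imported certificate only has a usable private key when the request was generated on the importing machine. The file path and export password are assumptions.

```powershell
# Added example: verify a .pfx carries a private key, confirm the file is not
# rewritten by an import, and check that the installed copy has a bound key.
param(
    [string]$PfxPath  = 'C:\certs\client.pfx',   # assumed path to the exported PFX
    [string]$Password = 'ExportP@ss'             # assumed export password
)

function Get-PfxKeyInfo {
    param([string]$Path, [string]$Pwd)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Pwd, $flags)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # $false means the PFX holds only the public cert
        Sha256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$before = Get-PfxKeyInfo -Path $PfxPath -Pwd $Password
$before | Format-List

# Import into the machine store. A PFX import only reads the file; if the hash
# changes afterwards, something else on the box is rewriting it.
$secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure | Out-Null

$after = Get-PfxKeyInfo -Path $PfxPath -Pwd $Password
if ($before.Sha256 -ne $after.Sha256) {
    Write-Warning "PFX file changed on disk during import ($($before.Sha256) -> $($after.Sha256))"
} else {
    "PFX file unchanged (SHA256 $($after.Sha256))"
}

# Check the installed copy. HasPrivateKey = $false here means no key is bound to
# this certificate on this machine, e.g. the request was generated elsewhere.
$installed = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $before.Thumbprint } | Select-Object -First 1
"Installed copy: HasPrivateKey=$($installed.HasPrivateKey)"

# certutil shows the key container and provider when a key is actually bound
certutil -store My $before.Thumbprint | Select-String 'Key Container', 'Provider'
```

Run it from an elevated prompt, since it writes to the LocalMachine store; a PFX that reports HasPrivateKey = $false at the first step never contained a key, so no later import or deletion could have removed it.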