Re: Certificate Management Tools

From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 04/27/05


Date: Wed, 27 Apr 2005 10:57:35 -0600


"TC" <golemdanube@yahoo.com> writes:
> I have also determined that I do not have the ability to create such a
> certificate. I have Microsoft's selfcert.exe and the certification
> authority included with Microsoft Windows 2003 Server. With these tools,
> I can create certificates, but I have no control over the expiration
> date and I cannot export the private key (and therefore can only apply
> the certificate from the computer on which it was created).

private keys are stored in some sort of encrypted file ... totally
separate from any certificate.

at least one vendor has a virus demo where they copy an encrypted
private key file off a victim machine and break the encryption in
something like an avg. of 40-50 seconds (brute force guessing on
secret/symmetric key used to encrypt the private key file).

In PGP and SSH it is relatively trivial to identify the encrypted
private key file ... and copy it across multiple machines ... however
these implementations also make do w/o requiring public key
certificates.

quick use of search engine turns up this ssh for windows:
http://www.jfitz.com/tips/ssh_for_windows.html
http://sshwindows.sourceforge.net/
http://bmrc.berkeley.edu/people/chaffee/winntutil.html

commercial ssh web site:
http://www.ssh.com/products/tectia/

OpenSSL has an application for generating certificates
http://www.openssl.org/

also using search engine ... the first several sites
that come up about generating certificate
http://slacksite.com/apache/certificate.html
http://tirian.magd.ox.ac.uk/~nick/openssl-certs/ca.shtml
http://www.pseudonym.org/ssl/ssl_cook.html
http://www.geotrusteurope.com/support/csr/csr_apache.htm
http://www.ssl.com/support/apacheOpenSSLInstall.jsp
http://www.rajeevnet.com/crypto/ca/ca-paper.html
http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-openssl.html
http://sial.org/howto/openssl/ca/

-- 
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
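
The points in the message above (the private key lives in its own encrypted file apart from the certificate, and openssl can generate certificates) as an added example that is not part of the original post. It creates a self-signed certificate with a chosen lifetime and a separately stored, passphrase-encrypted key; the file names, the subject `example.test` and the PBKDF2 iteration count are assumptions.

```shell
#!/bin/sh
# Added example; file names, subject and iteration count are assumptions.
# Usage: make_cert ./out 365 ./passphrase.txt

# make_cert DIR DAYS PASSFILE
# Writes DIR/key.pem (encrypted PKCS#8 private key) and, separately,
# DIR/cert.pem (self-signed certificate valid for DAYS days).
make_cert() (
    umask 077                      # key material readable by owner only
    dir=$1 days=$2 passfile=$3
    # Generate the key and encrypt it in the same pipeline so the
    # plaintext key never touches disk. A high PBKDF2 iteration count
    # slows passphrase guessing against a copied key file.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
        openssl pkcs8 -topk8 -v2 aes-256-cbc -iter 200000 \
            -passout "file:$passfile" -out "$dir/key.pem" || exit 1
    # The certificate holds only the public key; its lifetime is set here.
    openssl req -new -x509 -sha256 -key "$dir/key.pem" \
        -passin "file:$passfile" -days "$days" \
        -subj "/CN=example.test" -out "$dir/cert.pem"
)

# key_matches_cert DIR PASSFILE: succeeds only if PASSFILE decrypts the
# key and the key's public half equals the one in the certificate.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/key.pem" -passin "file:$2" \
        -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# valid_for DIR SECONDS: succeeds if the certificate is still valid
# SECONDS from now.
valid_for() {
    openssl x509 -in "$1/cert.pem" -noout -checkend "$2" >/dev/null
}
```

Because `key.pem` is an ordinary file, it can be copied to another machine together with `cert.pem`; its protection then rests entirely on the passphrase and the key-derivation cost.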

