Re: How do you associate private key with import cert?

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 04/09/03

    From: "Michel Gallant (MVP)" <neutron@istar.ca>
    Date: Wed, 9 Apr 2003 09:38:27 -0400
    
    

    Various WinOS store private keys somewhat differently, but for
    Win2000, the following is a good description:

    http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prdd_sec_grhc.asp
    (section "How Private Keys are Stored")

    The "MY" store is the capi formal name for the alias "Personal" which
    IE certificates panel and Certs snapin use.
    One difference between certs displayed in Certs snapin and the IE certificates
    panel is that the IE display is filtered (i.e. in MY store, only certs with private
    keys and with other characteristics are shown ... don't know the details).
    Certs snap-in should show ALL certs in all stores for CU or LM locations (depending
    on snapin being used).

    In Certs snapin, Certificates | Details
    select "Export to File"
    and select to include the private key (only possible if the private key has
    been marked as exportable when the key-pair was generated) and this
    will generate a .pfx file (pkcs#12 format).

     - Mitch

    "Gavin Bray" <gavin@keytech.com.au.nospam> wrote in message
    news:urFaYwn$CHA.2208@TK2MSFTNGP12.phx.gbl...
    > Mitch
    >
    > I want to generate and store a cert and private key so I can use them to
    > sign a web service soap message using the .NET web services extensions (ie.
    > I need access to the cert and private key). Where does the makecert command
    > I used (below) store the private key? What's the MY store you refer to?
    > Should I be able to see this store using the Certificates snap-in? How do
    > you export into pkcs#12 format? Using the Certificates snap-in I can see
    > where you can export using pkcs#7 but not pkcs#12. I just need to know the
    > sequence to create a cert and import it and its private key into a cert
    > store (current user) so I can then use it to generate signatures.
    >
    > Thanks for your assistance
    > Gavin
    >
    > "Michel Gallant (MVP)" <neutron@istar.ca> wrote in message
    > news:OkUexKe$CHA.2396@TK2MSFTNGP12.phx.gbl...
    > > Your command below should generate a new certificate (in MY store)
    > > with associated private key.
    > > If you wish to export the cert. and private key to a new store, you
    > > need to mark the private key as exportable, with -pe switch.
    > > To export the cert plus private key, you EXPORT the certificate, and
    > > include the private key, into a password protected encrypted .pfx (pkcs#12)
    > > file format. On win32, with this format, you can easily import the keys/cert
    > > into any other key store.
    > >
    > > Are you talking about importing the cer file (which never contains
    > > the private key) to another computer? or to another store on the same
    > > computer as that where the cert was originally generated?
    > >
    > > - Mitch
    > >
    > > "Gavin Bray" <gavin@keytech.com.au.nospam> wrote in message
    > > news:OzB7T#Z$CHA.1952@TK2MSFTNGP12.phx.gbl...
    > > > I created a certificate using the makecert.exe that comes with VS.NET
    > > > (v5.131.2157.1).
    > > >
    > > > I used makecert -n "cn=me,o=mycompany,c=us" -r mycert.cer
    > > >
    > > > I then opened up the Certificates MMC snap-in and imported the cer file into
    > > > the Personal certificates store. This worked correctly but when I open the
    > > > cert entry in the store it doesn't indicate any private key.
    > > >
    > > > I then used "Request Certificate with same key" which fails with a "cannot
    > > > contact the active directory" error. However if I now open the cert entry in
    > > > the store it now says "You have a private key that corresponds to this
    > > > certificate". I can also now access this private key programmatically.
    > > >
    > > > How are you supposed to include the private key when importing the
    > > > certificate into the key store?
    > > >
    > > > The way I did it above works but I can't believe this is the correct way to
    > > > do it.
    > > >
    > > > Thanks
    > > > Gavin Bray
    > > >
    > > >
    > >
    > >
    >
    >
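
Added example, not part of the original thread: the create/export sequence discussed above, run on a current Windows system with PowerShell's `New-SelfSignedCertificate` swapped in for makecert. It exports the same certificate as .cer and as .pfx and loads each file on its own to show which one carries the private key; the file names and the prompted password are assumptions, and the subject is the one from the thread.

```powershell
# Added example: file names and password prompt are assumptions, not from the thread.
$ErrorActionPreference = 'Stop'
$subject = 'CN=me, O=mycompany, C=US'      # subject used in the thread's makecert command
$cerPath = Join-Path $env:TEMP 'mycert.cer'
$pfxPath = Join-Path $env:TEMP 'mycert.pfx'
$pfxPass = Read-Host -AsSecureString -Prompt 'Password for the .pfx file'

# 1. Create a self-signed certificate in CurrentUser\MY ("Personal") and mark
#    the private key exportable (the role the -pe switch plays for makecert).
$cert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy Exportable -KeyUsage DigitalSignature

# 2. Export twice: certificate only (.cer) and certificate plus key (.pfx, PKCS#12).
Export-Certificate    -Cert $cert -FilePath $cerPath | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null

# 3. Load each file directly, without importing into any store, and compare.
$typeName = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$fromCer  = New-Object $typeName -ArgumentList $cerPath
$fromPfx  = New-Object $typeName -ArgumentList $pfxPath, $pfxPass

$report = foreach ($item in @(
        @{ Source = 'MY store entry'; Cert = $cert    },
        @{ Source = '.cer file';      Cert = $fromCer },
        @{ Source = '.pfx file';      Cert = $fromPfx })) {
    [pscustomobject]@{
        Source        = $item.Source
        Thumbprint    = $item.Cert.Thumbprint
        HasPrivateKey = $item.Cert.HasPrivateKey
    }
}
$report | Format-Table -AutoSize

# 4. Clean up the test material: release the loaded key, delete the files, and
#    remove the store entry together with its private key.
$fromPfx.Reset()
Remove-Item $cerPath, $pfxPath
Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

All three rows share one thumbprint; only the `HasPrivateKey` column differs, which is why importing the .cer file alone leaves the store entry without a key.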

