Re: Private key generation

As I wrote in my first answer to that thread - there are many situations when key pair is generated on trusted server. Some encryption schemes (like f.e. identity based encryption) simply requires generation of private key on server (which in latter case is serving role of key distribution center)... however one of the major reasons is that on corporate networks it is important to have reliable key escrow mechanisms. Whatever you produce while you are working for a company is an asset of that company and company must have guaranteed access to their assets...
High assurance keys (especially these that afterward are split in multiple shares using secret sharing schemes) may also require use of specialized equipment and computers that runs in a tempest/EM shielded locations. Plus many more reasons...
Microsoft certificate server could support such scenarios, but requires third-party CSPs and custom policy/exit modules. Default scenario supported by Microsoft Certificate Server is the most standard CA mode when CA just signs X509 certificate with emedded public keys.

-Valery.
http://www.harper.no/valery

"Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx> wrote in message news:%237fwtMkPGHA.428@xxxxxxxxxxxxxxxxxxxxxxx
Actually ... there are SOME models where the RSA key pair IS generated
on the server (some company in Texas, I believe do that!) ..
designed for roaming profiles or something ..
I guess the idea is that the company deploying that service can GUARANTEE
to store the private keys (and distribute them on demand) to the clients as
needed .. notwithstanding the issues with big-brother peeking at allo those "secured"
server private keys!
- Mitch Gallant

"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message news:%23e$SSBkPGHA.3728@xxxxxxxxxxxxxxxxxxxxxxx
Probably... I agree that it could be a bit misleading, but nevertheless this bullet is correct, esp. if we cite it completely and reflect what it actually means :-)

"Generating a private key and distributing it to the requester's protected certificate store (CryptoAPI and cryptographic service providers)."

-Valery.
http://www.harper.no/valery

"Mitch Gallant" <jensigner@xxxxxxxxxxxxxxxx> wrote in message news:uQGWr5jPGHA.2828@xxxxxxxxxxxxxxxxxxxxxxx
I think the OP was referring to this bullet:
.. " Generating a private key and distributing it to the requester's protected certificate store "
which is a bit misleading.
That is the client part of the service ... which does generate the private key (locally) and
installs it to the local "protected certificate store" ..
which probablyl means DPAPI secured storage in a capi "keycontainer" file.

- Mitch Gallant
MVP Security

"Valery Pryamikov" <valery@xxxxxxxxx> wrote in message news:uqZgmFjPGHA.2124@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
you have probably misread the article to which you are referring in your post. I've searched the article for occurrences of word "private" and the only place where they mistakenly used it instead of "public" was when they described what information about allocated certificates are archived on CA... but otherwise the article always states that private keys are generated by certificate requestors...
However, there are plenty situations when generation of private key on trusted server makes a perfect sense and is actually done that way. Such situations may vary from generation of high assurance private keys, enrolling private keys on tamper resistant devices, enterprise key escrow schemes, identity based encryption and many others.

-Valery.
http://www.harper.no/valery


"Francesco" <Francesco@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:544AB09C-D174-4E82-B242-3B669B9BA97D@xxxxxxxxxxxxxxxx
Hi,
I've read that in a certificate request the private key is generated by CA
and then sent to requester.

(http://technet2.microsoft.com/WindowsServer/en/Library/d7cd44f4-b39a-4d35-bb56-a239f72b7e4c1033.mspx)

Is this correct?
I believe that private and public keys are created by client (maybe csp) and
then, the public key, sent to the CA. In this way private key never pass
trougth the net.

Any suggestion?

Thanks

Francesco










.

Relevant Pages

  • Re: Certificate key access under Network Service in IIS 6
    ... Haven't done that because I've been remoted in to the customer's server. ... It is likely the private key file but might be a registry key as well. ... I can get the signing process to work if I have the IIS Application Pool configured to run under SYSTEM but running under the preferred NETWORK SERVICE account the private key access of the certificate fails. ...
    (microsoft.public.dotnet.security)
  • Re: How to use certificates?
    ... I expect that server will know the client public key, ... > private key for that certificate. ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: trouble using SSL on WSUS
    ... clients according to the deployment guide. ... I configured the client to use the WSUS server through https. ... Schemes used: ... I've read on serveral sites that the server certificate has to be imported ...
    (Focus-Microsoft)
  • Re: Client Certificates Issue
    ... "Active Directory User Objects" where the certificate is available, ... the Store Name for that store or, how can I access it using C#.Net code? ... not on your server. ... of the private key for the certificate they provided to the server. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: IIS 6.0 SSL Certificate Difficulties
    ... that is just a plain text file with encrypted detail of your server detail. ... do you export the private key as well? ... > certificate from the IIS Snap-in it says that "You have a private key that ... > Another symptom is that when we create the request on the 2003 server, ...
    (microsoft.public.inetserver.iis)