Re: Backup "pending request"?
From: Mark (mark_at_ReMoVeThIsBiTmossywell.com)
Date: Thu, 25 Sep 2003 23:34:42 +0100
"Bernard" <firstname.lastname@example.org> wrote in message
> 1) I don't think you can backup 'pending request'
> what you read is valid, you can import it in cert mmc
> and assign in IIS MMC.
> 2) I think you meant 'exportable private keys', PK is
> available on your Certsvr. Now, I believe you had
> read all the import/export kb, so do a test again.
> a) remove all cert in your cert store (local computer)
> b) apply a new one, via normal IIS MMC - pending request
> c) download the cert. and process the pending
> d) test - your https
> e) go to cert mmc - export to pfx - export the private key.
> f) open IIS MMC, remove the cert, do the same
> in cert mmc.
> g) reopen cert mmc. import the pfx..... then go to
> IIS MMC assign it.
> h) retest your https
Yes, you're right: I did mean exportable private key. (Too much late-night
posting!) I don't think I asked the question very well because what you
describe works perfectly well. What I was saying was that, ignoring IIS, if
you import a cert fresh from a CA into the cert store, you can't then export
the private key. In hindsight, this should have been obvious to me because
the request and response from the CA only contain the public key, not the
private key. I hadn't quite appreciated that the generation of a request in
itself creates the key pair. (The reason it wasn't obvious to me was because
it wasn't showing up in the key store for about a minute and I was too
impatient to wait so I assumed it wasn't there!) Now that I know how to back
up a private key _before_ I've even submitted the request to the CA, I
should be able to "recombine" (?) the private and public keys once the
public key comes back from the CA. I see that IIS MMC does this for me.
However, if I'm doing this on another server (e.g. after a server disaster),
even though I can import the private key and the public key, I've no idea
how to get them to be usable by IIS? (As I mentioned, IIS will allow the use
of a public key on its own, but without a matching private key, the SSL
Hope this makes sense!
> now, you shouldn't face any problem from these
> steps, if yes, tell us the error msg and what you
> have done.
> Bernard Cheah
> Please respond to newsgroups only ...
> "Mark" <mark@ReMoVeThIsBiTmossywell.com> wrote in message
> > Apologies for the long posting. :-)
> > I'm about to apply for a certificate for an IIS server. Whilst the CA is
> > cranking out the certificate, I'm having a play with a test certificate
> > using the _same_ web site by creating my own CA on MS Cert Authority. I
> > notice that in IIS I can only have one pending request at any time per
> > in IIS. As a test, I've tried deleting a pending request, creating a new
> > and importing the certificate from the _original_ pending request. IIS
> > doesn't like this and correctly tells me that the cert that I'm trying
> > import doesn't match the request.
> > So, question 1: how to backup a pending request, so that I can restore
> > original request and import the certificate from the original request
> > I've finished playing with test certificates?
> > I've read that this shouldn't actually be a problem because I'll get a
> > certificate and exportable public key. Apparently, I can import this
> > the certificate MMC snap-in and, if I wish, export it from there again.
> > imported, I can then assign the cert to IIS without having to worry
> > creating certificate requests. Superficially this would appear to answer
> > first question. But... when I tried this as a test using the MS CA, I
> > into a problem: It would appear that although the certificates created
> > test CA can be imported into the Certificates MMC, and indeed can be
> > configured in IIS, they don't actually work! When pointing IE to HTTPS, I
> > a schannel event log error saying "The SSL server credential's
> > does not have a private key information property attached to it". I
> > this by trying to re-export the certificate to a PKF and the PKF option
> > greyed out. Ah ha, thinks I! The certificate produced by the MS CA
> > doesn't have a public key or is not exportable (both sound a bit odd to
> > So question 2: how do I ensure that certs produced by my test CA have
> > exportable public keys? (In the whole certificate production chain,
> > doesn't seem to be a single option to ensure exportability, but all the
> > documentation on the web says "make sure the certificate is
> > Many thanks
> > Mark
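The point the thread settles (the request itself creates the key pair, the CA only ever sees and signs the public key, and a certificate is useless for SSL unless the private key is already on the box or restored from a PFX) can be reproduced with openssl on a POSIX shell. This is an added example, not code from the thread or from IIS; the host name, CA name, file names and the password "backup" are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: openssl stand-in for the IIS/Cert MMC
# steps above. Creating the request generates the key pair; only the public
# key goes to the CA; the private key must be on the box (or restored from a
# PFX backup) or the returned certificate is unusable for SSL.
set -e
WORK=$(mktemp -d)   # constructed scratch directory; all names below are made up

# Step 1: generating a request creates the key pair locally. server.key is the
# part worth backing up before the CA ever answers.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=www.example.test" 2>/dev/null
}

# Step 2: a stand-in test CA (the MS CA in the thread) signs the request.
# The CA sees only the CSR; the private key never leaves the server.
issue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/CN=Test CA" -days 30 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.crt" -days 30 2>/dev/null
}

# Does a certificate belong to a private key? Compare the public key inside
# the cert with the public half of the key. This is the check IIS makes when
# it says the cert "doesn't match the request". Prints match or mismatch.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Step 3: "recombine" the CA-issued cert with the private key into a PFX
# (PKCS#12), the file that carries both to another server after a disaster.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -out "$WORK/server.pfx" -passout pass:backup
}

# Does a PFX actually contain the private key? A cert imported on its own
# (the greyed-out export case in the thread) has none. Prints yes or no.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin pass:backup 2>/dev/null \
    | grep -q "PRIVATE KEY" && echo yes || echo no
}
```

Run make_request, issue_cert and export_pfx in that order; key_matches_cert against a freshly generated, unrelated key reports mismatch, which is the same failure IIS reports when the pending request was deleted and recreated before the original certificate came back.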