Re: Backup "pending request"?

From: Bernard (qbernard_at_hotmail.com)
Date: 09/27/03


Date: Sat, 27 Sep 2003 13:03:12 +0800


Now, when you get the cert from the CA,
it DOES contain both private and public key.
You have 2, not 1.

So the same concept applies: if you have exported
the cert 'correctly', it will contain 2 keys, and
you can use it and deploy it at another server.

If for some reason you lose it, you can always
ask the CA to reissue one, with charges of course.

If you have the private key, double-click on
the cert and you will see a little note at the bottom
of the window: 'you have the associated private
key.... bla bla'

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...
"Mark" <mark@ReMoVeThIsBiTmossywell.com> wrote in message
news:3f736d83$0$8763$cc9e4d1f@news.dial.pipex.com...
>
> "Bernard" <qbernard@hotmail.com> wrote in message
> news:ODz3P5ygDHA.2408@TK2MSFTNGP09.phx.gbl...
> > 1) I don't think you can back up a 'pending request'.
> > What you read is valid: you can import it in the cert MMC
> > and assign it in the IIS MMC.
> >
> > 2) I think you meant 'exportable private keys'. The PK is
> > available on your Certsvr. Now, I believe you had
> > read all the import/export KBs, so do a test again.
> >
> > a) remove all certs in your cert store (local computer)
> > b) apply for a new one, via the normal IIS MMC - pending request
> > c) download the cert and process the pending request
> > d) test your https
> > e) go to the cert MMC - export to PFX - export the private key
> > f) open the IIS MMC, remove the cert, do the same
> > in the cert MMC
> > g) reopen the cert MMC, import the PFX, then go to the
> > IIS MMC and assign it
> > h) retest your https
>
> Yes, you're right: I did mean exportable private key. (Too much late-night
> posting!) I don't think I asked the question very well because what you
> describe works perfectly well. What I was saying was that, ignoring IIS, if
> you import a cert fresh from a CA into the cert store, you can't then export
> the private key. In hindsight, this should have been obvious to me because
> the request and response from the CA only contain the public key, not the
> private key. I hadn't quite appreciated that the generation of a request in
> itself creates the key pair. (The reason it wasn't obvious to me was because
> it wasn't showing up in the key store for about a minute and I was too
> impatient to wait so I assumed it wasn't there!) Now that I know how to back
> up a private key _before_ I've even submitted the request to the CA, I
> should be able to "recombine" (?) the private and public keys once the
> public key comes back from the CA. I see that IIS MMC does this for me.
> However, if I'm doing this on another server (e.g. after a server disaster),
> even though I can import the private key and the public key, I've no idea
> how to get them to be usable by IIS. (As I mentioned, IIS will allow the use
> of a public key on its own, but without a matching private key, the SSL
> session fails.)
>
> Hope this makes sense!
>
> Cheers
> Mark
>
>
>
> >
> > Now, you shouldn't face any problem with these
> > steps; if you do, tell us the error msg and what you
> > have done.
> >
> >
> > -- 
> > Regards,
> > Bernard Cheah
> > http://support.microsoft.com/
> > Please respond to newsgroups only ...
> >
> >
> >
> > "Mark" <mark@ReMoVeThIsBiTmossywell.com> wrote in message
> > news:3f720bfb$0$247$cc9e4d1f@news.dial.pipex.com...
> > > Apologies for the long posting. :-)
> > >
> > > I'm about to apply for a certificate for an IIS server. Whilst the CA is
> > > cranking out the certificate, I'm having a play with a test certificate
> > > using the _same_ web site by creating my own CA on MS Cert Authority. I
> > > notice that in IIS I can only have one pending request at any time per
> > > site in IIS. As a test, I've tried deleting a pending request, creating a
> > > new one and importing the certificate from the _original_ pending
> > > request. IIS doesn't like this and correctly tells me that the cert that
> > > I'm trying to import doesn't match the request.
> > >
> > > So, question 1: how to back up a pending request, so that I can restore
> > > the original request and import the certificate from the original
> > > request when I've finished playing with test certificates?
> > >
> > > I've read that this shouldn't actually be a problem because I'll get a
> > > certificate and exportable public key. Apparently, I can import this
> > > using the certificate MMC snap-in and, if I wish, export it from there
> > > again. Once imported, I can then assign the cert to IIS without having to
> > > worry about creating certificate requests. Superficially this would
> > > appear to answer my first question. But... when I tried this as a test
> > > using the MS CA, I ran into a problem: it would appear that although the
> > > certificates created by my test CA can be imported into the Certificates
> > > MMC, and indeed can be configured in IIS, they don't actually work! When
> > > pointing IE to HTTPS, I get a schannel event log error saying "The SSL
> > > server credential's certificate does not have a private key information
> > > property attached to it". I checked this by trying to re-export the
> > > certificate to a PFX and the PFX option is greyed out. Ah ha, thinks I!
> > > The certificate produced by the MS CA either doesn't have a public key or
> > > is not exportable (both sound a bit odd to me!).
> > >
> > > So question 2: how do I ensure that certs produced by my test CA have
> > > exportable public keys? (In the whole certificate production chain,
> > > there doesn't seem to be a single option to ensure exportability, but all
> > > the documentation on the web says "make sure the certificate is
> > > exportable".)
> > >
> > > Many thanks
> > > Mark
> > >
> > >
> > >
> >
> >
>
>
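
The round trip the thread argues about, as an added example that is not part of any post above and not Microsoft's code. It uses the PowerShell PKI cmdlets (Windows 8.1 / Server 2012 R2 and later) instead of the 2003-era MMC wizards, and a self-signed certificate created straight into the machine store stands in for the CA-issued one; with a real CA the key pair is generated when the request is created (the IIS wizard's "mark keys as exportable" option, or `Exportable = TRUE` in a certreq INF) and the CA's response is accepted into the same store, which is what links certificate to key. The host name, PFX password, temp paths and the "Default Web Site" binding are assumptions for the demo. Run it in an elevated PowerShell.

```powershell
# Added example (not from the thread). Shows that a .cer / CA response
# carries only the public half, that a PFX carries certificate + private key,
# and how to check the "private key" property schannel and IIS need.
$ErrorActionPreference = 'Stop'

$DnsName  = 'www.example.test'                                          # assumption
$Password = ConvertTo-SecureString 'Pfx-Pa55w0rd!' -AsPlainText -Force  # demo only
$Work     = Join-Path $env:TEMP 'cert-demo'                             # assumption
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Get-KeyStatus {
    # HasPrivateKey is the programmatic form of the dialog note
    # "You have a private key that corresponds to this certificate".
    # It must be True on the server, or the TLS handshake fails.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
    }
}

# 1. Key pair and certificate land in LocalMachine\My, key marked exportable.
#    (Stand-in for: create request in IIS -> CA signs -> process pending request.)
$orig = New-SelfSignedCertificate -DnsName $DnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable -KeyAlgorithm RSA -KeyLength 2048
Get-KeyStatus $orig          # HasPrivateKey = True

# 2. What a CA response or a plain .cer export contains: the public half only.
$cerPath = Join-Path $Work "$DnsName.cer"
Export-Certificate -Cert $orig -FilePath $cerPath | Out-Null

#    Importing that .cer on a machine that never held the key (the CurrentUser
#    store stands in for "the other server") gives the situation Mark hit:
#    the cert is present, IIS will accept it, but there is no key behind it.
$pubOnly = Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\My'
Get-KeyStatus $pubOnly       # HasPrivateKey = False
Remove-Item "Cert:\CurrentUser\My\$($pubOnly.Thumbprint)"   # discard the useless copy

# 3. The backup that works: PFX = certificate + private key, password protected.
$pfxPath = Join-Path $Work "$DnsName.pfx"
Export-PfxCertificate -Cert $orig -FilePath $pfxPath -Password $Password | Out-Null

# 4. Restore on the other server and confirm the key came along.
$restored = Import-PfxCertificate -FilePath $pfxPath -Password $Password `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Exportable
Get-KeyStatus $restored      # HasPrivateKey = True

# 5. Assign to IIS (only when IIS and its WebAdministration module exist).
#    In production the PFX would of course be imported into LocalMachine\My.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $site = 'Default Web Site'                                          # assumption
    $cert = Get-Item "Cert:\LocalMachine\My\$($orig.Thumbprint)"
    if (-not (Get-WebBinding -Name $site -Protocol https)) {
        New-WebBinding -Name $site -Protocol https -Port 443
    }
    if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') {
        Remove-Item 'IIS:\SslBindings\0.0.0.0!443'
    }
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Clean up the demo copy; the original stays in LocalMachine\My so the
# certificate dialog's private-key note can be inspected.
Remove-Item "Cert:\CurrentUser\My\$($restored.Thumbprint)" -ErrorAction SilentlyContinue
```

Two practical notes. If a certificate imported from the CA's response shows `HasPrivateKey = False` on the machine where the request was generated, the key is usually still in the key store and only the link is missing; `certutil -repairstore my <serial-number>` re-attaches it (this is what processing the pending request, or `certreq -accept`, does for you). And because the PFX file is the private key, treat the file and its password as you would the key itself: store it offline, and re-key rather than reuse if it is ever exposed.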

