Re: Backup "pending request"?
From: Bernard (qbernard_at_hotmail.com)
Date: Sat, 27 Sep 2003 13:03:12 +0800
Now - when you get the cert from the CA,
it DOES contain both private and public key.
You have 2 - not 1.
So the same concept applies: if you have exported
the cert 'correctly', it will contain 2 keys, and
you can use it and deploy it at another server.
If for some reason you lose it, you can always
ask the CA to reissue one, with charges of course.
If you have the private key, double-click on
the cert; you will see a little note at the bottom
of the window - 'you have the associated private
keys.... bla bla'
--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

"Mark" <mark@ReMoVeThIsBiTmossywell.com> wrote in message news:firstname.lastname@example.org...
>
> "Bernard" <email@example.com> wrote in message
> news:ODz3P5ygDHA.2408@TK2MSFTNGP09.phx.gbl...
> > 1) I don't think you can backup 'pending request'
> > what you read is valid, you can import it in cert mmc
> > and assign in IIS MMC.
> >
> > 2) I think you meant 'exportable private keys', PK is
> > available on your Certsvr. Now, I believe you had
> > read all the import/export kb, so do a test again.
> >
> > a) remove all cert in your cert store (local computer)
> > b) apply a new one, via normal IIS MMC - pending request
> > c) download the cert. and process the pending
> > d) test - your https
> > e) go to cert mmc - export to pfx - export the private key.
> > f) open IIS MMC, remove the cert, do the same
> > in cert mmc.
> > g) reopen cert mmc. import the pfx..... then go to
> > IIS MMC assign it.
> > h) retest your https
>
> Yes, you're right: I did mean exportable private key. (Too much late-night
> posting!) I don't think I asked the question very well because what you
> describe works perfectly well. What I was saying was that, ignoring IIS, if
> you import a cert fresh from a CA into the cert store, you can't then export
> the private key. In hindsight, this should have been obvious to me because
> the request and response from the CA only contain the public key, not the
> private key. I hadn't quite appreciated that the generation of a request in
> itself creates the key pair. (The reason it wasn't obvious to me was because
> it wasn't showing up in the key store for about a minute and I was too
> impatient to wait so I assumed it wasn't there!) Now that I know how to back
> up a private key _before_ I've even submitted the request to the CA, I
> should be able to "recombine" (?) the private and public keys once the
> public key comes back from the CA. I see that IIS MMC does this for me.
> However, if I'm doing this on another server (e.g. after a server disaster),
> even though I can import the private key and the public key, I've no idea
> how to get them to be usable by IIS? (As I mentioned, IIS will allow the use
> of a public key on its own, but without a matching private key, the SSL
> session fails.)
>
> Hope this makes sense!
>
> Cheers
> Mark
>
> > now, you shouldn't face any problem from these
> > steps, if yes, tell us the error msg and what you
> > have done.
> >
> > --
> > Regards,
> > Bernard Cheah
> > http://support.microsoft.com/
> > Please respond to newsgroups only ...
> >
> > "Mark" <mark@ReMoVeThIsBiTmossywell.com> wrote in message
> > news:firstname.lastname@example.org...
> > > Apologies for the long posting. :-)
> > >
> > > I'm about to apply for a certificate for an IIS server. Whilst the CA is
> > > cranking out the certificate, I'm having a play with a test certificate
> > > using the _same_ web site by creating my own CA on MS Cert Authority. I
> > > notice that in IIS I can only have one pending request at any time per site
> > > in IIS. As a test, I've tried deleting a pending request, creating a new one
> > > and importing the certificate from the _original_ pending request. IIS
> > > doesn't like this and correctly tells me that the cert that I'm trying to
> > > import doesn't match the request.
> > >
> > > So, question 1: how to backup a pending request, so that I can restore the
> > > original request and import the certificate from the original request when
> > > I've finished playing with test certificates?
> > >
> > > I've read that this shouldn't actually be a problem because I'll get a
> > > certificate and exportable public key. Apparently, I can import this using
> > > the certificate MMC snap-in and, if I wish, export it from there again. Once
> > > imported, I can then assign the cert to IIS without having to worry about
> > > creating certificate requests. Superficially this would appear to answer my
> > > first question. But... when I tried this as a test using the MS CA, I ran
> > > into a problem: It would appear that although the certificates created by my
> > > test CA can be imported into the Certificates MMC, and indeed can be
> > > configured in IIS, they don't actually work! When pointing IE to HTTPS, I get
> > > a schannel event log error saying "The SSL server credential's certificate
> > > does not have a private key information property attached to it". I checked
> > > this by trying to re-export the certificate to a PFX and the PFX option is
> > > greyed out. Ah ha, thinks I! The certificate produced by the MS CA either
> > > doesn't have a public key or is not exportable (both sound a bit odd to me!).
> > >
> > > So question 2: how do I ensure that certs produced by my test CA have
> > > exportable public keys? (In the whole certificate production chain, there
> > > doesn't seem to be a single option to ensure exportability, but all the
> > > documentation on the web says "make sure the certificate is exportable".)
> > >
> > > Many thanks
> > > Mark
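The check and the backup/restore procedure the thread walks through (does the cert in the machine store have its private key attached, export it to PFX with the key, re-import it on a replacement server), as an added PowerShell example that is not part of the original thread; it assumes Windows PowerShell 5.1 or later with the PKI module, which postdates this 2003 discussion, and `$BackupDir` is a placeholder path.

```powershell
# Added example, not from the thread. Requires Windows PowerShell 5.1+ with the
# PKI module (Export-PfxCertificate / Import-PfxCertificate).
# $BackupDir is a placeholder; point it at an access-controlled location.
$BackupDir = 'C:\CertBackup'

function Backup-UsableServerCerts {
    param([string]$Dir = $BackupDir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # Prompt for the PFX password instead of hard-coding it in the script.
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) {
            # This is the state behind the schannel error quoted in the thread:
            # the cert came back from the CA but no key pair is bound to it.
            Write-Warning ("{0} [{1}]: no private key attached; IIS cannot serve SSL with it" -f $cert.Subject, $cert.Thumbprint)
            continue
        }
        $out = Join-Path $Dir ("{0}.pfx" -f $cert.Thumbprint)
        try {
            # Export cert + private key + chain. A key that was generated as
            # non-exportable fails here, which is better discovered now than
            # after a server disaster.
            Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword -ChainOption BuildChain -ErrorAction Stop | Out-Null
            Write-Output ("Backed up {0} -> {1}" -f $cert.Subject, $out)
        } catch {
            Write-Warning ("{0} [{1}]: private key present but not exportable: {2}" -f $cert.Subject, $cert.Thumbprint, $_.Exception.Message)
        }
    }
}

function Restore-ServerCert {
    # Re-import a PFX on the replacement server, keeping the key exportable so
    # the next backup still works, then verify the key really came with it.
    param([Parameter(Mandatory)][string]$PfxPath)
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX import password'
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable
    if (-not $cert.HasPrivateKey) {
        throw "Imported $($cert.Thumbprint) without a private key; IIS will not be able to use it"
    }
    # Assign this thumbprint to the site in the IIS MMC (or via the
    # WebAdministration module); the private key is now in the same store.
    $cert.Thumbprint
}
```

Run `Backup-UsableServerCerts` on the original server and `Restore-ServerCert -PfxPath <file>` on the replacement; a warning from the first function is the same condition that produces the "does not have a private key information property" event Mark reports.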