Re: Private & Public Key storage location
- From: Vicky <Vicky@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 1 Jun 2006 08:04:02 -0700
Thanks Bernard For being there & sharing your experience & Knowledge.
There's something thats going in my mind, & wanted to explore & Experiment
more on it. So I wished I knew the file system path to the public & private
keys.
Vicky
"Bernard Cheah [MVP]" wrote:
I should have been more specific, the 'certificate' is not consider a.
certificate until is signed and INSTALLED at the machine generating the CSR,
with that you complete the 'certificate' to have both public and private key
in your certificate store.
You are referring to the signed 'electronic doc' while I'm focusing on the
'completed' certificate. To view the complete cert, you access the cert mmc,
and you will see the 'You have the private key that corresponds to this
certiticate', else this is just a pubic cert that the public key can be
obtain via CA.
I'm not aware of the actual system or file path of the certificate. It is
typically acces via certificate store using the certificate snap-in in MMC,
and you do your import and export in this interface rather than find the
'content' and back it up.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"Vicky" <Vicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:06A64629-3724-4951-95C1-D160327ADF23@xxxxxxxxxxxxxxxx
Its difficult for me to digest as to what you say
"b) CA will need to sign it and the generate it. and they have to be
trusted.
Keyword is 'trusted'. When you got the server cert file, it containts both
public and private keys. You will see 'You have the private key that
corresponds to this certiticate' when you view the cert."
well my understanding is that,
when the website makes a request for cert, it first generates a key pair
at
its end & send only the public key to the CA along with the other websites
details in the request. The CA never know the private key of the website.
Well then the CA creates a electronic doc, we call as the webserver cert
in
which it embedds the websites Public key & signs the cert with its own
digital signature.
The cert does not have the private key of the website. It is never
disclosed
to anyone except the website itself.
After the cert is installed on the website & SSL enabled, Next when the
client connects to the website, the server cert is sent to the client for
verification. The client first verfies the digital signature of the CA in
the
cert with the local Browser cert database. After the verification the
client
generates a session key that it encrypts using the public key of the
website
& the encrypted session key is sent to the website.
At the website end, upon receiving the encrypted session key, the website
uses its private key to decrypt it & now both the client & server have
something in common & that is the session key. The actual data tran/recp
uses
the session key for encryption/decryption at both the ends.
The session key is discarded by both the client & server upon termination
of
the session.
When you view the cert it does say that 'You have the private key that
corresponds to this certiticate' but it is not in the cert nor is it sent
to
the webserver by the CA. The private key was generated by the website & is
stored on the local machine, never disclosed & sent anywhere, unless we
choose to export, in order to save it.
I just wanted to know the file system path where I can find the
Private/public key stored in IIS windows 2003 server.
"Bernard Cheah [MVP]" wrote:
Alright -
a) when client connect to the SSL site, this is what's going on. Keys are
NOT sent, it just uses to encrypt and decrypt. client use the public key
to
encrypt and server uses its private keys to decode.
Description of the Secure Sockets Layer (SSL) Handshake
http://support.microsoft.com/?id=257591
b) CA will need to sign it and the generate it. and they have to be
trusted.
Keyword is 'trusted'. When you got the server cert file, it containts
both
public and private keys. You will see 'You have the private key that
corresponds to this certiticate' when you view the cert.
c) Yes, and if that's the server cert issued from CA for your host server
authentication, it will has the private key as well. not to forgot some
other detail like the key usage (server or client auth), version, etc.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"Vicky" <Vicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:10DCF32E-7956-4260-937A-255FA1E97B2E@xxxxxxxxxxxxxxxx
Dear Bernard,
As you say " To me, the issued cert from a trusted CA, contains both
public/private keys."
I would like to ask the following.
A] If the cert from a CA contains both public/private key & the cert is
then
installed for your website, it will be sent to all the clients who
connect
to
that website. This way, the private key of the website is revealed to
the
client & the purpose of achieving transaction level security is
defeated.
B] If the CA is going to generate/derive/create a private key for my
web
site, then what is private about the private key? I think the private
key
for
my website is & should only be know to my website & not to anyone else,
not
even the CA.
C] I believe that a website cert contains the following important
components
embedded (Correct me if I am wrong)
1] Issued to 2] issued by 3] validity 4] purpose 5] digital signature
of
CA
6] public key of the website
Regards
Vicky
"Bernard Cheah [MVP]" wrote:
Well, I guessed it all depends on the discussion context.
Typically - CSR is encoded ASCII text with requested identification of
the
computer, you can 'said' that public key is there, yes it is there,
you
can
also 'said' private key is also there, coz it will 'derive' or
'generate'
from it by the CA.
In normal context, typically CSR don't associate with public or
private
keys, because you can't really use it yet.
It will become 'valid' once the CA has signed and generate the real
certificate, then the concept of public/private key popup.
I hope I didn't confuse you, I mean you can't really don't anything
with
the
so called 'keys' with the CSR.
Keys is only valid when the cert is issued. now -
A] if the website generates a Keypair of its own before it creates
the
CSR
that's part of the CSR process, to the point here the key is
useless
until the cert is installed
B] How can the CSR be encrypted by Public/private key both at the
same
time?
it is not encrypted, just encode.
C] Is it that the CSR contains both the private & public keys of the
website?
again depend on how you actually see it. To me, the issued cert
from a
trusted CA, contains both public/private keys.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"Vicky" <Vicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B3052C4A-3501-4B71-8FE5-515089606B2C@xxxxxxxxxxxxxxxx
Dear Bernard,
I have read all that stuff at the links you are refering to.
The pages on MS wesite lack clarity & I have wrote a comment to them
such
as
1] Under the section
"Obtain a Certificate"
"......The CSR is simply an encrypted text message that is encrypted
with
a
public/private key pair."
Now could it be made clear
A] if the website generates a Keypair of its own before it creates
the
CSR
B] How can the CSR be encrypted by Public/private key both at the
same
time?
C] Is it that the CSR contains both the private & public keys of the
website?
What is true & presice ?
"Bernard Cheah [MVP]" wrote:
Read -
How To Enable SSL for All Customers Who Interact with Your Web Site
in
Internet Information Services
http://support.microsoft.com/?id=298805
that's why typically - we have trusted CA list in browser that we
can
trust.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"Vicky" <Vicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:90DB2326-7C0B-4457-91CD-2E7ABC1828FB@xxxxxxxxxxxxxxxx
I am shocked to here that it is the CA who generates the Private &
public
key
(Key Pair) for my own website.
You seem to have shattered my understanding of the whole process.
How
can
my
private ley be a private affair if the CA generates it for me (my
website).
I think I need to build more clarity of the whole process. Maybe
I
have
wrong ideas.
"Bernard Cheah [MVP]" wrote:
You only send the request file to CA. CA will then issue you the
cert
with
both private and public key.
To back it up, export the key (including private) and safe guard
the
file,
refer
HOW TO: Back Up a Server Certificate in Internet Information
Services
5.0
http://support.microsoft.com/?id=232136
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
"Vicky" <Vicky@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:322F8088-D472-487F-8F30-F1616EFCD995@xxxxxxxxxxxxxxxx
hi,
when I configure IIS server on a windows 2000 or 2003 server
to
use
the
ssl
- References:
- Re: Private & Public Key storage location
- From: Bernard Cheah [MVP]
- Re: Private & Public Key storage location
- Prev by Date: Re: Private & Public Key storage location
- Next by Date: Re: Help with password prompt
- Previous by thread: Re: Private & Public Key storage location
- Next by thread: Re: Help with password prompt
- Index(es):
Relevant Pages
|
