Re: Does deleting a certificate cause private key deletion?

From: Ohaya (ohaya_at_cox.net)
Date: 10/28/03


Date: Tue, 28 Oct 2003 08:53:14 -0500

David,

Thanks.

In any event, I went through a new certificate request cycle, and got a
new cert from our CA, and it's working now.

BTW, have you, or anyone else from MS who monitors these security NGs
taken a look at the thread that I've posted re. a possible bug with the
way that either IIS or CryptoAPI handles "Trusted" CAs? No one is
responding to that, and so I've sent email to secure@microsoft.com (not
sure if that is still working), and posted to the Security webpage on
MS.

"David Cross [MS]" wrote:
>
> I don't think that is what happened. But if you delete the cert and re-import
> again, it *may* get re-associated with the original private key which was not
> deleted.
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Ohaya" <ohaya@cox.net.NO_SPAM> wrote in message
> news:uU93WNBnDHA.3612@TK2MSFTNGP11.phx.gbl...
> > Michael and David,
> >
> > I think that I may've figured out what I did. If you could confirm this,
> > I'd appreciate it!
> >
> > Basically, I think that in the process of my testing, I went ahead and used
> > IIS to create a new certificate request. I think that in doing this, it
> > deleted the private key for the certificate that I'd gotten from my CA
> > (which was also the result of an earlier IIS certificate request).
> >
> > Does this make sense?
> >
> >
> >
> >
> >
> > "Michel Gallant" <neutron@nspxistar.ca> wrote in message
> > news:%23h%23ItY%23mDHA.2140@TK2MSFTNGP09.phx.gbl...
> > > The Certificates panels "Export" dialog has a checkbox:
> > > "Delete the private key if the export is successful"
> > > which is *unchecked* by default (so private key container persists).
> > >
> > > If you didn't check that box, you can use this web tool (requires CAPICOM)
> > > to remove the unwanted key container (listed at bottom of page):
> > > http://pages.istar.ca/~neutron/KeyContainerTool
> > > The way this utility works is that any keycontainers (which contain protected
> > > asymmetric keypairs) NOT currently associated with a certificate are listed
> > > at end of display. So, if you look at the display, then delete a cert *without* deleting
> > > the private key, and look at the display again, you will see a new keycontainer listed
> > > at the bottom. That is the one you want to delete using the supplied text-field.
> > >
> > > - Michel Gallant
> > > Visual Security MVP
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:uwTe%23F%23mDHA.2200@TK2MSFTNGP12.phx.gbl...
> > > > No, deleting the cert does not delete the private key. To delete the
> > > > private key, you have to export the key and delete or manually delete the
> > > > actual key file from the file system.
> > > >
> > > > --
> > > >
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > > http://support.microsoft.com
> > > >
> > > > "Ohaya" <ohaya@cox.net.NO_SPAM> wrote in message
> > > > news:3F998E55.93875B77@cox.net.NO_SPAM...
> > > > > Hi,
> > > > >
> > > > > I'm cross-posting this because I am not sure which group this belongs
> > > > > in. My apologies.
> > > > >
> > > > > This is a relatively quick question:
> > > > >
> > > > > If I have a certificate installed on a system (Local Computer, Personal)
> > > > > where there's initially a corresponding private key on the machine, and
> > > > > I delete the certificate using the MMC-Certificates snap-in, does the
> > > > > private key also get deleted from the machine?
> > > > >
> > > > >
> > > > > More detail:
> > > > >
> > > > > 1) I used IIS to request a server certificate
> > > > > 2) When I got the certificate (as a .CER file), I used IIS Server
> > > > > Certificate wizard to install the certificate from the .CER file.
> > > > > 3) If I use MMC Certificates snap-in to look at the certificate it shows
> > > > > "You have the private key".
> > > > > 4) Using MMC Certificates snap-in, I delete the server certificate.
> > > > > 5) Then, using MMC Certificate snap-in, I import the original .CER file
> > > > > into Local Computer, Personal store again.
> > > > >
> > > > > Now, if I use MMC Certificate snap-in to look at the certificate in
> > > > > Local Computer, Personal, the area where it said "You have the private
> > > > > key" is BLANK (i.e., it thinks that the private key is not there).
> > > > >
> > > > >
> > > > > The reason that I'm asking this is that I was doing some testing of
> > > > > something else, and all of a sudden, the private key was missing. I
> > > > > don't know exactly what I was doing (you know how it is when you're
> > > > > testing), but I found that the above steps seem to reproduce the
> > > > > condition of making the private key disappear.
> > > > >
> > > > > I'm trying to understand this so that I can avoid this in the future, so
> > > > > I hope that someone out there knows????
> > > > >
> > > > >
> > > > > Thanks in advance!!
> > > > >
> > > > > Jim
> > > >
> > > >
> > >
> > >
> >
> >
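
The thread's two points (deleting a certificate leaves its key container on disk, and a re-imported .CER may be re-associated with that key) can be checked from the command line. The following is an added example, not part of the original posts and not Michel Gallant's tool; it assumes an elevated Windows PowerShell 5.1 session, legacy CSP RSA keys such as the IIS wizard creates, and the default machine key directory on current Windows versions.

```powershell
# Added example: audit Local Computer\Personal for certificates without a
# linked private key, and list machine key files no certificate there uses.
# Assumption: CSP (not CNG) RSA keys under the default MachineKeys directory.
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# 1) Every certificate in the store, with the same information the MMC
#    snap-in shows as "You have the private key".
$certs = @(Get-ChildItem Cert:\LocalMachine\My)
$certs | Select-Object Subject, Thumbprint, HasPrivateKey |
    Format-Table -AutoSize

# 2) Key container file names that certificates in this store point to.
#    CNG-backed keys return no CSP info and are skipped.
$linked = @(
    foreach ($c in $certs | Where-Object HasPrivateKey) {
        try { $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName }
        catch { }   # key exists but is not readable by this account
    }
) | Where-Object { $_ }

# 3) Key files in MachineKeys that no certificate in LocalMachine\My uses.
#    Other stores and services (IIS, RDP, and so on) also keep keys here,
#    so treat this list as candidates to investigate, not as safe to delete.
Get-ChildItem -Path $keyDir -File |
    Where-Object { $linked -notcontains $_.Name } |
    Sort-Object LastWriteTime |
    Select-Object Name, LastWriteTime, Length |
    Format-Table -AutoSize

# 4) Certificates that were re-imported from a .CER and lost the link.
$unlinked = @($certs | Where-Object { -not $_.HasPrivateKey })
foreach ($c in $unlinked) {
    "No private key linked: {0} ({1})" -f $c.Subject, $c.Thumbprint
    # To ask Windows to re-associate the certificate with a matching key
    # container that still exists, run (thumbprint taken from the line above):
    #   certutil -repairstore My <thumbprint>
}
```

After `certutil -repairstore` succeeds, step 1 shows `HasPrivateKey` as `True` for that certificate and its key file drops out of the step 3 list.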


