Re: Does deleting a certificate cause private key deletion?

From: Ohaya (ohaya_at_cox.net)
Date: 10/28/03


Date: Tue, 28 Oct 2003 08:53:14 -0500

David,

Thanks.

In any event, I went through a new certificate request cycle, and got a
new cert from our CA, and it's working now.

BTW, have you, or anyone else from MS who monitors these security NGs
taken a look at the thread that I've posted re. a possible bug with the
way that either IIS or CryptoAPI handles "Trusted" CAs? No one is
responding to that, and so I've sent email to secure@microsoft.com (not
sure if that is still working), and posted to the Security webpage on
MS.

"David Cross [MS]" wrote:
>
> I don't think that is what happened. But if you delete the cert and re-import
> again, it *may* get re-associated with the original private key which was not
> deleted.
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "Ohaya" <ohaya@cox.net.NO_SPAM> wrote in message
> news:uU93WNBnDHA.3612@TK2MSFTNGP11.phx.gbl...
> > Michael and David,
> >
> > I think that I may've figured out what I did. If you could confirm this,
> > I'd appreciate it!
> >
> > Basically, I think that in the process of my testing, I went ahead and used
> > IIS to create a new certificate request. I think that in doing this, it
> > deleted the private key for the certificate that I'd gotten from my CA
> > (which was also the result of an earlier IIS certificate request).
> >
> > Does this make sense?
> >
> >
> >
> >
> >
> > "Michel Gallant" <neutron@nspxistar.ca> wrote in message
> > news:%23h%23ItY%23mDHA.2140@TK2MSFTNGP09.phx.gbl...
> > > The Certificates panels "Export" dialog has a checkbox:
> > > "Delete the private key if the export is successful"
> > > which is *unchecked* by default (so private key container persists).
> > >
> > > If you didn't check that box, you can use this web tool (requires CAPICOM)
> > > to remove the unwanted key container (listed at bottom of page):
> > > http://pages.istar.ca/~neutron/KeyContainerTool
> > > The way this utility works is that any keycontainers (which contain protected
> > > asymmetric keypairs) NOT currently associated with a certificate are listed
> > > at end of display. So, if you look at the display, then delete a cert *without* deleting
> > > the private key, and look at the display again, you will see a new keycontainer listed
> > > at the bottom. That is the one you want to delete using the supplied text-field.
> > >
> > > - Michel Gallant
> > > Visual Security MVP
> > >
> > > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > > news:uwTe%23F%23mDHA.2200@TK2MSFTNGP12.phx.gbl...
> > > > No, deleting the cert does not delete the private key. To delete the
> > > > private key, you have to export the key and delete or manually delete the
> > > > actual key file from the file system.
> > > >
> > > > --
> > > >
> > > >
> > > > David B. Cross [MS]
> > > >
> > > > --
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > > http://support.microsoft.com
> > > >
> > > > "Ohaya" <ohaya@cox.net.NO_SPAM> wrote in message
> > > > news:3F998E55.93875B77@cox.net.NO_SPAM...
> > > > > Hi,
> > > > >
> > > > > I'm cross-posting this because I am not sure which group this belongs
> > > > > in. My apologies.
> > > > >
> > > > > This is a relatively quick question:
> > > > >
> > > > > If I have a certificate installed on a system (Local Computer, Personal)
> > > > > where there's initially a corresponding private key on the machine, and
> > > > > I delete the certificate using the MMC-Certificates snap-in, does the
> > > > > private key also get deleted from the machine?
> > > > >
> > > > >
> > > > > More detail:
> > > > >
> > > > > 1) I used IIS to request a server certificate
> > > > > 2) When I got the certificate (as a .CER file), I used IIS Server
> > > > > Certificate wizard to install the certificate from the .CER file.
> > > > > 3) If I use MMC Certificates snap-in to look at the certificate it shows
> > > > > "You have the private key".
> > > > > 4) Using MMC Certificates snap-in, I delete the server certificate.
> > > > > 5) Then, using MMC Certificate snap-in, I import the original .CER file
> > > > > into Local Computer, Personal store again.
> > > > >
> > > > > Now, if I use MMC Certificate snap-in to look at the certificate in
> > > > > Local Computer, Personal, the area where it said "You have the private
> > > > > key" is BLANK (i.e., it thinks that the private key is not there).
> > > > >
> > > > >
> > > > > The reason that I'm asking this is that I was doing some testing of
> > > > > something else, and all of a sudden, the private key was missing. I
> > > > > don't know exactly what I was doing (you know how it is when you're
> > > > > testing), but I found that the above steps seem to reproduce the
> > > > > condition of making the private key disappear.
> > > > >
> > > > > I'm trying to understand this so that I can avoid this in the future, so
> > > > > I hope that someone out there knows????
> > > > >
> > > > >
> > > > > Thanks in advance!!
> > > > >
> > > > > Jim
> > > >
> > > >
> > >
> > >
> >
> >
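
[Added example, not part of the original thread or written by any of its participants.] The thread describes two leftovers of deleting a certificate without its key: a re-imported .CER that shows no private key, and a key container that no certificate references. The PowerShell sketch below audits a machine for both. It assumes a current Windows host, an elevated PowerShell 5.1 or later session, RSA keys, and the modern machine key directories, none of which come from the thread.

```powershell
# Added example: assumes a current Windows host, an elevated PowerShell 5.1+
# session, and RSA keys. The paths are the modern machine key locations.
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",  # legacy CSP containers
    "$env:ProgramData\Microsoft\Crypto\Keys"              # CNG (KSP) keys
)

# 1. Walk every Local Computer store and record which key file each cert uses.
$inUse = @{}
foreach ($cert in Get-ChildItem Cert:\LocalMachine -Recurse |
         Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }) {
    if (-not $cert.HasPrivateKey) { continue }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.UniqueName
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
        if ($name) { $inUse[$name] = $cert.Thumbprint }
    } catch {
        Write-Warning "Could not open key for $($cert.Thumbprint): $($_.Exception.Message)"
    }
}

# 2. Certificates in Personal with no key link (the "BLANK" case in the thread).
Get-ChildItem Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey } |
    Select-Object Thumbprint, SerialNumber, Subject

# 3. Key files that no Local Computer certificate points at. Review only:
#    services and applications also keep keys here without any certificate.
Get-ChildItem $keyDirs -File -ErrorAction SilentlyContinue |
    Where-Object { -not $inUse.ContainsKey($_.Name) } |
    Select-Object Name, LastWriteTime, DirectoryName
```

If a certificate from step 2 still has its key file on disk, `certutil -repairstore my "<SerialNumber>"` asks Windows to re-link the two. Treat the step 3 list as candidates to investigate, not as a deletion list.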