RE: private key problem
From: Walter Poupore [MS] (waltpo_at_online.microsoft.com)
Date: Fri, 14 Jan 2005 10:07:05 -0800
Your issued certificate contains your public key, which is generated as part
of a public/private key pair. The public/private key pair is created (in your
case via createPKCS10) before you submit the request to the CA. In the
certificate request, your public key and other information are signed by your
private key. The CA doesn't know the value of the requestor's private key,
but by issuing the certificate the CA is stating that the requestor has
knowledge of the private key and that the public key included in the
certificate corresponds to the public key portion of the public/private key
For background information, see
http://msdn.microsoft.com/library/en-us/seccrypto/security/certificates_and_public_keys.asp and ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-10/pkcs-10v1_7.doc.
By design you can see the public key in the MMC Certificates snap-in user
interface. Since the private key is not in the certificate (again by design),
the private key is not viewable in the MMC Certificates snap-in. However, the
MMC Certificates snap-in recognizes whether you have the corresponding
private key for a certificate.
Are you saying that when you view the certificate through the MMC
Certificates snap-in, there isn't a message stating that "You have a private
key that corresponds to this certificate"?
--
Walter Poupore [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.

"miva" wrote:
> Hello All!
>
> What properties should I set in ICertEnroll to make the CA issue a certificate
> with a private key?
> There is sample C# code below. I'm using the "User" certificate template, but
> the resultant certificate contains no private key.
> Thank you!
>
> CEnrollClass certEnroll = new CEnrollClass();
> CCertRequestClass certRequest = new CCertRequestClass();
> CCertConfigClass certConfig = new CCertConfigClass();
>
> certEnroll.KeySpec = 1; /*AT_KEYEXCHANGE*/
> certEnroll.addCertTypeToRequest("User"); //certificate template name
> certEnroll.ProviderName="Microsoft Enhanced Cryptographic Provider v1.0";
>
> // createPKCS10 generates the key pair in the CSP and returns the signed request
> string pkcs10 = certEnroll.createPKCS10("","");
> string config = certConfig.GetConfig(0);
> int result = certRequest.Submit(0x1 | 0x100 /*CR_IN_BASE64|CR_IN_PKCS10*/,
> pkcs10, "", config);
>
> if (result == 0x3 /*CR_DISP_ISSUED*/ )
> {
> string base64cert = certRequest.GetCertificate(0x1 /*CR_OUT_BASE64*/);
> }
>
> //...
>
> MW
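An added example, not code from either post in this thread, that makes Walter's point concrete in C#: the certificate object carries only the public key, the private key lives in the CSP/KSP key container the Windows store links to it, and the "You have a private key that corresponds to this certificate" check is a match between the two. It assumes .NET Framework 4.6 or later (or .NET Core) on Windows and RSA keys; the class and method names are mine.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class PrivateKeyCheck
{
    // True when the private key the store has linked to this certificate
    // really is the other half of the public key inside the certificate:
    // sign with the linked private key, verify with the certificate's public key.
    static bool PrivateKeyMatches(X509Certificate2 cert)
    {
        using (RSA priv = cert.GetRSAPrivateKey())   // null if no linked key or not RSA
        using (RSA pub = cert.GetRSAPublicKey())
        {
            if (priv == null || pub == null) return false;
            byte[] data = Encoding.ASCII.GetBytes("proof of possession");
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                // HasPrivateKey reflects the store's link to a key container,
                // not any key material inside the certificate itself.
                Console.WriteLine("{0}: HasPrivateKey={1}, matches={2}",
                    cert.Subject, cert.HasPrivateKey,
                    cert.HasPrivateKey && PrivateKeyMatches(cert));

                // Export the certificate alone (DER, no key) and reload it:
                // same public key, but the copy has no private key at all.
                var bare = new X509Certificate2(cert.Export(X509ContentType.Cert));
                Console.WriteLine("  exported copy: HasPrivateKey={0}", bare.HasPrivateKey);
            }
        }
    }
}
```

If a certificate reports HasPrivateKey=false, look for the key in the CSP container the request was generated in (here "Microsoft Enhanced Cryptographic Provider v1.0" under the enrolling user), not in the certificate bytes.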