RE: private key problem

From: Walter Poupore [MS] (
Date: 01/14/05

Date: Fri, 14 Jan 2005 10:07:05 -0800

Your issued certificate contains your public key, which is generated as part
of a public/private key pair. The public/private key pair is created (in your
case via createPKCS10) before you submit the request to the CA. In the
certificate request, your public key and other information are signed by your
private key. The CA doesn't know the value of the requestor's private key,
but by issuing the certificate the CA is stating that the requestor has
knowledge of the private key and that the public key included in the
certificate corresponds to the public key portion of the public/private key

For background information, see and

By design you can see the public key in the MMC Certificates snap-in user
interface. Since the private key is not in the certificate (again by design),
the private key is not viewable in the MMC Certificates snap-in. However, the
MMC Certificates snap-in recognizes whether you have the corresponding
private key for a certificate.

Are you saying that when you view the certificate through the MMC
Certificates snap-in, there isn't a message stating that "You have a private
key that corresponds to this certificate"?

Walter Poupore [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"miva" wrote:
> Hello All!
> What properties should I set in ICertEnroll to make CA issue certificate
> with private key?
> There is sample C# code below. I'm using "User" certificate template, but
> resultant certificate contains no private key.
> Thank you!
> CEnrollClass certEnroll = new CEnrollClass();
> CCertRequestClass certRequest = new CCertRequestClass();
> CCertConfigClass certConfig = new CCertConfigClass();
> certEnroll.KeySpec = 1; /*AT_KEYEXCHANGE*/
> certEnroll.addCertTypeToRequest("User"); //certificate template name
> certEnroll.ProviderName="Microsoft Enhanced Cryptographic Provider v1.0";
> string pkcs10 = certEnroll.createPKCS10("","");
> string config = certConfig.GetConfig(0);
> int result = certRequest.Submit(0x1 | 0x100 /*CR_IN_BASE64|CR_IN_PKCS10*/,
> pkcs10, "", config);
> if (result == 0x3 /*CR_DISP_ISSUED*/ )
>  string base64cert = certRequest.GetCertificate(CR_OUT_BASE64);
> //...
> MW

Relevant Pages

  • Re: Unable to use third-party cert after Exch Sp2 update on SBS200
    ... Every *server* certificate in IIS has to ... The public key is sent when a request from a browser ... The public key is used to *decrypt* data. ... The private key is used ...
  • Re: How to exchange certificate ?
    ... certificate store (I own ONLY a public key). ... >contained in a certificate store AND having an associated private key. ... you can test any cert for an associated private key using: ...
  • Re: encrypting email?
    ... an ID certificate is required and VeriSign will gladly produce one for $19.95 a year. ... Putting your public key on a public keyserver, ... And you hold onto the private key, ... encrypt their mail to you. ...
  • Re: TLS-certificates and interoperability-issues sendmail / Exchange / postfix ..
    ... > to assert that certificate validation doesn't happen, ... this trusted public key store contains public keys of that the ... signed by the CA. this digital certificate is returned to the "key ...
  • Re: What is a Certificate?
    ... what exactly is a certificate? ... > I've read that it is a private key / public key pair. ... register public keys of something called "certification authorities" ... An example is the SSL domain name digital certificate scenario. ...