Re: install a renewed certificate in "My" store
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 05/12/05
- Next message: David Cross [MS]: "Re: Suspend Certificate with MS CA2003"
- Previous message: Yan-Hong Huang[MSFT]: "RE: Windows 2000 encrypted data can not be decrypted in Windows XP"
- In reply to: Sebastian Rieger: "install a renewed certificate in "My" store"
- Next in thread: Sebastian Rieger: "Re: install a renewed certificate in "My" store"
- Reply: Sebastian Rieger: "Re: install a renewed certificate in "My" store"
Date: Thu, 12 May 2005 05:41:41 -0700
How are they performing the installation? If they are not using the web
enrollment pages on the CA, the MMC will not know to perform the association
between the cert that is installed and the key pair originally generated.
An alternate to using OpenSSL is to use certutil.exe -repairstore or to use
certreq.exe to install the cert on the machine if you cannot use the web
enrollment pages. This whitepaper should provide some help:
Windows Server 2003 advanced certificate enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:
Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

"Sebastian Rieger" <sebastian.rieger@gwdg.de> wrote in message
news:uU8UXrkVFHA.2540@tk2msftngp13.phx.gbl...
> Hi!
>
> I'm looking for a possibility for our users to install renewed
> certificates. They submit their signed CSRs to our CA (Windows 2003
> Enterprise) and finally get a renewed certificate. If they install it on
> their clients they'll only see it in the "Other People" tab, stating that
> they don't have a corresponding private key. "certutil -store -user My"
> states the same. Even installing the new certificate via MMC leads to a
> new certificate being stored in my store, but doesn't show me, that I've
> got a corresponding private key...
> I thought Windows would link the key pair via the thumbprint of the public
> key or a key container id - the public key is the same, as the old CSR was
> simply "resigned" - can I import a certificate and link it to an old key
> container?
> Using openssl I can inject the new certificate in a PKCS12 containing the
> "old" private key and Windows imports the new cert fine. But I can't tell
> our users to use openssl every time they renew their certs...
> Is there an easy way? We don't use auto enrollment (and can't do so,
> because of our root ca policy...)
>
> Thanks in advance,
>
> Sebastian Rieger
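
The certutil.exe -repairstore route mentioned in the reply, written out as a PowerShell script. This is an added example, not part of the original thread; the file name renewed.cer is an assumed placeholder for the certificate returned by the CA, and the script assumes it runs as the user whose profile holds the original key pair.

```powershell
# Added example (not from the original thread).
param(
    # Assumed file name: the renewed certificate returned by the CA.
    [string]$CertPath = '.\renewed.cer'
)
$ErrorActionPreference = 'Stop'

# Read the thumbprint so the later steps address exactly this certificate.
$file  = (Resolve-Path -LiteralPath $CertPath).Path
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
$thumb = $cert.Thumbprint

# 1. Place the certificate in the user's "My" store. At this point it has no
#    key association, which is the state described in the question.
& certutil.exe -user -addstore My $file
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# 2. Have certutil look through the user's key containers for the private key
#    matching the certificate's public key and record the link on the stored cert.
& certutil.exe -user -repairstore My $thumb
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# 3. Confirm the association before the old certificate is retired.
$installed = Get-Item -LiteralPath "Cert:\CurrentUser\My\$thumb"
if (-not $installed.HasPrivateKey) {
    throw "Certificate $thumb is installed but still has no private key on this machine."
}
"Certificate $thumb is linked to a private key; valid until $($installed.NotAfter)."
```

The private key stays in its existing container throughout, so it does not have to be exported into a PKCS#12 file as in the OpenSSL workaround. Running certreq.exe -accept on the same file is the other option the reply names.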