Re: Removing certificates on MS Windows.



On Mon, 10 Apr 2006, Mitch Gallant wrote:

"Juan Segarra Montesinos" <sa085144@xxxxxxxxxxxxx> wrote in message
news:Pine.LNX.4.63.0604101024080.25469@xxxxxxxxxxxxxx
On Sun, 9 Apr 2006, Mitch Gallant wrote:
.. snip

You cannot use the "Export private key" option in the "Export Certificate" button unless the associated private key is
marked as exportable which is not the default behaviour when you import a pkcs#12.

<MIG> Correct ... I forgot to mention that.


Moreover, exporting the certificate leaves it in the MY store... and in the MY store without private key associated...
you have to be careful

<MIG> This is only true if you have chosen to remove the private key when
you export (if possible). Simply exporting does not affect the certificate or linked key.

On the other hand, all the people I've talked to (people without technical skills) that use certificates (to access
Spanish administration websites, for instance) think that deleting the certificates deletes its private key...

<MIG> Yes. Default behaviour should have been to remove linked private key also.

cleancapi deletes containers without certificate associated (this can cause problems with software that just uses
containers) and MY store's certificate without associated private key.

<MIG> This is dangerous! Some useful applications generate raw
RSA keypairs, so you should definitely NOT blanket nuke them all :-)
Only delete "orphaned" keypairs IF you really understand what you are doing.



Yes, we wrote that in the README file :-)

Please, could you mention some of these applications... it'll be nice to mention them somewhere in the utility...



I had a tool "keypal.exe" as well as a web-application which did this also.
The keypal.exe tool also allows you to export ANY RSA keypair (assumed exportable)
in a keycontainer (without associated certificate) by creating, at export time,
a dummy unsigned linked certificate.

- Mitch Gallant
MVP Security



Thanks for your time Mitch :-)

Juan.
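
A read-only way to list the two cases discussed in this thread (MY-store certificates with no private key, and key containers that no MY certificate points to), added here as an example; it is not part of the original messages and is not cleancapi's code. It assumes Windows PowerShell 5.1, legacy CSP RSA keys, and that per-user containers are files under `%APPDATA%\Microsoft\Crypto\RSA\<SID>` named after the unique container name.

```powershell
# Added example: read-only audit, nothing is deleted.
# Assumes Windows PowerShell 5.1 and legacy CSP RSA keys; CNG keys are not covered.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My

# Certificates left in MY without a linked private key.
$certsWithoutKey = $certs | Where-Object { -not $_.HasPrivateKey }

# Map container file name -> thumbprint for certificates that do have a key.
$linked = @{}
foreach ($c in ($certs | Where-Object { $_.HasPrivateKey })) {
    try {
        $info = $c.PrivateKey.CspKeyContainerInfo   # null or throws for CNG keys
        if ($info) { $linked[$info.UniqueKeyContainerName] = $c.Thumbprint }
    } catch {
        Write-Warning "No CSP key info for $($c.Thumbprint): $($_.Exception.Message)"
    }
}

# Per-user RSA container files (assumed location for legacy CSP keys).
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$dir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"
$unlinked = @()
if (Test-Path -Path $dir) {
    $unlinked = @(Get-ChildItem -Path $dir -File |
        Where-Object { -not $linked.ContainsKey($_.Name) })
}

"Certificates in MY without a private key:"
$certsWithoutKey | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

# These may belong to certificates in other stores or to applications
# that use raw keypairs, so treat the list as something to review.
"Key containers not referenced by any MY certificate:"
$unlinked | Select-Object Name, LastWriteTime | Format-Table -AutoSize
```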
