Re: Does anyone back up Certificates?



lelteto wrote on 10/07/2007 17:54:
> I assume that the USB token contains the private key - and (unless the token is physically damaged) you don't and can't back up the private key.

why are you assuming that ?

> On the other hand I am certain that you can back up the certificate. The

or extract it from any signature generated with the associated key.
I can't figure out how it is possible to lose a cert - only the backup of the private key could be an issue.

> question is if the token is CAPI or Cryptoki. If it's CAPI, I am almost certain that the certificate is installed into one of the normal Windows certificate stores.

if the CA provided application does not allow the selection of the CSP (and thus device) responsible for the key/cert, it's just a silly appl.

> Find the cert from GeoTrust (which probably says something about code signing) and click on Export. Leave the "do not export the private key"

the PO said "key is not exportable" (marked as not exportable) ...

> If your token is Cryptoki (aka. PKCS#11), you would need to find out where the certificate is stored (maybe in a file in their application's directory?) Or just ask them, explaining that you just want to back up the CERTIFICATE.

do you do it this way ??

what about:

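CK_OBJECT_CLASS type = CKO_CERTIFICATE;
CK_ATTRIBUTE attrType = { CKA_CLASS, &type, sizeof(type) };
CK_OBJECT_HANDLE cert;
CK_ULONG count = 0;
/* find the first certificate object on the token */
C_FindObjectsInit(session, &attrType, 1);
C_FindObjects(session, &cert, 1, &count);
C_FindObjectsFinal(session);
/* read its DER encoding into buffer (size bytes available) */
CK_ATTRIBUTE derCert = { CKA_VALUE, buffer, size };
C_GetAttributeValue(session, cert, &derCert, 1);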

well, according to PO the cert is in a MS cert-store anyway.

Sylvain.
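
The distinction the thread turns on (the certificate can always be backed up, a key marked non-exportable cannot) can be reproduced on a Windows certificate store with the sketch below. It is an added example, not part of the original posts; it assumes Windows 10 or later with the built-in PKI cmdlets, and the subject name, file names and password are constructed for the demo.

```powershell
# Constructed demo certificate: code signing, private key marked non-exportable.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Constructed Backup Demo' `
    -CertStoreLocation Cert:\CurrentUser\My `
    -KeyExportPolicy NonExportable

$cerPath = Join-Path $env:TEMP 'codesign-backup.cer'
$pfxPath = Join-Path $env:TEMP 'codesign-backup.pfx'

try {
    # 1. Back up the certificate only (DER-encoded .cer, public data).
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

    # 2. Verify the backup: same thumbprint, and no private key travels with it.
    $backup = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
    if ($backup.Thumbprint -ne $cert.Thumbprint) {
        throw 'Backup does not match the certificate in the store'
    }
    "Certificate backed up to $cerPath (thumbprint $($backup.Thumbprint))"
    "Store copy has private key: $($cert.HasPrivateKey)"
    "Backup has private key:     $($backup.HasPrivateKey)"

    # 3. Exporting the key itself is refused because of the NonExportable policy.
    $pw = ConvertTo-SecureString 'constructed-demo-password' -AsPlainText -Force
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw -ErrorAction Stop | Out-Null
        'Unexpected: private key was exported'
    } catch {
        "Private key export refused: $($_.Exception.Message)"
    }
} finally {
    # Remove the demo certificate, its key and the files written above.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey -ErrorAction SilentlyContinue
    Remove-Item -Path $cerPath, $pfxPath -ErrorAction SilentlyContinue
}
```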