Re: Client Certificates
From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 01/25/04
- Next message: Blondie: "Re: SpywareBlaster"
- Previous message: Brian Komar : "Re: Security Alert"
- In reply to: RG: "Client Certificates"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 25 Jan 2004 10:10:13 -0500
I hope you are talking about exporting the pfx file on the CLIENT machine
and not exporting the pfx file for the issuing CA cert itself!
The way PKI certificate generation usually works is the following:
- client machine securely generates a public/private keypair (usually RSA), and wraps the public key and some certificate information (validity period, serial #, name of client etc..) into a certificate request, sent to the CA Certificate Services. (note that W2k3 also now supports private key archival on the CA too!)
- CA signs that information (i.e. encrypts the hash of that info with its own private key) and sends the signed blob back to client
- client reimports the new signed certificate blob into its own certificate store (usually the "Personal" store, called the MY store in CryptoAPI)
The private key is NOT stored with the certificate, but, on Windows, is stored in some
"key container" ... which could be a protected file, in the registry, on a smart card .. and
this location is OS dependent.
Every client generates its own UNIQUE public/private keypair; that public key and info
must be submitted as a certificate-signing request (PKCS#10 format) to the Cert services
for CA validation approval and signing.
Clients *can* export their cert + private key into a protected pfx file for backup, for secure
porting to another machine. However, generation and distribution of keys/certificate is not
dependent on using pfx files (unless you have a very off infrastructure).
In most CA infrastructures, the CA never has access to the private key generated by the
client (however, see key archival in W2k3 ...) and never distributes pfx files to clients.
- Mitch Gallant
MVP Security
http://pages.istar.ca/~neutron
"RG" <nobody@nowhere.com> wrote in message news:uvvtYE14DHA.2612@tk2msftngp13.phx.gbl...
> Pardon my ignorance in the area of Certificate Services. In the questions I
> may have made incorrect statements. I would greatly appreciate if you
> could correct me.
>
> I am generating client certificates using win2k3 Certificate Services.
> After creating the certificate, I export it using public/private key pair
> into .pfx file. I then import it to client machine personal store. In the
> personal node there are now 2 certificates. I am assuming it is a public
> client certificate and public CA certificate.
>
> Where does the private key get stored?
>
> If it is stored in some hidden place, how can I check what private keys have
> been imported to date? How can I delete them?
>
> Is the private key the same for all certificates for that CA? or is there
> a different private key for each certificate for that CA?
>
> Thanks in advance
>
>
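The keypair / PKCS#10 / CA-signing / re-import exchange Mitch describes, as an added example that is not part of this thread and not Windows Certificate Services or CryptoAPI code: it uses Go's standard crypto/x509 package in place of CryptoAPI, a hypothetical self-signed CA named "Example Issuing CA", a constructed client name "client01", and an in-memory private key standing in for the OS key container. The CA side receives only the PKCS#10 request, checks its proof-of-possession signature and signs with its own key; the client side checks the returned blob against the CA and against its own private key before it would go into the store. No pfx file appears anywhere in the flow, which is the point of the reply.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors (key generation, self-signing the example CA).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// clientMakeRequest runs on the CLIENT: a fresh RSA keypair, then a PKCS#10 request
// (DER) carrying only the public key and subject name. The private key stays here.
func clientMakeRequest(commonName string) (*rsa.PrivateKey, []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return key, must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))
}

// newCA builds a self-signed issuing CA for the example (hypothetical name).
func newCA() (*rsa.PrivateKey, *x509.Certificate) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// caIssue runs on the CA: parse the request, check that it was signed by the
// private key matching the embedded public key (proof of possession), then sign
// a certificate with the CA's own key. The CA only ever sees the client's PUBLIC key.
func caIssue(caKey *rsa.PrivateKey, caCert *x509.Certificate, csrDER []byte, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject, // a real CA validates or overrides this
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// clientAccept runs on the CLIENT: the returned blob must be signed by the
// trusted CA and must carry the public half of the key in the local key container.
func clientAccept(key *rsa.PrivateKey, certDER []byte, caCert *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	if err := cert.CheckSignatureFrom(caCert); err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("certificate does not match our private key")
	}
	return cert, nil
}

// Enroll runs the whole exchange for one client and returns the issued certificate.
func Enroll(commonName string) (*x509.Certificate, error) {
	caKey, caCert := newCA()
	clientKey, csrDER := clientMakeRequest(commonName)
	certDER, err := caIssue(caKey, caCert, csrDER, 1001)
	if err != nil {
		return nil, err
	}
	return clientAccept(clientKey, certDER, caCert)
}

func main() {
	cert := must(Enroll("client01"))
	fmt.Printf("issued %q by %q\n", cert.Subject.CommonName, cert.Issuer.CommonName)
}
```

Run it with `go run` on a single file. Each call to Enroll generates a new, unique client keypair, and caIssue refuses a request whose signature does not verify, which is how a CA confirms the requester holds the private key without ever receiving it. On Windows the private key this code keeps in memory would instead live in the CryptoAPI key container Mitch mentions, and the accepted certificate would go into the MY store.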