Re: no option to export Certificate private key

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/31/04


Date: Tue, 31 Aug 2004 04:45:27 GMT

You would not want to export the certificates/private keys anyhow - they are issued
to computer names as shown on the certificate. You can control what computers get
certificates by enabling auto enroll at the OU level where you put the computers you
want to receive a machine certificate, even temporarily, and you can also control what
computers receive certificates by configuring security on the certificate template in
AD Sites and Services where you have to select view/show services node first. Then
for example go to the machine template and view properties/security where you will
see that domain computers have the enroll permission. You could add domain computers
to a global group that you want to receive that certificate and replace domain
computers with your global group for enroll permissions.

-- Steve

"seeker01" <seeker01@discussions.microsoft.com> wrote in message
news:2B7AE050-0917-4779-8876-42F8CF4AFA33@microsoft.com...
> Hi,
>
> I am new learning how to set up MS Certificate for Cisco VPN client. The MS
> Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain. Cisco
> VPN client is authenticated against Cisco Radius Server which looks up the
> external database from NT 4 domain.
>
> VPN clients are able to request for a new certificate from MS Certificate
> server & logon successfully. BUT, what disappoints me is the generated
> certificate from user's machine is not transferrable to another PC. My
> preference is to prevent users to create their own certificate. I wish all
> certificates to be created & controlled by the administrator. I can export
> the certificate but I am unable to export the user's private key. I guess
> that's the reason why the certificate is not transferrable between machines.
> Am I right? But what's wrong with my configuration - why the option of
> exporting the private key is not enabled?
>
> Thanks heaps to whoever that can guide me from here.
>
> Cheers.
> Seekr01
>
>
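
An added example, not part of the original thread: a PowerShell audit of which principals hold Enroll or Autoenroll on a certificate template, for confirming that enrollment is scoped to the intended global group as the reply describes. It assumes the RSAT ActiveDirectory module is available and that the template's CN is `Machine`; both are assumptions, not details from the posts.

```powershell
# Added example (not from the thread): audit who may enroll for a certificate template.
# Assumptions: RSAT ActiveDirectory module is installed; the template CN is 'Machine'.
Import-Module ActiveDirectory

$TemplateName = 'Machine'

# Extended-right GUIDs that govern certificate enrollment on template objects.
# An empty GUID on an ExtendedRight ACE means "all extended rights" (includes Enroll).
$Rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Templates are stored forest-wide in the configuration partition
# (the same Services node the reply reaches through AD Sites and Services).
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Keep only Allow ACEs that grant an enrollment-related extended right.
$findings = (Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $Rights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Right     = $Rights[$_.ObjectType.ToString()]
            Inherited = $_.IsInherited
        }
    }

$findings | Sort-Object Principal, Right | Format-Table -AutoSize

# Flag broad built-in groups that would let every machine or user enroll.
$broad = $findings | Where-Object {
    $_.Principal -match '\\(Domain Computers|Domain Users|Authenticated Users)$'
}
if ($broad) {
    Write-Warning "Template '$TemplateName' is enrollable by broad groups: $(($broad.Principal | Sort-Object -Unique) -join ', ')"
}
```

Full-control (GenericAll) ACEs also show up as "All extended rights", since that access mask includes the extended-right bit.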


