Export a private key
Windows 2008 Enterprise CA. I assign a cert with a duplicate template to a server. Can I export just the private key and nothing else if I need to?
December 29th, 2011 12:59pm

Only exporting - not that I'm aware of, however there may be a number of ways to get just the private key. If you need more information on specifically how to do one of these ideas, let me know.

1) When creating the request using the web interface, select to create a private key file (.pvk).
2) If using a 3rd party utility like OpenSSL or KeyTool then the private key may be created as a separate file.
3) Export the certificate with the private key to a .pfx file. There are a number of utilities that can split that up so that you can just have the key.
4) Backing up the private key on the CA can be done by setting the Key Archival flag on the template for an encryption certificate. There is no good reason to back up a signing-only certificate (just issue a new one, revoke the old one if appropriate). You can retrieve the private key from the CA if you have a KRA (key recovery agent) configured for your account.
5) If you are just trying to have a method to decrypt data, then either KRA or EFS DRA (data recovery agent) might be appropriate for an enterprise method of being able to retrieve encrypted data.

If you are looking for a way to configure doing this via the template, then no - not that I'm aware of (besides archiving, mentioned in #4). If none of these answer your question, then please describe your scenario for a more specific response.
December 29th, 2011 4:01pm

Can you show me how to do all three of these steps? Starting with number 3, since I already have a pfx file.

1) When creating the request using the web interface, select to create a private key file (.pvk).
2) If using a 3rd party utility like OpenSSL or KeyTool then the private key may be created as a separate file.
3) Export the certificate with the private key to a .pfx file. There are a number of utilities that can split that up so that you can just have the key.
January 2nd, 2012 12:58pm

I found an article on how to extract the private and public keys with openssl, but the file format is .PEM and my DBA needs the private key in .PVK format. Can I convert .PEM to .PVK?

Here is the command to extract the private key:

    openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

Here is the command to extract the public key:

    openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem

Now, is there a way to convert my privateKey.pem to privateKey.pvk, and how?
January 2nd, 2012 1:20pm

This requires the released version of OpenSSL; the Windows version is here: http://www.shininglightpro.com/products/Win32OpenSSL.html

Create the key file - note: delete this file when you are done, as it contains the unencrypted private key:

    openssl pkcs12 -in FILENAME.pfx -nocerts -nodes -out FILENAME_key.pem

Create the PVK file:

    openssl rsa -in FILENAME_key.pem -outform PVK -pvk-strong -out FILENAME.pvk

Not sure if you also need an SPC file (common for code signing), but if you do:

Extract the certificate file:

    openssl pkcs12 -in FILENAME.pfx -nokeys -out FILENAME_cert.pem

Convert to SPC:

    openssl crl2pkcs7 -nocrl -certfile FILENAME_cert.pem -outform DER -out FILENAME.spc

4 & 5 are probably easier to answer together... There should be KRA & EFS DRA certificate templates already populated that you can duplicate to better fit your needs if desired. This is pretty sensitive stuff (whoever can do this could potentially decrypt YOUR encrypted files!), so keep the number of people with KRA & DRA access to a minimum. These should be extremely restricted to only highly trusted personnel (e.g. Enterprise Admins or trained PKI staff - not helpdesk techs or a large admin group).

If you are using a 2003 CA then you can look up instructions for using krt.exe, but assuming you're running 2008 - here's some reading: http://blogs.technet.com/b/pki/archive/2009/08/07/understanding-key-archival.aspx

Read each sub-section of Managing Key Archival and Recovery: http://technet.microsoft.com/en-us/library/cc730721%28WS.10%29.aspx

For EFS DRA, the configuration process should be similar to: http://blogs.technet.com/askds/archive/2008/01/07/replacing-an-expired-dra-certificate.aspx (only creating instead of replacing) and http://technet.microsoft.com/en-us/library/cc512680.aspx

To use EFS DRA you basically log in as the EFS DRA user (personally I recommend a dedicated account for doing this, preferably with a split password with a second person), make sure the account has at least Modify permissions on the file to decrypt (you may need to take ownership to grant rights), then just remove the encryption checkbox from the file's properties, or keep the box checked and just open the file. I suggest removing the DRA certificate from each workstation after use to reduce the possibility of someone else gaining access to it somehow. A 3rd party tool that is good to have in your toolbox is AEFSDR... it can pull you out of a few sticky EFS situations.
January 3rd, 2012 2:42pm
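The PFX-to-PVK/SPC split from the answer above, carried through end to end as an added example; this is not code from the original thread and not Microsoft's or OpenSSL's own tooling beyond the openssl CLI. It assumes openssl is on PATH. Two things differ from the bare commands in the answer: the plaintext PEM key is piped straight from "openssl pkcs12" into "openssl rsa" so no unencrypted key file ever touches disk (nothing to remember to delete), and on OpenSSL 3.x the legacy provider is loaded, because PVK "strong" encryption uses RC4, which 3.x moved out of the default provider. The file names and passwords are placeholders, and the PFX is generated in place as constructed input so the functions can be exercised without a real CA.

```shell
#!/bin/sh
# Added example: split a PFX into a password-protected PVK and an SPC with
# the OpenSSL CLI, then prove the two halves belong together.
# Assumes "openssl" is on PATH. Names and passwords are demo placeholders.

# PVK encryption uses RC4. OpenSSL 3.x ships RC4 only in the legacy
# provider, and naming any provider disables the implicit default, so both
# are listed. OpenSSL 1.x and LibreSSL need no extra flags.
pvk_provider_flags() {
    case "$(openssl version 2>/dev/null)" in
        "OpenSSL 3"*|"OpenSSL 4"*) echo "-provider legacy -provider default" ;;
        *) ;;
    esac
}

# PFX -> PVK. The unencrypted PEM key goes through a pipe instead of a
# temporary file, so no plaintext key is written to disk. The PVK itself is
# password-protected (-pvk-strong) and created with a restrictive umask.
pfx_to_pvk() {
    pfx=$1 pfxpass=$2 pvkpass=$3 pvk=$4
    umask 077
    openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts -nodes |
        openssl rsa -outform PVK -pvk-strong -passout "pass:$pvkpass" \
            $(pvk_provider_flags) -out "$pvk"
}

# PFX -> SPC (DER PKCS#7 bundle holding the end-entity certificate).
# The intermediate PEM is public material, so it is left in place.
pfx_to_spc() {
    pfx=$1 pfxpass=$2 spc=$3
    certpem="${spc}.cert.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nokeys -clcerts -out "$certpem" &&
        openssl crl2pkcs7 -nocrl -certfile "$certpem" -outform DER -out "$spc"
}

# Check: the PVK decrypts with its password AND its RSA modulus equals the
# modulus of the certificate inside the SPC. Exit status is the verdict.
pvk_matches_spc() {
    pvk=$1 pvkpass=$2 spc=$3
    kmod=$(openssl rsa -inform PVK -in "$pvk" -passin "pass:$pvkpass" \
        $(pvk_provider_flags) -noout -modulus 2>/dev/null)
    cmod=$(openssl pkcs7 -inform DER -in "$spc" -print_certs 2>/dev/null |
        openssl x509 -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Constructed input: a throwaway self-signed key pair exported as a PFX,
# standing in for the PFX exported from the Windows certificate store.
make_demo_pfx() {
    dir=$1 pfxpass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=pvk-demo" -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null &&
        openssl pkcs12 -export -inkey "$dir/demo.key" -in "$dir/demo.crt" \
            -passout "pass:$pfxpass" -out "$dir/demo.pfx" &&
        rm -f "$dir/demo.key"
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_demo_pfx "$work" 'pfx-export-pw' &&
        pfx_to_pvk "$work/demo.pfx" 'pfx-export-pw' 'pvk-pw' "$work/demo.pvk" &&
        pfx_to_spc "$work/demo.pfx" 'pfx-export-pw' "$work/demo.spc" &&
        pvk_matches_spc "$work/demo.pvk" 'pvk-pw' "$work/demo.spc" &&
        echo "demo.pvk and demo.spc written to $work and verified"
fi
```

Run it as `sh split.sh demo`. For a real PFX, call pfx_to_pvk and pfx_to_spc with the exported file and its export password. The "pass:" form is used here for brevity; on a shared host it shows up in the process list, so prefer "file:" or "env:" sources for -passin/-passout. The modulus comparison is what tells you the .pvk and .spc you hand to the DBA actually form a pair before the PFX is destroyed.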


