Having an issue generating a certificate from CSR
I am trying to generate a certificate from a CSR created in Cisco's ACS 5.1. I can paste the key blob into the MS CA web interface to request the certificate, but the resultant certificate does not give me the ability to export the private key, which is required by ACS. I have the correct permissions on the template and I have allowed for the private key to be exported. Any assistance is appreciated.
June 25th, 2010 9:43pm

Did you create a duplicate or copy of the certificate template before making the changes? Some version 1 templates do not allow exporting of private keys.
June 28th, 2010 4:26pm

Hi,

A private key is exportable only when it is specified in the certificate request or certificate template that was used to create the certificate. For more information: Administering Certificate Templates http://technet.microsoft.com/en-us/library/cc725621(WS.10).aspx

This posting is provided "AS IS" with no warranties, and confers no rights.
June 29th, 2010 8:28am

In the Windows world, whether or not a key is exportable is determined by a value set on the key container when the key is first generated or imported. The private key is generated when the request is created, and on the host on which the request was created. If the request was generated on the ACS then the private key should also exist there.

Further, if you are running ACS on an appliance then the Windows concept of "exportability" does not apply, since the key will be stored in some way specific to ACS rather than the "Windows way". On the other hand, if you are running ACS on a Windows box then within ACS you have the ability to access certificates via MS CAPI. If the request is generated in the same fashion -- using CAPI -- then the setting to mark the private key exportable must also be exposed within ACS, as that flag must be set when the request, and therefore the private key, is generated.

My point is that, if you've already created the request, then the setting in the template specifying key exportability is irrelevant. The CA has no control over whether or not a private key is exportable, nor do the certificates it issues. Version 2 certificate templates have that option in order to inform clients how the private key should be flagged when the request is first created based on the particular template. Functionally, it is just a suggestion, as no client is required to adhere to that setting. It is simply by design that Windows clients, specifically the Certificates MMC snap-in, do.

You have to determine at what point the request is being created (because that's when the private key is being generated) and by which process. If that process is ACS then you should check with Cisco to find out how the private key can be marked as exportable. Another option might be to use certreq.exe to generate the certificate request, and then, once the certificate has been issued and installed, configure ACS to use that existing certificate.

Certreq.exe generates a request based upon settings defined in an .INF file, and one of the settings in that .INF instructs Windows to set the exportability flag on the certificate. Here's a link to the syntax for certreq.exe.

Hope this helps,
Jonathan Stephens
July 2nd, 2010 10:00pm
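The certreq.exe route described in the answer above, as an added worked example that is not part of the thread and not Cisco's or Microsoft's own code. It assumes a hypothetical ACS host name (acs.example.com), a hypothetical CA configuration string ("ca01.example.com\Example Issuing CA") and a published v2 template named "WebServer" that the machine account may enroll against; substitute your own values. The point it demonstrates is the one made in the answer: `Exportable = TRUE` is applied to the key container when certreq generates the key, so it has to be in the .INF before the request exists, and the issued certificate can then be checked for that flag and exported to a PFX for ACS.

```powershell
# Added example (not from the thread). Hypothetical values:
#   - ACS host name: acs.example.com
#   - issuing CA config string: "ca01.example.com\Example Issuing CA"
#   - a published v2 template named "WebServer" the machine may enroll against
# Run from an elevated PowerShell prompt on the Windows host whose machine
# store ACS reads through CAPI.

$Hostname = 'acs.example.com'
$CaConfig = 'ca01.example.com\Example Issuing CA'
$Template = 'WebServer'
$WorkDir  = Join-Path $env:TEMP 'acs-cert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq.exe takes its request parameters from an INF file. The line that
# matters for this thread is "Exportable = TRUE": the flag is written onto the
# key container at generation time, so it must be present when the request
# (and therefore the key) is created. The CA and template cannot add it later.
$Inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"

[RequestAttributes]
CertificateTemplate = $Template
"@
$InfPath = Join-Path $WorkDir 'acs.inf'
$CsrPath = Join-Path $WorkDir 'acs.csr'
$CerPath = Join-Path $WorkDir 'acs.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding Ascii

# 1. Generate the key pair and the PKCS#10 request. The private key is created
#    now, in the machine store, with the exportable flag from the INF.
certreq.exe -new $InfPath $CsrPath

# 2. Submit the request to the CA and save the issued certificate. If the
#    template requires CA manager approval this prints a request ID instead;
#    retrieve it later with: certreq -retrieve -config $CaConfig <RequestId> $CerPath
certreq.exe -submit -config $CaConfig $CsrPath $CerPath

# 3. Accept the issued certificate, which binds it to the pending private key.
certreq.exe -accept $CerPath

# 4. Verify the flag the CA had no say in. For a legacy CSP key (ProviderType 12)
#    $cert.PrivateKey is an RSACryptoServiceProvider whose
#    CspKeyContainerInfo.Exportable reflects the key container's flag.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Hostname" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "Issued certificate for $Hostname not found in LocalMachine\My" }
$exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
"Thumbprint $($cert.Thumbprint): private key exportable = $exportable"

# 5. Only when the flag is set will a PFX export (the form ACS needs) succeed.
#    The password here is a placeholder; use a real one and protect the file.
if ($exportable) {
    $PfxPath = Join-Path $WorkDir 'acs.pfx'
    certutil.exe -p 'ChangeMe!' -exportPFX my $cert.Thumbprint $PfxPath
}
```

If step 4 reports `exportable = False`, the key was generated without the flag and nothing done at the CA will change that; delete the certificate and its key and start again from the INF. Conversely, a request generated inside ACS itself never passes through this INF, so its key's exportability is whatever ACS chose at generation time, which is the answer's point about asking Cisco.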
