Standalone CA, how to manage private keys with web enrollment.
Hi! The problem is as follows:

Reason behind setup: We needed a PKI solution so we could handle S/MIME e-mails with our customers, and so we set up a Windows 2008 server with a Standalone CA. We are not using AD with this solution, and this is why we are using a Standalone CA instead of an Enterprise one. Everything is working fine: we can issue certificates, and they enable our users to use S/MIME with Outlook.

Problem: We were unable to find a solution for how to extract private keys from the certificates issued via the web enrollment; this is a critical issue for us, as it provides us with some safety in case the user's machine breaks down.

Real question: So are there any ways to extract/manage private keys with the system we have set up, or should we try something completely different? The need is basically to be able to open the encrypted mails even if the user somehow manages to lose his keys.

Thanks in advance, Ville
May 26th, 2009 3:54pm
Hi, Please try the following commands:

1. Get the list of certificates: certutil -store -user my > my.txt
2. Export a PFX file: certutil -p test -user exportPFX SERIAL_NUMBER PFXNAME.PFX
   Note: "-p test" is the password. We can get the SERIAL_NUMBER from the first step.
3. Use certutil importPFX to import the key.

For more information, type: certutil exportPFX -?

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
May 27th, 2009 12:32pm
If I run that on the client side I get: Private key is NOT exportable. And even then, relying on the users to remember to export their private keys and store them somewhere else can be hazardous at best. What I'm really looking for is to somehow export the private key from the issued certificates on the CA. Like on this picture: Those are the issued certificates I see listed under the CA. And from those certificates I would like to be able to export the private key. Or is it even possible? Another viable solution would be to somehow modify the web enrollment to mark the private keys as exportable, but I have yet to find a guide on how to do this. -- Ville
May 29th, 2009 2:13pm
Hi, Regarding the error "Private key is NOT exportable", it may occur if "Mark keys as exportable" is not selected. For more information, please refer to the following article.

Export a certificate with the private key
http://technet.microsoft.com/en-us/library/cc737187(WS.10).aspx

Please understand it's impossible to export the private key from the Issued Certificates on the CA. Private keys are only stored on the client side, and the CA has no access to private keys. It's suggested to submit an advanced certificate request via the web. For your reference:

Submit an advanced certificate request via the Web
http://technet.microsoft.com/en-us/library/cc784727(WS.10).aspx

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
June 1st, 2009 7:21am
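The "Private key is NOT exportable" situation discussed above, shown as an added client-side check that is not part of the thread: it walks the user's personal store, reports which private keys can be exported, and backs up the exportable ones to password-protected PFX files. It assumes Windows PowerShell with the PKI module (Export-PfxCertificate) and uses C:\keybackup as a hypothetical backup folder.

```powershell
# Added example, not from the thread: inventory Cert:\CurrentUser\My, report
# whether each private key is exportable, and back up exportable keys to PFX.
# Run as the user who enrolled. Assumes the PKI module is available and that
# C:\keybackup (hypothetical) is an acceptable backup location.

$backupDir   = 'C:\keybackup'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Test-ExportableKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Exportability is a property of the key container, not of the certificate.
    # Legacy CAPI keys expose it directly; for CNG keys the PrivateKey getter may
    # throw, so fall back to an export attempt and treat a failure as "not exportable".
    $csp = $null
    try { $csp = $Cert.PrivateKey } catch { $csp = $null }
    if ($csp -and $csp.CspKeyContainerInfo) {
        return [bool]$csp.CspKeyContainerInfo.Exportable
    }
    try {
        $null = $Cert.Export('Pfx', $pfxPassword)
        return $true
    } catch [System.Security.Cryptography.CryptographicException] {
        return $false
    }
}

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $label = "$($cert.Thumbprint) $($cert.Subject)"
    if (-not $cert.HasPrivateKey) {
        Write-Host "$label : no private key in this store"
        continue
    }
    if (-not (Test-ExportableKey $cert)) {
        # This is the "Private key is NOT exportable" case from the thread:
        # the key exists but was created without "Mark keys as exportable".
        Write-Warning "$label : key is NOT exportable; re-enroll with 'Mark keys as exportable'"
        continue
    }
    $pfx = Join-Path $backupDir "$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword | Out-Null
    Write-Host "$label : backed up to $pfx"
}
```

The resulting PFX files contain the private keys, so store them with the same care as the keys themselves (encrypted, access-controlled location).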
Is it possible to mark the keys as exportable for the standard templates on web enrollment somehow? Or do you always have to use the advanced certificate request to be able to get certificates with exportable private keys? As we are trying to make things as easy as possible for our users, it would be really handy if one could export the private key from the certificate requested via the "E-Mail Protection Certificate" template on the web enrollment. -- Ville
June 1st, 2009 7:56pm
It sounds like you want the CA to archive the private key. I know Enterprise CAs can do this; I don't know if Standalone CAs can. If you archive the private key on the CA, then you can export the private key from the CA machine. On an Enterprise CA, you would do this by going to the properties dialog of the CA, selecting the "Recovery Agents" tab and configuring one recovery agent. You'll need to verify if this is available on a Standalone CA.

Andrew
June 2nd, 2009 1:42am
AFAIK that is not available for the Standalone CA, and setting up an Enterprise CA at this time is not an option. -- Ville
June 2nd, 2009 11:12am