
CA Backup -> Private key is NOT exportable


Juan

Jan 16, 2009, 11:55:01 AM
Hi,


at the moment I'm testing Backup of a W2K8 CA. I used certutil to backup the
key using the following syntax:

certutil -f -backupkey C:\CertBackup

I only get one file. With certutil filename I got message that "Private key
is NOT exportable".

How can I change this behaviour?

Many thanks in advance


Juan


Brian Komar (MVP)

Jan 18, 2009, 12:15:52 PM
How did you generate the CA certificate? By default, a software-based CSP
will store the certificate in an exportable format on the machine.
1) Are you using an HSM? For an HSM, you cannot use certutil -backupkey,
you have to backup based on the HSM that you have using their native
routines or file system copy.
2) Did you import the certificate from a PKCS#12? If so, you had to enable
the private key export option at the time of import.
Brian

"Juan" <Ju...@discussions.microsoft.com> wrote in message
news:43EFB02C-3897-43F2...@microsoft.com...
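Before running certutil -backupkey, an administrator can confirm which of the two situations Brian describes applies. The following is an added example, not code from this thread: it enumerates machine-store certificates that have a private key and reports the key provider, whether the key is hardware-backed, and whether its export policy allows export. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later on the CA host, RSA keys, and an elevated session; the function name Get-PrivateKeyExportability is the example's own.

```powershell
# Added example (not from the thread): read-only report of whether each
# machine-store private key is exportable, i.e. whether "certutil -backupkey"
# can succeed, or whether the key lives in a CSP/KSP that needs vendor tools.
Add-Type -AssemblyName System.Security

function Get-PrivateKeyExportability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # CA cert is stored here
    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null; $exportable = $null; $hardware = $false; $note = ''
        try {
            # Returns RSACng for CNG (KSP) keys, RSACryptoServiceProvider for legacy CSP keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $provider   = $rsa.Key.Provider.Provider
                $policy     = $rsa.Key.ExportPolicy
                # AllowExport or AllowArchiving must be set for the key to leave the provider.
                $exportable = (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0) -or
                              (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowArchiving) -ne 0)
                $note       = "ExportPolicy=$policy"
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info       = $rsa.CspKeyContainerInfo
                $provider   = $info.ProviderName
                $exportable = $info.Exportable        # set at key generation / PKCS#12 import
                $hardware   = $info.HardwareDevice    # true for HSM / smart-card CSPs
            } else {
                $note = 'non-RSA key: not inspected by this example'
            }
        } catch {
            $note = "could not open private key: $($_.Exception.Message)"
        }
        if ($hardware) { $note = 'hardware-backed key: back up with the HSM vendor tools, not -backupkey' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $provider
            Hardware   = $hardware
            Exportable = $exportable
            Note       = $note
        }
    }
}

Get-PrivateKeyExportability | Format-Table -AutoSize
```

A row with Exportable = False and Hardware = False corresponds to the "Private key is NOT exportable" result in the original post; the key was generated or imported without the export flag, so the supported recovery path is to reissue or re-import it with export enabled rather than to force it out of the CSP.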

Mounir IDRASSI

Jan 18, 2009, 12:46:01 PM
Hi,

If your private key/certificate were created using a Microsoft CSP, you can
use the free tool JailBreak from iSEC : it will help you export certificates
and key pairs even if they were marked as "Not Exportable" upon their
creation. You can get it from the following link :

http://www.isecpartners.com/jailbreak.html

I have tested it and it works like a charm...

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

To reach me: mounir_idrix_fr (replace the underscores with the at and dot
characters respectively)

Brian Komar (MVP)

Jan 18, 2009, 8:07:32 PM
Nice tool!
I guess this is another reason that I recommend HSMs for private key
protection. You just cannot secure a software-based machine key.
Brian

"Mounir IDRASSI" <moon...@newsgroups.nospam> wrote in message
news:BD679D02-5929-4EA6...@microsoft.com...
