
Backup certificate when "Mark key as exportable" was not chosen?


Eric

Sep 1, 2008, 9:03:50 AM
Hello,

I have created a certificate through the webpage of my standalone
Microsoft root CA (/certsrv).

I want to backup the certificate generated (pair private/public keys).

By default, the "Mark key as exportable" option was not chosen.

My question is "How can I backup my certificate?"

If I make an "export" from the certificate MMC, it will not export the
private key, so how can I export both?

Thank you

--
Eric


Brian Komar (MVP)

Sep 1, 2008, 9:26:04 AM
You have to go back in time and indicate that the private key was to be
exportable when you generated the certificate request. The decision to make
a certificate's private key exportable can only be done at the time the key
pair is generated, not afterwards.
Brian

"Eric" <Eri...@nospam.hotmail.com> wrote in message
news:mn.0b877d89a...@nospam.hotmail.com...

Eric

Sep 1, 2008, 9:34:27 AM
Thank you Brian.

Can you please explain to me what I can do if, for example, my webserver
crashed and I need to restore the certificate (public/private keys) to
another webserver?

Thank you

> back in time and indicate that the private key was to be exportable when you
> generated the certificate request. The

--
Eric


Paul Adare - MVP

Sep 1, 2008, 9:39:08 AM
On Mon, 01 Sep 2008 15:34:27 +0200, Eric wrote:

> Thank you Brian.
>
> Can you please explain to me how can I do if, for example, my webserver
> crashed and I need to restore the certificate (public/private keys) to
> another webserver ?
>
> Thank you

Just issue a new certificate. There's no persistent data being encrypted so
there's really no need to be able to recover the private key from the
certificate. Revoke the old one and issue a new one.

>
>> back in time and indicate that the private key was to be exportable when you
>> generated the certificate request. The


--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
The determined programmer can write a FORTRAN program in any language.

Eric

Sep 1, 2008, 9:47:39 AM
Thank you for your advice.

What is the most secure method for you ?

- Create a backup of the certificate (private and public keys by
marking the "mark key as exportable")

or

- Renew the certificate for the server (if a crash happened) ?

(I am using a Standalone CA, so the renewal method will not be very
easy).

Thank you

> On Mon, 01 Sep 2008 15:34:27 +0200, Eric wrote:
>
>> Thank you Brian.
>>
>> Can you please explain to me how can I do if, for example, my webserver
>> crashed and I need to restore the certificate (public/private keys) to
>> another webserver ?
>>
>> Thank you
>
> Just issue a new certificate. There's no persistent data being encrypted so
> there's really no need to be able to recover the private key from the
> certificate. Revoke the old one and issue a new one.
>
>>
>>> back in time and indicate that the private key was to be exportable when
>>> you generated the certificate request. The

--
Eric


Brian Komar (MVP)

Sep 1, 2008, 6:49:44 PM
I would simply renew.
How many people have local Admin on the server? Each one could export and
take the cert.
But, it is really up to you.
Brian

"Eric" <Eri...@nospam.hotmail.com> wrote in message

news:mn.0bb37d899...@nospam.hotmail.com...

Eric

Sep 2, 2008, 3:58:00 AM
I think you're right, and the private key will be more secure if the
export is not available.

Thanks

--
Eric


Eric

Sep 2, 2008, 4:27:48 AM
Another little question please.

If my server crashed, I don't think that the renewal method will work
easily, but please tell me if I am wrong.

Indeed, when I try to renew the certificate (with or without the same
keys), I have an error "This certificate cannot be renewed because it
does not contain enough information to generate a renewal request"

I have read this KB http://support.microsoft.com/kb/929103/en-us, but
it is more associated with an EFS issue and I don't know how it can be done
for a webserver certificate.

If you can help me... :D

Thanks

Alun Jones

Sep 2, 2008, 10:20:46 AM
"Eric" <Eri...@nospam.hotmail.com> wrote in message
news:mn.12737d890...@nospam.hotmail.com...

> Another little question please.
>
> If my server crashed, I dont think that the renewal method will work
> easily but please tell me if I am wrong.
>
> Indeed, when I try to renew the certificate (with or without the same
> keys), I have an error "This certificate cannot be renewed because it does
> not contain enough information to generate a renewal request"

In that case, as Brian said, just issue a new certificate. You don't need
the old key (which is the only noteworthy difference between issuing a new
certificate and renewing an existing certificate), so don't pine over its
loss.

You need to design your PKI approach around what you will do in the case of
loss or damage. Sometimes, as in this case, the acceptable answer is "throw
away the old key, generate a new one". If you have to keep the old key
around (which is generally only necessary if you have persistent encrypted
data, not SSL sessions), then you will need to have a strategy that involves
secured offline storage of the key.

One such technique is to request the key from a physically secured machine,
but request it with the 'mark private keys as exportable' option checked.
Then, from that machine, export the certificate as a password-protected PFX
file to a floppy disk or USB drive. Delete the certificate and private key
from the secured machine, and use the device containing the PFX file to
install the key to the servers that need it (making sure not to mark the
private keys as exportable when importing onto the server), and finally
store the device in a locked safe, where it remains secured, but available
when needed for recovery.

Then document how to recover it, because it may not be you that recovers the
key!

Alun.
~~~~
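The procedure Alun describes (request the key on a secured machine with "Mark private key as exportable" set, export a password-protected PFX to removable media, import it on the servers without the exportable flag, then lock the media away), written out as an added example for certreq.exe and the PKI PowerShell module. This is not code from the thread or from Microsoft; the CA name, hostnames, subject and paths are placeholders. The same certreq steps with Exportable = FALSE are also how you simply request a fresh certificate from a standalone CA, which is the "just issue a new one" route Brian and Paul recommend when the MMC renewal wizard refuses the old certificate.

```powershell
# Added example: secured-machine request -> PFX to removable media -> non-exportable
# import on the web server. Requires an elevated prompt and the PKI module
# (Windows Server 2012 / Windows PowerShell 3.0 or later). All values are placeholders.
$CaConfig = 'ca01.corp.example\Example Standalone Root CA'   # "<CA host>\<CA common name>"
$Subject  = 'CN=www.example.com'
$WorkDir  = 'C:\PkiWork'
$PfxPath  = 'E:\www-example-com.pfx'                          # removable media destined for the safe

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# --- Step 1 (secured machine): generate the key pair and a PKCS#10 request.
# Exportable = TRUE is the only moment the key can be made exportable (Brian's point).
# Use Exportable = FALSE in the same file to request an ordinary server certificate.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = TRUE
KeyUsage = 0xA0
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path "$WorkDir\request.inf" -Encoding ASCII

certreq -new "$WorkDir\request.inf" "$WorkDir\request.req"

# A standalone CA holds the request as "pending" until an administrator issues it in
# the Certification Authority console; certreq prints the RequestId to retrieve later.
certreq -submit -config $CaConfig "$WorkDir\request.req" "$WorkDir\cert.cer"
# After the CA administrator has issued it (substitute the printed RequestId):
#   certreq -retrieve -config $CaConfig <RequestId> "$WorkDir\cert.cer"
certreq -accept "$WorkDir\cert.cer"        # pairs the issued cert with the pending key

# --- Step 2 (secured machine): export cert + private key as a password-protected PFX,
# then delete the local copy so the only private key left is the one going into the safe.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (record it separately from the media)'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Remove-Item -Path $cert.PSPath -DeleteKey   # -DeleteKey also removes the private key container

# --- Step 3 (each web server): import WITHOUT -Exportable, so the server-side copy is
# flagged non-exportable and the MMC export wizard will not hand the key to a local admin.
Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                      -Password $pfxPassword | Out-Null
```

Keep the PFX password out of the same safe as the media, and write the retrieval and import steps into the recovery runbook, since, as Alun says, the person doing the recovery may not be the person who created the key.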

Eric

Sep 3, 2008, 4:25:01 AM
> ce containing the PFX file to install the key to the servers that need it
> (making sure not to mark the private keys as exportable when importing onto
> the server), and finally storing the device in a locked safe, where it
> remains

Thanks Alun for that nice advice! =))

--
Eric


S. Pidgorny <MVP>

Sep 4, 2008, 5:41:20 AM
Eric,

There's just one more thing: the non-exportable certificates can in fact
be exported, because the OS mechanisms that prevent the export aren't a
security boundary (unless the cert is in specialised hardware storage
like HSM or smart card)

http://www.isecpartners.com/jailbreak.html

s.
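A check that follows from S. Pidgorny's point, added here as an example that is not part of the thread: list which provider holds each machine certificate's private key and what that provider's export flag says. For keys in a Microsoft software CSP/KSP the "non-exportable" flag is enforced by provider code running in the caller's own process, so it stops the MMC wizard but is not a boundary against an administrator at the same privilege; only a hardware-backed provider (smart card, TPM, HSM) gives a real boundary. The list of software provider names used for the SoftwareOnly column is an assumption of this example, not a Windows API.

```powershell
# Added example: report key storage provider and export flag for every certificate in
# the machine store that has a private key. Run elevated; RSA keys only.
function Get-PrivateKeyStorageInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    # Assumption of this example: these Microsoft providers keep keys in software (DPAPI
    # protected files); any other provider name is treated as hardware-backed.
    $softwareProviders = @(
        'Microsoft Software Key Storage Provider',
        'Microsoft RSA SChannel Cryptographic Provider',
        'Microsoft Enhanced RSA and AES Cryptographic Provider',
        'Microsoft Strong Cryptographic Provider',
        'Microsoft Enhanced Cryptographic Provider v1.0'
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $info = [ordered]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
        try {
            # RSACng for keys held by a CNG key storage provider, RSACryptoServiceProvider
            # for legacy CAPI keys, $null for non-RSA keys.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                $info.Provider   = $rsa.Key.Provider.Provider
                $info.Exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $csp = $rsa.CspKeyContainerInfo
                $info.Provider   = $csp.ProviderName
                $info.Exportable = $csp.Exportable
            } else {
                $info.Provider   = '(non-RSA key; not inspected by this example)'
                $info.Exportable = $null
            }
            # True means the "non-exportable" flag is the only thing guarding the key.
            $info.SoftwareOnly = ($info.Provider -in $softwareProviders)
        } catch {
            $info.Error = $_.Exception.Message      # e.g. access denied to the key container
        }
        [pscustomobject]$info
    }
}

Get-PrivateKeyStorageInfo | Format-Table -AutoSize
```

Any row with SoftwareOnly = True and Exportable = False is exactly the case the post describes: the flag protects against casual export, and the real control is who holds local administrator rights on that server (Brian's earlier question) and whether the key is worth moving to a smart card or HSM provider instead.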

Eric

Sep 4, 2008, 7:23:19 AM
Thank you for sharing your knowledge Slav :)

--
Eric


Wade Hargrove

Jan 11, 2022, 6:36:08 PM