Stuart Mackie [MCP, MSP] (Guest)
Posted: Sun Jan 09, 2005 1:50 am
Post subject: Generate/Export PKCS #12 certificate from Win2k3 CA
Hi. I am using a 3rd party VPN client which requires a PKCS #12 certificate
(*.p12) for use with RSA-Cert VPN connections. So far I have generated a
certificate on our Win2k3 CA using the User Certificate Template, enabled
'Mark keys as exportable' and enabled strong private key protection. The
request format is set for CMC and the Hash is SHA-1.
Following this I can export two files, one is the .cer and the other is .pvk
(private key). The format required for the VPN client (from what I've been
informed so far) is PKCS #12 which would be .p12. I haven't managed to find
much documentation online which explains the different file types, since I
thought the .cer included PKCS #12.
Is it possible to export the required .p12 certificate from a Win2k3 CA?
Thanks for any help,
Stuart.

Steven L Umbach (Guest)
Posted: Sun Jan 09, 2005 2:09 am
Post subject: Re: Generate/Export PKCS #12 certificate from Win2k3 CA
Windows 2003 CA would be able to do what you want. The .pfx file is the one
you need as it will include the private key. See the link below for more
info.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_CMimportExport.asp
http://tinyurl.com/532uy -- same link as above shorter.
The .cer file contains only the public key and may be useful if you need to
import/export the issuing CA certificate to the trusted root certificate
store on the client computer via the computer or user mmc certificates
snapin/trusted root folder - import. Just clicking a .cer or .pfx file will
start the installation wizard but you want to verify that the certificate is
installed in the correct store - user or computer.
When you export the private key you will need to use a password to protect
the sensitive private key in the .pfx file. Also select the option to export
all certificates in the chain which may make installing the CA certificate
easier. Keep in mind that user certificates are used for "user"
authentication and if your VPN client is l2tp you probably need a "computer"
certificate as l2tp requires certificate computer authentication in addition
to user authentication. --- Steve
"Stuart Mackie [MCP, MSP]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
wrote in message news:eTvs5tb9EHA.3616@TK2MSFTNGP11.phx.gbl...
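The distinction Steve draws above (a .cer carries only the certificate and public key, a .pfx/.p12 is the container that also carries the private key, and the .pvk Stuart got is Microsoft's bare private-key file) is something you can check on disk rather than trust the file extension. The following is an added example, not code from the original thread: a small Python inspector that looks at the outer DER shape of a file and reports what it is and whether a private key can be inside it. The sample blobs at the bottom are constructed here with the right outer structure only; they are not valid certificates or keys, and the PVK header layout (magic, reserved, key type, encrypted flag, salt length, key length, all little-endian DWORDs) is taken from the documented PVK format rather than from anything on this page.

```python
"""Classify .cer / .pfx / .p12 / .pvk / .p7b / PEM files by their on-disk shape.
Added example for this thread; not code from the original posts."""
import struct

# DER contents octets of the OIDs we need
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")           # 1.2.840.113549.1.1.5
PVK_MAGIC = 0xB0B5F11E  # Microsoft PVK header magic (stored little-endian)


def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, contents, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80 or (first & 0x7F) > 4:
        raise ValueError("indefinite or oversized length is not DER")
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("contents run past end of data")
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Yield (tag, contents) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, body, pos = read_tlv(contents, pos)
        yield tag, body


def _classify_der(data):
    tag, body, end = read_tlv(data)
    kids = list(der_children(body))
    if tag != 0x30 or not kids:
        return {"kind": "unknown", "can_contain_private_key": False}
    t0, c0 = kids[0]
    # PFX ::= SEQUENCE { version INTEGER(3), authSafe ContentInfo, macData OPTIONAL }
    if t0 == 0x02 and c0 == b"\x03" and len(kids) >= 2 and kids[1][0] == 0x30:
        ci = list(der_children(kids[1][1]))
        if ci and ci[0] == (0x06, OID_PKCS7_DATA):
            return {"kind": "PKCS12", "can_contain_private_key": True,
                    "mac_present": len(kids) >= 3}
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT ANY } (.p7b bundle)
    if t0 == 0x06 and c0 == OID_PKCS7_SIGNED_DATA:
        return {"kind": "PKCS7", "can_contain_private_key": False}
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signature BIT STRING }
    if t0 == 0x30 and len(kids) == 3 and kids[1][0] == 0x30 and kids[2][0] == 0x03:
        tbs = list(der_children(c0))
        version = 1
        if tbs and tbs[0][0] == 0xA0:  # [0] EXPLICIT version, stored 0-based
            version = int.from_bytes(next(der_children(tbs[0][1]))[1], "big") + 1
        return {"kind": "X509", "can_contain_private_key": False,
                "version": version, "trailing_bytes": len(data) - end}
    return {"kind": "unknown", "can_contain_private_key": False}


def classify(data):
    """Describe raw file bytes: what container it is and whether a private key can be inside."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN "):  # PEM wrapper: the label says what is inside
        label = head[11:].split(b"-----", 1)[0].decode("ascii", "replace")
        return {"kind": "PEM", "label": label, "can_contain_private_key": "PRIVATE KEY" in label}
    if len(data) >= 24 and struct.unpack_from("<I", data)[0] == PVK_MAGIC:
        _, _, keytype, encrypted, saltlen, keylen = struct.unpack_from("<6I", data)
        return {"kind": "PVK", "can_contain_private_key": True,
                "key_type": {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}.get(keytype, keytype),
                "password_protected": bool(encrypted), "salt_len": saltlen, "key_len": keylen}
    try:
        return _classify_der(data)
    except (ValueError, StopIteration):
        return {"kind": "unknown", "can_contain_private_key": False}


def tlv(tag, contents):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(contents)
    if n < 0x80:
        ln = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + contents


# Constructed samples: correct outer shape only, not valid certificates or keys.
_tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
           + tlv(0x30, tlv(0x06, OID_SHA1_RSA)))
SAMPLES = {
    "user.cer": tlv(0x30, _tbs + tlv(0x30, tlv(0x06, OID_SHA1_RSA)) + tlv(0x03, b"\x00\xab")),
    "user.pfx": tlv(0x30, tlv(0x02, b"\x03")
                    + tlv(0x30, tlv(0x06, OID_PKCS7_DATA) + tlv(0xA0, tlv(0x04, b"\x00" * 4)))
                    + tlv(0x30, b"")),
    "user.pvk": struct.pack("<6I", PVK_MAGIC, 0, 1, 1, 16, 20) + b"\x00" * 36,
    "chain.p7b": tlv(0x30, tlv(0x06, OID_PKCS7_SIGNED_DATA) + tlv(0xA0, tlv(0x30, b""))),
    "ca.cer": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} -> {classify(blob)}")
```

Run it against a real export (`classify(open("user.pfx", "rb").read())`) to confirm what a VPN client is actually being handed: a file reported as `X509` is the .cer Stuart had and will never satisfy a client that wants PKCS #12, a `PKCS12` result has the private key inside an encrypted SafeBag that only the export password unlocks, and a `PVK` with `password_protected` set is what "strong private key protection" produced.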

Stuart Mackie [MCP, MSP] (Guest)
Posted: Sun Jan 09, 2005 5:09 am
Post subject: Re: Generate/Export PKCS #12 certificate from Win2k3 CA
Hi Steve, thanks for your reply. I've had a read through that document
while searching for a solution. To export the certificate I've logged in as
the user who generated the certificate, opened a console with the Certificate
snap-in and found the certificate located in "Certificates - Current
User\Active Directory User Object\Certificates". When I then try and export
the certificate the PKCS #12 options are greyed out. I definitely selected
"Mark keys as exportable" when I created the certificate.
Should the certificate be installed in Active Directory User Object or
should it have been in Personal Certificates? (When I created the
certificate I allowed the CA to automatically decide on where to place the
cert; should I specify the location instead?)
Thanks again,
Stuart.
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uwUus3b9EHA.1564@TK2MSFTNGP09.phx.gbl...

Steven L Umbach (Guest)
Posted: Sun Jan 09, 2005 7:04 am
Post subject: Re: Generate/Export PKCS #12 certificate from Win2k3 CA
OK. So you selected the option to have private keys exportable but that
option was not available when you went to export the certificate. Installing
the certificate in AD is fine. That just means a copy is where others in the
domain can find your public key but the actual private key is on the
computer where it was installed in the certificate store. I would check the
certificate general page to make sure that it states at the bottom "you have
a private key that corresponds to this certificate" and check the date and
time to make sure that is the certificate you think it is and check the CA
Management Console for issued certificates to see if it shows as being
issued. Also check the computer certificate store on the computer to see if
it ended up there for some reason. Note that using strong key protection
will require the user to input the password for the .pfx file every time the
private key is used which may or may not be desirable. If still having a
problem try the whole procedure again to request and install a certificate.
If you are using an enterprise CA, try creating a duplicate template of the
user's template and configure that template to allow private keys to be
exportable and add it to the certificate templates that can be issued. Then
request that certificate via the mmc user certificates snapin by selecting
personal folder, right clicking and selecting request new certificate. I
can't think offhand of a reason why the certificate/private key would not be
exportable if it was issued that way. I would also try the same as an
administrator to see if that makes any difference. --- Steve
"Stuart Mackie [MCP, MSP]" <newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com>
wrote in message news:OWVl9cd9EHA.3368@TK2MSFTNGP10.phx.gbl...