Unable to export certificates as Personal Information Exchange - PKCS #12 (.pfx) File Format

Source thread: http://www.networksteve.com/forum/topic.php/Unable_to_Export_certificates_as_Personal_Information_Exchange?Topicid=5343&posts=6

We are using Windows 2003 certificate authorities, and we are unable to export certificates as .pfx. Our only options are DER encoded binary X.509 (.CER), Base-64 encoded X.509 (.CER), or Cryptographic Message Syntax Standard - PKCS #7 Certificates (.p7b). The .pfx option is grayed out in the Certificate Export Wizard on the CA. This poses a problem because our Windows 2008 server running IIS 7 wants us to import a .pfx certificate. Can someone explain what is happening and how to fix it, please?
February 18th, 2010 PM

Too late to fix the existing. Your certificate template must allow export of the private key (enable the option on the Request Handling tab, if I remember correctly). The ability to export the private key is determined at the time of key generation (prior to creation of the actual certificate). Can you tell me more about your scenario? In each case, IIS can have different certificates in a lbs cluster, as long as the subject information is identical on each node. That being said, there are some apps that do require the same certificate. In those cases, you need to move towards custom requests (not domain requests) that request a custom certificate template that enables key export.
Brian
February 19th, 2010 AM

Thank you Brian for the quick reply. I do have a check box in the "Allow private key to be exported" section on the Request Handling tab; that's why this is driving me crazy. Well, all this was prompted by an error when trying to use IIS on a Windows Server 2008 to request a domain certificate from a Windows 2003 CA:

Create Certificate: The certificate request was submitted to the online authority, but was not issued. The request was denied.

I have permissions on the template set to: Authenticated Users - read, write, enroll; the2008server$ - read, write, enroll; Domain Admins - read, write, enroll; Domain Computers - read, write, enroll. I am able to run the certificate MMC and request it that way, and it works.
February 19th, 2010 AM

You cannot do a domain request, as it is hard coded to request the Web Server certificate template, not your custom template that you have created that enables key export. You can verify this by doing a dump of the binary request that failed. Check out the actual certificate template requested.
Brian
February 19th, 2010 AM

Dope, thank you very much Brian. That explanation helps a lot; I wish the error message said that instead of "check your permissions you idiot". You don't know how much hair I lost trying to troubleshoot this.
February 19th, 2010 PM

OK, I don't mean to beat a dead horse to death... On my Windows Server 2003 Enterprise Edition SP2 Certificate Authority server I launch the Certificate Authority MMC, I click on Issued Certificates, then I find and click on the Web Server certificate I issued to a Windows 2008 Server Standard Edition SP2, based on a duplicated template version 100.7 with the Export Private Key Enabled feature on. Then I click on the Details tab and the Copy to File button, which launches the Certificate Export Wizard. I click on Next, and the Personal Information Exchange - PKCS #12 (.pfx) option is grayed out... but... when I go to the Windows 2008 Server Standard Edition SP2 that got the certificate, launch the Certificates MMC, go to Certificates (Local Computer)\Personal\Certificates and double click on the issued certificate, then go to the Details tab, click on the Copy to File button and launch the Certificate Export Wizard, click Next, say yes, export the private key, click Next, then the Personal Information Exchange - PKCS #12 (.pfx) option is available. That makes absolutely no sense to me. I reissued the cert a few times and got the same result every time.
February 19th, 2010

This means that Microsoft listened when people stated that they wanted to be able to export web server certificates. In the *newer* build, you are able to do that. In the *older* build you cannot. Remember what I said earlier: the decision whether the private key is exportable is made **before** the request is even sent to the CA. You can override this option in the certificate template. So Windows Server 2008 does; Windows Server 2003 does not.
Brian
February 20th, 2010 AM

Greg --
The private key doesn't exist on the CA, but it does exist on the computer on which you created the request. Here's what happens when you request a certificate.

If you're generating a request with a new key pair -- which you will in the vast majority of cases -- Windows first generates the public and private key pair. The private key is written to a key store. Where the key store is located will depend on which Cryptographic Service Provider (CSP) or Key Storage Provider (KSP) is specified in the template. KSPs were introduced in Windows Server 2008/Vista, and are only available in V3 templates. In the case of most of the default Microsoft CSPs/KSPs (with the exception of those used with smart cards), the key store is located in either the user's profile or, in the case of computer certificates, the All Users profile. It is at this point, by the way, that the properties of that private key are also written to the key store. One property of interest to you immediately is whether or not Windows should allow the private key to be exported.

Once the key pair is generated, the request is then created. The request contains the information that should be in the certificate. This information is generally specified by the template, with the exception of the Subject field, which contains the common name or distinguished name of whoever is requesting the certificate. In the case of IIS, the subject will be your site name. The public key is included in the request. Windows then signs the request with the newly created private key.

Windows also creates a dummy certificate object in the Certificate Enrollment Requests store so that it knows that there is an outstanding request. At this point, the request is saved to a file or sent to an online CA, depending on how you generate the request. Note that the private key is not sent to the CA in most cases. The exception to this rule occurs when you have key archival enabled on the CA, and the template specifies that the private key should be archived in the CA database. If this is the case, Windows retrieves the CA exchange certificate from the CA and uses the public key in that certificate to encrypt the newly created private key. This encrypted private key is stored in the request.

Once the CA receives the request, it processes that request to determine if it should issue the certificate or not. In the case of the Enterprise CA, this decision is based on the permissions on the template. One can also specify that certain templates require CA manager approval before they can be issued. Assuming that everything is correct in the request, that the necessary information can be retrieved from Active Directory (perhaps the user's email address, or the computer's DNS host name -- it depends on the settings in the template), and that any CA manager approvals specified in the template have been performed, the CA builds the certificate and signs it with its current private key. The certificate has been created.

This certificate is stored in the CA database, which is why you can export it in the Certification Authority snap-in. If the encrypted private key for that certificate has been encoded in the request to be archived, the CA decrypts it first with its CA exchange private key, and then re-encrypts it using the public key(s) for any key recovery agents configured on the CA. The newly encrypted private key is also stored in the CA database. Note that this encrypted private key can only be retrieved and decrypted by a valid KRA. The CA then returns the certificate to the principal who requested it. If the request was first saved as a file and then submitted to the CA, you have to retrieve the certificate manually. It is only returned automatically if you submitted the request via the Certificates MMC, or if the application you use to submit the request retrieves it for you. IIS does this when you use the Certificate Request Wizard to request a web server certificate.

When the client has received the certificate, it locates the dummy certificate object in the Certificate Enrollment Requests store. From this object, Windows copies the location of the key store for the private key (among other things). This dummy certificate object is then deleted, and the new certificate is imported into the Personal store. The private key information is then written to an internal property of the certificate in the store. This is how Windows locates the private key of that certificate in order to use it when you invoke the associated certificate.

When you go to export the certificate and private key, Windows reads the private key location information from the certificate properties in order to find the key store wherein it is located. Assuming export is allowed, the certificate and private key are written to a password-protected .pfx file.

That's how a certificate request gets turned into a certificate, and explains why the private key doesn't exist on the CA. If you need to generate a .pfx file, then you'll have to export the certificate from the computer on which you generated the request.

Hope this helps.
Jonathan Stephens
April 19th, 2010 AM
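The following is an added example, not code from the thread or from any of its posters. It walks the flow Brian and Jonathan describe end to end on the requesting machine: a custom request whose INF sets Exportable=TRUE (the key-generation-time decision), a dump of the request to confirm which template it names before it goes to the CA, submission and acceptance, and finally the PKCS #12 export from the machine that holds the key. The subject, template name, CA config string and paths are assumed placeholders; Export-PfxCertificate is assumed to be available (it ships with the PKI module on Windows Server 2012/Windows 8 and later), with a certutil alternative noted for older hosts.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the
# server that should end up owning the private key, e.g. the IIS host.
$Subject  = "CN=www.example.test"                         # assumed site name
$Template = "WebServerExportable"                         # assumed: duplicated Web Server template with "Allow private key to be exported"
$CAConfig = "ca01.example.test\Example Issuing CA"        # assumed CAHost\CAName
$Work     = "C:\certreq"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Custom request INF. Exportable=TRUE is written into the key's properties when the
#    key pair is generated, i.e. before anything reaches the CA; a domain request made
#    from IIS cannot set this and always asks for the built-in Web Server template.
@"
[NewRequest]
Subject = "$Subject"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# 2. Generate the key pair and the PKCS #10 request. The private key lands in the
#    local machine key store; only the public key and the signed request leave it.
certreq -new "$Work\request.inf" "$Work\request.req"

# 3. Brian's check: dump the binary request and confirm the template it actually
#    names before submitting, so a template-permission denial is not a mystery.
certutil -dump "$Work\request.req" | Select-String -Pattern "Template"

# 4. Submit to the enterprise CA, then bind the issued certificate to its key.
certreq -submit -config $CAConfig "$Work\request.req" "$Work\issued.cer"
certreq -accept "$Work\issued.cer"

# 5. Export certificate + private key as PKCS #12 from THIS machine. Doing this on the
#    CA cannot work: the CA database holds only the certificate (and, with key archival,
#    a copy readable only by a KRA).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
Export-PfxCertificate -Cert $cert -FilePath "$Work\site.pfx" -Password $pfxPassword
# On a Windows Server 2008-era host without Export-PfxCertificate (assumed alternative):
#   certutil -p "<password>" -exportPFX My <thumbprint> "$Work\site.pfx"
```

If step 5 fails with a message that the key is not exportable, the key was generated without Exportable=TRUE and, as Brian says, cannot be fixed after the fact; the remedy is to repeat from step 1, not to re-issue the certificate on the CA.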

Jonathan,

That was really helpful, but I am still having issues with the export.

I am pretty much in the same situation, and no matter what, I can't export the private key. I have set up the template to archive the key and export the key, but still, it's not letting me export the key. I also tried to export from the machine where I installed the certificate, but no luck.

I am trying to deploy wireless security using a computer certificate, and I don't think it will work without the private key installed on the machine.

Thanks,
Julu007
January 8th, 2011

Click on the issued certificate and copy to a file.

Double click the newly created file and select "Install Certificate"

The import wizard opens, select next.

Select "automatically select the certificate store...", click Next

Click Finish

Now go to MMC and add snapin.

Click certificates and select certificates-my user account, click Finish

Now go into certificates-current user

Personal

Certificates

Right click the certificate you just imported and select Export

Select next

You can now export the .pfx file with a password.
March 24th, 2011 PM
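The wizard only offers the PKCS #12 option when the certificate in the store is bound to a private key and that key was generated as exportable, which is why a .cer copied from the CA and installed on another machine exports without a key. The check below is an added example, not from the thread or its posters; it reports both conditions for a certificate in the machine's Personal store so the cause of a grayed-out .pfx option is visible before the wizard is opened. The subject name is an assumed placeholder, and the exportable flag is read through the legacy CSP key container metadata that 2003-era templates use.

```powershell
# Added example (not from the thread). Lists, for each matching certificate, whether a
# private key is bound to it and whether that key's container allows export.
function Get-PrivateKeyExportState {
    param(
        [string]$Subject   = "CN=www.example.test",   # assumed placeholder
        [string]$StorePath = "Cert:\LocalMachine\My"  # use Cert:\CurrentUser\My for user certs
    )
    Get-ChildItem $StorePath |
        Where-Object { $_.Subject -eq $Subject } |
        ForEach-Object {
            $cert       = $_
            $exportable = "n/a (no private key on this machine)"
            if ($cert.HasPrivateKey) {
                try {
                    # Legacy CSP keys expose the flag that was fixed at key-generation
                    # time; CNG/KSP keys or a key we cannot open land in the catch block.
                    $csp = $cert.PrivateKey.CspKeyContainerInfo
                    if ($csp) { $exportable = $csp.Exportable }
                    else      { $exportable = "unknown (KSP key)" }
                } catch {
                    $exportable = "unknown (KSP key or access denied)"
                }
            }
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                KeyExportable = $exportable
            }
        }
}

Get-PrivateKeyExportState | Format-Table -AutoSize
```

Reading the output: HasPrivateKey = False means the certificate was imported from a .cer or .p7b and the key lives on the machine where the request was generated (or nowhere, if that machine was rebuilt); KeyExportable = False means the key exists but was generated without the template's export option, and the only fix is a new request with an exportable key. For the wireless computer-certificate case in the thread, the certificate only needs HasPrivateKey = True on the machine that authenticates; exportability is irrelevant unless the key has to be moved elsewhere.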
