Solved

IIS 5, Private Key

Posted on 2002-04-08
3
405 Views
Last Modified: 2010-04-13
To make a long story short, the "All Users.WINNT" folder in a Win2k Server machine with IIS 5 got deleted.

Whenever I try to export the private key & certificate (for the 2nd one we were issued) it says it's not exportable (this was not restored from a previous backup with the "exportable" option unchecked).

I have a .pfx backup of the 1st certificate we were issued, which contains both the private key & certificate.

My question is, do all certificates use the same private key (e.g. is the private key unique for every server, or for every certificate)?  If they do, does anyone know of a way to join the private key from the 1st certificate to the 2nd one?  That might mean "hacking" into the OS, but if anyone knows of anything I'd be really happy. :)

I was reading about the metabase IIS uses where everything is stored.  Before I spend hours programming something I'd like to know if there's already a program that will do it and if it's even possible through the metabase API in the Win2k SDK.

I'd even be willing to give more than 300 points through another question if you can fix it for me.  What sucks is that we got the certificate a month ago and it won't expire for some time.  And yes, I know to back it up next time--I'm somewhat new to SSL.
0
Comment
Question by:NelsonR
3 Comments
 

Author Comment

by:NelsonR
ID: 6926573
Here's an idea:
http://www.cashcow.dk/Home/faq.html

I do have a Hex editor.  The problem is I couldn't find "private-key", but I did find several "30 82"s.  Maybe it's for an older version, but it might help other people out there. :)
0
 
LVL 32

Accepted Solution

by:
jhance earned 300 total points
ID: 6926659
>>My question is, do all certificates use the same private
>>key (e.g. is the private key unique for every
>>server, or for every certificate)?  

No. With SSL (which uses RSA public key crypto) there is a 1:1 relationship between public and private keys.  Any public key has one and only one private key.  Otherwise the system would be unworkable.


>>...know of a way to join the private key from
>>the 1st certificate to the 2nd one?  That might
>>mean "hacking" into the OS, but if anyone knows of
>>anything

No way here.  The 1st cert uses a DIFFERENT private key from the 2nd one.  It MUST be that way, otherwise the 2nd public key would be identical to the first.  A new private key was generated with your CSR (Certificate Signing Request).  

>>I'd be really happy. :)

Hmmm, you might be less happy if what you want to do was practical.  It would mean that your SSL cert is insecure.  About the only approach that I can think of would be a brute-force attempt to crack the keys.  If you try all the possible private keys (unfortunately there are a lot of them!!) you'll have it.  

Practically, however, you're going to have to generate a NEW CSR (and with it a new private key) and then get a new SSL cert.  Yes, you'll probably have to pay for a new one and you might try pleading your case with VeriSign or Thawte (or whoever made your cert) but don't expect to get any favors from them.  I'm sure they get sob stories all the time....

I'd chalk this up to a learning experience about the value of backups....
0
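A small added example (not from this thread, and not IIS or OpenSSL code) illustrating the accepted answer's point: a private key is fixed by the primes chosen when the CSR's key pair is generated, so the key from the 1st certificate cannot serve the 2nd. It uses toy RSA with constructed demo primes, and includes the modulus-comparison check a practitioner would run on a restored .pfx before trusting it with a given certificate.

```python
# Added example: toy RSA with tiny constructed primes (demo only, never real key sizes)
# to show the 1:1 link between a certificate's public key and its private key.
from dataclasses import dataclass
from math import gcd

@dataclass(frozen=True)
class PublicKey:       # what ends up in the certificate
    n: int
    e: int

@dataclass(frozen=True)
class PrivateKey:      # what the .pfx backup holds
    n: int
    d: int

def make_keypair(p, q, e=17):
    """Toy key generation: d is determined entirely by (p, q, e).
    A new CSR picks fresh p and q, so it yields an unrelated d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return PrivateKey(n, d), PublicKey(n, e)

def key_matches_public(priv, pub):
    """Defender's check before restoring a key next to a cert: same modulus n.
    With real files: compare `openssl x509 -noout -modulus -in cert.pem`
    against `openssl rsa -noout -modulus -in key.pem`."""
    return priv.n == pub.n

def encrypt(pub, m):
    return pow(m, pub.e, pub.n)

def decrypt(priv, c):
    return pow(c, priv.d, priv.n)

def demo():
    # Two independent "CSRs" with constructed demo primes.
    priv1, pub1 = make_keypair(61, 53)      # pair behind the 1st certificate
    priv2, pub2 = make_keypair(101, 113)    # pair behind the 2nd certificate
    m = 42
    c = encrypt(pub2, m)                    # a client encrypts to certificate #2
    return {
        "key1_fits_cert1": key_matches_public(priv1, pub1),
        "key1_fits_cert2": key_matches_public(priv1, pub2),
        "key2_decrypts": decrypt(priv2, c) == m,
        "key1_decrypts": decrypt(priv1, c) == m,   # the old key is useless here
    }

if __name__ == "__main__":
    print(demo())
```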
 

Author Comment

by:NelsonR
ID: 6926735
As I said, I'm somewhat new to SSL so I didn't know how it all worked.  I now know how to back it up (and believe me, I will! :).  I've actually learned quite a bit about keys, etc. since this happened.

I don't think Thawte will buy it because it has been more than 30 days.

About brute force, http://www.allcondoms.com/ssl_security.htm talks some about it (I just did a search on google, don't ask about allcondoms.com).  I don't think I'll try that anytime soon, especially with 128 bit keys (2^128 is a BIG number).

Anyway, I now know how they work... sucks to be me. :)  But then again, $200 isn't that much and I can live with it.
0
