Exporting and Importing Root Certificates Lose Purpose and Friendly Name

Posted on 2009-05-11
Last Modified: 2012-05-06
I'm in the process of pushing out a root cert via group policy.  I notice that when I expot and then import the cert it loses the purpose field.  Instead of listing the purposes it can be used for it just is labeled <all> and the friendly name is blank.  Is there a reason the purpose field doesn't come over from an export/import?  Does it matter?
Question by:jpletcher1
  • 3
  • 2
LVL 31

Accepted Solution

Paranormastic earned 250 total points
ID: 24358103
You've looked too deep into PKI...  this is where things stop making sense.

The friendly name does not stick when you move a root certificate and you cannot add another one.  Any other type of cert it can be modified but still doesn't like to stick when exported - just the way it is.  I've run across this before.

The 'purposes' are due to the fact that the 'Enhanced Key Usage' field gets ripped off when you export a CA cert - this does not seem to matter if it is root or not, any CA cert seems to experience this from what I have seen so far.  If you have additional OIDs labeled (ones that are not recognized - i.e. they still show up as the OID number), these will be carried forward, however, but the standard ones that are defined key usages do not remain, only the standard 'Key Usages' field will remain.

Generally neither of these matter beyond that it will bug you from now until eternity.  The 'purposes' are restrictions for what the CA cert is valid for - generally speaking it is not a big deal for this to not end up declaring itself as being more restrictive than it is actually configured to be.  The friendly name is just that - friendly.  You can go in and change the friendly name of any cert to be whatever you want it to be and it doesn't affect the functionality - its something nice to have but really it doesn't matter.

Author Comment

ID: 24358157
Thanks for the info.  So if I push this root cert out with group policy and it gets put in everyone's Trusted Root Cert list, it will exist there.  Then eventually when they get the MS root cert update they will get this same cert again, and from my testing it installs as another root cert so it will be in there twice.  The one I push through group policy will have the name, but nothing in the purpose and friendly name field and the one that comes from the root cert update will have the same name and these two fields populated.  I guess it probably doesn't matter that they both exist there, but aren't they the same cert?   And if so which one will the system use when it looks for it?

Author Closing Comment

ID: 31580183
Thanks for the info.  Little things like this not showing up after an expot do bug me, but if that's the way it is and it doesn't really affect anything then that's good enough.
LVL 31

Expert Comment

ID: 24369553
MS has some special way of conveying it and its a mess for anyone else to even think about trying to keep those fields.  Its easiest to just deploy the root cert update if the root you need is in that.  usually people ask this about their own root CA cert.

It doesn't which root is there - they both assert the same signature and are equally valid - one just looks a little prettier.  The digital signatures of the CA, the subject name, and the validity period are really the main parts that the certificate chaining engine cares about.

Author Comment

ID: 24369728
Yes, the February MS Root Cert upate patch will fill this for us, but we don't get those deployed as fast so I thought I'd just push this root cert via group policy.  It is a digicert root cert.  Thanks

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
Sending a Secure fax is easy with eFax Corporate ( First, just open a new email message. In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now