Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exporting and Importing Root Certificates Lose Purpose and Friendly Name

Posted on 2009-05-11
5
Medium Priority
?
255 Views
Last Modified: 2012-05-06
I'm in the process of pushing out a root cert via group policy.  I notice that when I expot and then import the cert it loses the purpose field.  Instead of listing the purposes it can be used for it just is labeled <all> and the friendly name is blank.  Is there a reason the purpose field doesn't come over from an export/import?  Does it matter?
0
Comment
Question by:jpletcher1
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 1000 total points
ID: 24358103
You've looked too deep into PKI...  this is where things stop making sense.

The friendly name does not stick when you move a root certificate and you cannot add another one.  Any other type of cert it can be modified but still doesn't like to stick when exported - just the way it is.  I've run across this before.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_23968611.html

The 'purposes' are due to the fact that the 'Enhanced Key Usage' field gets ripped off when you export a CA cert - this does not seem to matter if it is root or not, any CA cert seems to experience this from what I have seen so far.  If you have additional OIDs labeled (ones that are not recognized - i.e. they still show up as the OID number), these will be carried forward, however, but the standard ones that are defined key usages do not remain, only the standard 'Key Usages' field will remain.

Generally neither of these matter beyond that it will bug you from now until eternity.  The 'purposes' are restrictions for what the CA cert is valid for - generally speaking it is not a big deal for this to not end up declaring itself as being more restrictive than it is actually configured to be.  The friendly name is just that - friendly.  You can go in and change the friendly name of any cert to be whatever you want it to be and it doesn't affect the functionality - its something nice to have but really it doesn't matter.
0
 

Author Comment

by:jpletcher1
ID: 24358157
Thanks for the info.  So if I push this root cert out with group policy and it gets put in everyone's Trusted Root Cert list, it will exist there.  Then eventually when they get the MS root cert update they will get this same cert again, and from my testing it installs as another root cert so it will be in there twice.  The one I push through group policy will have the name, but nothing in the purpose and friendly name field and the one that comes from the root cert update will have the same name and these two fields populated.  I guess it probably doesn't matter that they both exist there, but aren't they the same cert?   And if so which one will the system use when it looks for it?
0
 

Author Closing Comment

by:jpletcher1
ID: 31580183
Thanks for the info.  Little things like this not showing up after an expot do bug me, but if that's the way it is and it doesn't really affect anything then that's good enough.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24369553
MS has some special way of conveying it and its a mess for anyone else to even think about trying to keep those fields.  Its easiest to just deploy the root cert update if the root you need is in that.  usually people ask this about their own root CA cert.

It doesn't which root is there - they both assert the same signature and are equally valid - one just looks a little prettier.  The digital signatures of the CA, the subject name, and the validity period are really the main parts that the certificate chaining engine cares about.
0
 

Author Comment

by:jpletcher1
ID: 24369728
Yes, the February MS Root Cert upate patch will fill this for us, but we don't get those deployed as fast so I thought I'd just push this root cert via group policy.  It is a digicert root cert.  Thanks
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question