Exporting and Importing Root Certificates Lose Purpose and Friendly Name

Posted on 2009-05-11
Last Modified: 2012-05-06
I'm in the process of pushing out a root cert via group policy.  I notice that when I expot and then import the cert it loses the purpose field.  Instead of listing the purposes it can be used for it just is labeled <all> and the friendly name is blank.  Is there a reason the purpose field doesn't come over from an export/import?  Does it matter?
Question by:jpletcher1
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
LVL 31

Accepted Solution

Paranormastic earned 250 total points
ID: 24358103
You've looked too deep into PKI...  this is where things stop making sense.

The friendly name does not stick when you move a root certificate and you cannot add another one.  Any other type of cert it can be modified but still doesn't like to stick when exported - just the way it is.  I've run across this before.

The 'purposes' are due to the fact that the 'Enhanced Key Usage' field gets ripped off when you export a CA cert - this does not seem to matter if it is root or not, any CA cert seems to experience this from what I have seen so far.  If you have additional OIDs labeled (ones that are not recognized - i.e. they still show up as the OID number), these will be carried forward, however, but the standard ones that are defined key usages do not remain, only the standard 'Key Usages' field will remain.

Generally neither of these matter beyond that it will bug you from now until eternity.  The 'purposes' are restrictions for what the CA cert is valid for - generally speaking it is not a big deal for this to not end up declaring itself as being more restrictive than it is actually configured to be.  The friendly name is just that - friendly.  You can go in and change the friendly name of any cert to be whatever you want it to be and it doesn't affect the functionality - its something nice to have but really it doesn't matter.

Author Comment

ID: 24358157
Thanks for the info.  So if I push this root cert out with group policy and it gets put in everyone's Trusted Root Cert list, it will exist there.  Then eventually when they get the MS root cert update they will get this same cert again, and from my testing it installs as another root cert so it will be in there twice.  The one I push through group policy will have the name, but nothing in the purpose and friendly name field and the one that comes from the root cert update will have the same name and these two fields populated.  I guess it probably doesn't matter that they both exist there, but aren't they the same cert?   And if so which one will the system use when it looks for it?

Author Closing Comment

ID: 31580183
Thanks for the info.  Little things like this not showing up after an expot do bug me, but if that's the way it is and it doesn't really affect anything then that's good enough.
LVL 31

Expert Comment

ID: 24369553
MS has some special way of conveying it and its a mess for anyone else to even think about trying to keep those fields.  Its easiest to just deploy the root cert update if the root you need is in that.  usually people ask this about their own root CA cert.

It doesn't which root is there - they both assert the same signature and are equally valid - one just looks a little prettier.  The digital signatures of the CA, the subject name, and the validity period are really the main parts that the certificate chaining engine cares about.

Author Comment

ID: 24369728
Yes, the February MS Root Cert upate patch will fill this for us, but we don't get those deployed as fast so I thought I'd just push this root cert via group policy.  It is a digicert root cert.  Thanks

Featured Post

Building an interactive eFuture classroom

Watch and learn how ATEN provided a total control system solution including seamless switching matrix switch, HDBaseT extenders, PDU, lighting control to build an interactive eFuture classroom.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Make the most of your online learning experience.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
In an interesting question ( here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question