Exporting and Importing Root Certificates Lose Purpose and Friendly Name

Posted on 2009-05-11
Medium Priority
Last Modified: 2012-05-06
I'm in the process of pushing out a root cert via group policy. I notice that when I export and then import the cert it loses the purpose field. Instead of listing the purposes it can be used for it is just labeled <all>, and the friendly name is blank. Is there a reason the purpose field doesn't come over from an export/import? Does it matter?
Question by:jpletcher1
Accepted Solution

Paranormastic earned 1000 total points
ID: 24358103
You've looked too deep into PKI...  this is where things stop making sense.

The friendly name does not stick when you move a root certificate and you cannot add another one. For any other type of cert it can be modified, but it still doesn't like to stick when exported - just the way it is. I've run across this before.

The 'purposes' are due to the fact that the 'Enhanced Key Usage' field gets ripped off when you export a CA cert - this does not seem to matter if it is root or not; any CA cert seems to experience this from what I have seen so far. If you have additional OIDs labeled (ones that are not recognized - i.e. they still show up as the OID number), these will be carried forward, but the standard ones that are defined key usages do not remain; only the standard 'Key Usages' field will remain.

Generally neither of these matter beyond that it will bug you from now until eternity. The 'purposes' are restrictions for what the CA cert is valid for - generally speaking it is not a big deal for this to not end up declaring itself as being more restrictive than it is actually configured to be. The friendly name is just that - friendly. You can go in and change the friendly name of any cert to be whatever you want it to be and it doesn't affect the functionality - it's something nice to have but really it doesn't matter.

Author Comment

ID: 24358157
Thanks for the info. So if I push this root cert out with group policy and it gets put in everyone's Trusted Root Cert list, it will exist there. Then eventually when they get the MS root cert update they will get this same cert again, and from my testing it installs as another root cert, so it will be in there twice. The one I push through group policy will have the name, but nothing in the purpose and friendly name fields, and the one that comes from the root cert update will have the same name and these two fields populated. I guess it probably doesn't matter that they both exist there, but aren't they the same cert? And if so, which one will the system use when it looks for it?

Author Closing Comment

ID: 31580183
Thanks for the info. Little things like this not showing up after an export do bug me, but if that's the way it is and it doesn't really affect anything then that's good enough.

Expert Comment

ID: 24369553
MS has some special way of conveying it and it's a mess for anyone else to even think about trying to keep those fields. It's easiest to just deploy the root cert update if the root you need is in that. Usually people ask this about their own root CA cert.

It doesn't matter which root is there - they both assert the same signature and are equally valid - one just looks a little prettier. The digital signature of the CA, the subject name, and the validity period are really the main parts that the certificate chaining engine cares about.

Author Comment

ID: 24369728
Yes, the February MS Root Cert update patch will fill this in for us, but we don't get those deployed as fast, so I thought I'd just push this root cert via group policy. It is a DigiCert root cert. Thanks
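A way to verify the "same cert twice" situation described in this thread, added here as an example rather than anything posted by the participants: it lists every certificate that the logical Trusted Root store exposes more than once (same thumbprint, so the same signed bytes) and shows the signed fields the chain engine uses next to the store-local properties (friendly name, purposes) that the export/import loses. It assumes an elevated PowerShell session on Windows with the Cert: drive available; the store path is a parameter.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell with the
# Certificate provider (Cert:\) and enough rights to read the machine Root store.
function Get-DuplicateRootCerts {
    param(
        # Logical store to inspect; Group Policy and local physical stores are merged here.
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )

    Get-ChildItem -Path $StorePath |
        Group-Object -Property Thumbprint |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            foreach ($cert in $_.Group) {
                [pscustomobject]@{
                    # Fields inside the signed certificate: identical for both copies.
                    Thumbprint      = $cert.Thumbprint
                    Subject         = $cert.Subject
                    NotBefore       = $cert.NotBefore
                    NotAfter        = $cert.NotAfter
                    # True only if an Enhanced Key Usage extension (OID 2.5.29.37)
                    # is actually part of the signed certificate.
                    HasEkuExtension = [bool]($cert.Extensions |
                        Where-Object { $_.Oid.Value -eq '2.5.29.37' })
                    # Store-local properties: these are what differ between the two copies.
                    FriendlyName    = $cert.FriendlyName
                    # Purposes as the store reports them; an empty list is what the
                    # MMC displays as <All>.
                    Purposes        = ($cert.EnhancedKeyUsageList |
                        ForEach-Object { $_.FriendlyName }) -join '; '
                }
            }
        }
}

Get-DuplicateRootCerts | Format-Table -AutoSize
```

If the output shows identical Thumbprint, Subject and validity for both rows, they are one certificate as far as chain building is concerned; only the cosmetic properties differ.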
