Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 256
  • Last Modified:

Exporting and Importing Root Certificates Lose Purpose and Friendly Name

I'm in the process of pushing out a root cert via group policy.  I notice that when I expot and then import the cert it loses the purpose field.  Instead of listing the purposes it can be used for it just is labeled <all> and the friendly name is blank.  Is there a reason the purpose field doesn't come over from an export/import?  Does it matter?
0
jpletcher1
Asked:
jpletcher1
  • 3
  • 2
1 Solution
 
ParanormasticCryptographic EngineerCommented:
You've looked too deep into PKI...  this is where things stop making sense.

The friendly name does not stick when you move a root certificate and you cannot add another one.  Any other type of cert it can be modified but still doesn't like to stick when exported - just the way it is.  I've run across this before.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_23968611.html

The 'purposes' are due to the fact that the 'Enhanced Key Usage' field gets ripped off when you export a CA cert - this does not seem to matter if it is root or not, any CA cert seems to experience this from what I have seen so far.  If you have additional OIDs labeled (ones that are not recognized - i.e. they still show up as the OID number), these will be carried forward, however, but the standard ones that are defined key usages do not remain, only the standard 'Key Usages' field will remain.

Generally neither of these matter beyond that it will bug you from now until eternity.  The 'purposes' are restrictions for what the CA cert is valid for - generally speaking it is not a big deal for this to not end up declaring itself as being more restrictive than it is actually configured to be.  The friendly name is just that - friendly.  You can go in and change the friendly name of any cert to be whatever you want it to be and it doesn't affect the functionality - its something nice to have but really it doesn't matter.
0
 
jpletcher1Author Commented:
Thanks for the info.  So if I push this root cert out with group policy and it gets put in everyone's Trusted Root Cert list, it will exist there.  Then eventually when they get the MS root cert update they will get this same cert again, and from my testing it installs as another root cert so it will be in there twice.  The one I push through group policy will have the name, but nothing in the purpose and friendly name field and the one that comes from the root cert update will have the same name and these two fields populated.  I guess it probably doesn't matter that they both exist there, but aren't they the same cert?   And if so which one will the system use when it looks for it?
0
 
jpletcher1Author Commented:
Thanks for the info.  Little things like this not showing up after an expot do bug me, but if that's the way it is and it doesn't really affect anything then that's good enough.
0
 
ParanormasticCryptographic EngineerCommented:
MS has some special way of conveying it and its a mess for anyone else to even think about trying to keep those fields.  Its easiest to just deploy the root cert update if the root you need is in that.  usually people ask this about their own root CA cert.

It doesn't which root is there - they both assert the same signature and are equally valid - one just looks a little prettier.  The digital signatures of the CA, the subject name, and the validity period are really the main parts that the certificate chaining engine cares about.
0
 
jpletcher1Author Commented:
Yes, the February MS Root Cert upate patch will fill this for us, but we don't get those deployed as fast so I thought I'd just push this root cert via group policy.  It is a digicert root cert.  Thanks
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now