Generate a certificate with exportable private key

I've been struggling with generating a certificate with an exportable private key. I'm running Win 2008 as an enterprise cert server. I already created a template with a private key exportable. I've even tried the request.inf template route. I can generate certs with exportable keys that work fine for Win servers. I've been playing with OpenSSL, all to no avail.

Here are the steps:
I get a cert request from a Linux web server. I need to take this and generate a certificate that has the private key exportable. I need to supply the certificate that the Linux system can import as the webserver certificate. I also need to supply the private key. This will be used on an appliance that watches SSL traffic.

What I've tried:
Take the Linux-generated request. Go to the certserv web page. Go to Advanced. Go to supplying the request. Paste in the request (with no extra spaces or line returns). Select the correct template (WebServerPKE, which does work with Windows boxes). I receive the certificate. I send this to the Linux admin. This is the point where I have issues. I now need to convert this cert to where I can pull the private key. I've imported the cert into my Windows box, then exported a PFX certificate, which does have a key. It does not work.

What I'm looking for:
Step-by-step directions for generating the cert using a Linux-based supplied request on an enterprise certificate authority running on Windows 2008. Step-by-step directions for extracting the private key for this certificate.

Paranormastic (Cryptographic Engineer) commented:
Usually on Linux the cert request is made using openssl.  With this, you create the private key and then specify that private key when creating the cert request.  The private key is not part of the cert request.

This command creates the private key - it is in file YourSite.key
openssl genrsa -aes256 -out YourSite.key 2048

This command would then be issued next to create the CSR file:
openssl req -new -sha1 -key YourSite.key -out YourSite.csr

The YourSite.csr file is processed against the CA to get YourSite.cer certificate file.

If you need it to work on Linux, that's all you need.  If you need that to work on a Windows box, too, then you want to create the request on the Windows box and then export it to .pfx to be used on other machines - if you need to separate it out into different files just ask.

It isn't common in Linux apps to need to combine the private key & certificate file into a PKCS #12 file, but it does come up.  If so then run this to combine the cert and key into one P12 file:
openssl pkcs12 -export -in YourSite.cer -inkey YourSite.key -out YourSite.p12

noci (Software Engineer) commented:
Well the answer is in the first answer..

On Linux you first need to combine the certificate + private key into a pfx (which is a PKCS#12 format file), which is the already mentioned p12 file. Then you can import it into a Windows store.

Just converting the certificate into a pfx makes it miss the private key, and thus unusable for server use.

guydemarco (Author) commented:
That was the piece I was missing. We were able to give the end user a cert and the private key. Thank you for your help.
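
The workflow from the answers above, as an added example that is not part of the original thread: it builds the key, CSR, certificate and PKCS #12 bundle, checks that the certificate matches the private key, and shows that a PFX made from the certificate alone carries no key. Assumptions: the passphrase, the CN, the `CertOnly.pfx` name and the self-signing step (a stand-in for the enterprise CA) are constructed for the demo, and the CSR is signed with `-sha256`.

```shell
#!/bin/sh
# Added example. File names follow the thread; the passphrase, CN and the
# self-signing "CA" step are constructed stand-ins for a real issuance.
PASS='constructed-demo-passphrase'
DIR=$(mktemp -d)

# SHA-256 of the public key inside a key, CSR or certificate file.
pub_digest() {  # $1 = key|csr|cert  $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -passin "pass:$PASS" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# True if the PKCS #12 file actually carries a private key.
p12_has_key() {  # $1 = .p12/.pfx file
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

build_demo() {
  # 1. Linux side: private key, then CSR. Only the CSR goes to the CA.
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$DIR/YourSite.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$DIR/YourSite.key" -passin "pass:$PASS" \
    -subj '/CN=yoursite.example' -out "$DIR/YourSite.csr"
  # 2. Stand-in for the CA: self-sign the CSR to produce YourSite.cer.
  openssl x509 -req -in "$DIR/YourSite.csr" -signkey "$DIR/YourSite.key" \
    -passin "pass:$PASS" -days 1 -out "$DIR/YourSite.cer" 2>/dev/null
  # 3. Bundle certificate + key on the machine where the key lives.
  openssl pkcs12 -export -in "$DIR/YourSite.cer" -inkey "$DIR/YourSite.key" \
    -passin "pass:$PASS" -passout "pass:$PASS" -out "$DIR/YourSite.p12"
  # 4. Failure mode from the question: a PFX made from the certificate alone.
  openssl pkcs12 -export -nokeys -in "$DIR/YourSite.cer" \
    -passout "pass:$PASS" -out "$DIR/CertOnly.pfx"
}

build_demo
echo "key : $(pub_digest key  "$DIR/YourSite.key")"
echo "cert: $(pub_digest cert "$DIR/YourSite.cer")"
p12_has_key "$DIR/YourSite.p12" && echo "YourSite.p12: private key present"
p12_has_key "$DIR/CertOnly.pfx" || echo "CertOnly.pfx: no private key"
```

Run `pub_digest` against the real key and the CA-issued certificate before bundling; differing digests mean the certificate was issued for a different key.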