Generate a certificate with exportable private key

Posted on 2010-03-26
Medium Priority
Last Modified: 2013-12-04
I've been struggling with generating a certificate with an exportable private key. I'm running Win 2008 as an enterprise cert server. I already created a template with a private key exportable. I've even tried the request.inf template route. I can generate certs with exportable keys that work fine for Win servers. I've been playing with OpenSSL, all to no avail.

Here are the steps:
I get a cert request from a Linux web server. I need to take this and generate a certificate that has the private key exportable. I need to supply the certificate that the Linux system can import as the webserver certificate. I also need to supply the private key. This will be used on an appliance that watches SSL traffic.

What I've tried:
Take the Linux-generated request. Go to the certserv web page. Go to Advanced. Go to supplying the request. Paste in the request (with no extra spaces or line returns). Select the correct template (WebServerPKE, which does work with Windows boxes). I receive the certificate. I send this to the Linux admin. This is the point where I have issues. I now need to convert this cert to where I can pull the private key. I've imported the cert into my Windows box, then exported a PFX certificate, which does have a key. It does not work.

What I'm looking for:
Step-by-step directions for generating the cert using a Linux-based supplied request on an enterprise certificate authority running on Windows 2008. Step-by-step directions for extracting the private key for this certificate.
Question by: guydemarco

Accepted Solution

Paranormastic earned 2000 total points
ID: 28718248
Usually on Linux the cert request is made using openssl. With this, you create the private key and then specify that private key when creating the cert request. The private key is not part of the cert request.

This command creates the private key - it is in file YourSite.key
openssl genrsa -aes256 -out YourSite.key 2048

This command would then be issued next to create the CSR file:
openssl req -new -sha1 -key YourSite.key -out YourSite.csr

The YourSite.csr file is processed against the CA to get YourSite.cer certificate file.

If you need it to work on Linux, that's all you need. If you need that to work on a Windows box, too, then you want to create the request on the Windows box and then export it to .pfx to be used on other machines - if you need to separate it out into different files just ask.

It isn't common in Linux apps to need to combine the private key & certificate file into a PKCS #12 file, but it does come up. If so then run this to combine the cert and key into one P12 file:
openssl pkcs12 -export -in YourSite.cer -inkey YourSite.key -out YourSite.p12

Expert Comment

ID: 28910945
Well, the answer is in the first answer.

On Linux you first need to combine the certificate + private key into a pfx (which is a PKCS#12 format file), which is the already mentioned p12 file. Then you can import it into a Windows store.

Just converting the certificate into a pfx makes it miss the private key, and thus unusable for server use.
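The point made in the accepted solution and restated in the comment above (the CSR carries no private key; the key only ends up in a PFX/P12 when you bundle it with the issued certificate yourself) can be checked end to end with the same openssl commands. The script below is an added example, not code from either poster; it assumes openssl is on PATH, uses a constructed passphrase and subject, and self-signs the CSR as a stand-in for the Windows enterprise CA, which in the thread is what actually issues YourSite.cer.

```shell
#!/bin/sh
# Added example (not from the original thread): runs the accepted answer's
# openssl steps and checks where the private key lives at each stage.
# Assumptions: openssl on PATH; self-signing stands in for the Windows CA.
set -eu

build_and_check_pkcs12() {
    work=$(mktemp -d)
    pass="pass:Example-Passphrase-Only"   # constructed passphrase for the demo

    # 1. The private key is created first and never leaves this machine.
    openssl genrsa -aes256 -passout "$pass" -out "$work/YourSite.key" 2048 2>/dev/null

    # 2. The CSR is signed with the key but does not contain it.
    openssl req -new -sha256 -key "$work/YourSite.key" -passin "$pass" \
        -subj "/CN=www.example.com" -out "$work/YourSite.csr" 2>/dev/null
    if grep -q "PRIVATE KEY" "$work/YourSite.csr"; then
        echo "unexpected: CSR carries a private key" >&2; return 1
    fi

    # 3. Stand-in for the CA issuing YourSite.cer from the CSR (self-signed here).
    openssl x509 -req -in "$work/YourSite.csr" -signkey "$work/YourSite.key" \
        -passin "$pass" -days 30 -out "$work/YourSite.cer" 2>/dev/null

    # 4. Only now are key + cert bundled into a PKCS#12 (.p12/.pfx) file.
    openssl pkcs12 -export -in "$work/YourSite.cer" -inkey "$work/YourSite.key" \
        -passin "$pass" -passout "$pass" -out "$work/YourSite.p12"

    # 5. Verify the bundle really carries the key and that it matches the cert.
    openssl pkcs12 -in "$work/YourSite.p12" -nocerts -nodes -passin "$pass" \
        2>/dev/null | grep -q "PRIVATE KEY" || { echo "p12 has no key" >&2; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$work/YourSite.cer")
    key_mod=$(openssl rsa -noout -modulus -in "$work/YourSite.key" -passin "$pass" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || { echo "key/cert mismatch" >&2; return 1; }

    rm -rf "$work"
    echo "PKCS#12 bundle built; private key present and matches certificate"
}

build_and_check_pkcs12
```

A PFX exported from a Windows store that only ever received the issued .cer fails step 5 for the same reason the asker hit: the key was generated on the Linux box and was never in the Windows store to export.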


Author Closing Comment

ID: 31707614
That was the piece I was missing. We were able to give the end user a cert and the private key. Thank you for your help.
