Solved

SSL 101 private key

Posted on 2011-10-10
Medium Priority
466 Views
Last Modified: 2012-05-12
I received 2 web certificates from GoDaddy, both are CRT type certificates. I'm trying to import these certificates into a different server to the one that generated the certificate request. Questions are:

1. Where exactly is the private key located?
2. Does it get created once the certificates are imported into the server? Or when the certificate request gets generated?

I'm just trying to find information on the private key when a request is made for one to a 3rd party CA.

http://serverfault.com/questions/304962/where-is-an-ssl-private-key-stored 
Question by:Delmiroc
6 Comments
 
LVL 8

Expert Comment

by:Shmoid
ID: 36945637
The location where the private key is stored depends on the OS. Windows stores private keys in an encrypted format at one of the following locations:

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\
C:\Documents and Settings\UserA\Application Data\Microsoft\Crypto\RSA\[UserA's SID]\

Unix/Linux stores the key wherever you tell it to when creating the request.

The private key is generated when you create the CSR on a Windows computer. You can use third party tools to create a key pair first and then generate the CSR, but if you do it using the Windows GUI it all happens at once.

On Unix/Linux it is typical to use OpenSSL to generate a key pair and then create a CSR.
LVL 1

Author Comment

by:Delmiroc
ID: 36945691
In the past I have been able to use CRT certificates from GoDaddy on servers other than the one that made the initial certificate request, and I have been able to use the certs fine, just did an import of the certs into IIS. There must be a private key when I did that, right? Where would that be?
LVL 8

Expert Comment

by:Shmoid
ID: 36946351
If you generated the CSR in IIS then you must complete the request on the same server where the CSR was generated. You could then export as a PKCS #12 file (.pfx) which could then be imported to a different server and it would work fine.

You could also generate a key pair outside IIS for example with OpenSSL (command line) or KeyStore Explorer (GUI) then generate a CSR and import the CA (such as GoDaddy) response but you would still have to export the result to a .pfx file to install it on a different server.

If you import a .crt file from GoDaddy (or any other CA) on a server that did not generate the CSR, it will install but you will not have a private key associated with it and you would not be able to use it for SSL. Notice I said import not complete request. If there is no pending request you cannot complete it in IIS.

In your original post you said you were “…trying to import these certificates into a different server to the one that generated the certificate request.” You can accomplish that by finishing the request on the server where you generated the CSR, then export them to .pfx, move to the appropriate server and install. Don’t forget to bind in IIS after installing.
LVL 1

Author Comment

by:Delmiroc
ID: 36948309
If there are no pending requests in IIS for certificates you can still import an existing one from the local stores. I believe that's what I have done in the past. It has been many years ;-D and we haven't had any issues with SSL certs that I have noticed. Am I missing something or forgetting something?
LVL 8

Accepted Solution

by:Shmoid (earned 2000 total points)
ID: 36949783
Yes, you're missing the private key!  :-)

Seriously though, you are correct that you can import a certificate using the certificate snap-in, but that does not mean that it will have a private key associated with it, nor will that make it work for SSL. The only way what you described would work is if you already had a private key on a server that was paired to the certificate you are importing. For example, when you renew an existing key.

In a Windows environment the only way you are going to get a private key and matching certificate on a server that did not generate the CSR is to get it in a .pfx file and then import/install it on the other server.
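The workflow the accepted answer describes, shown on a Unix-like host with the OpenSSL command line (the option Shmoid mentions for generating the key pair outside IIS). This is an added example, not code from this thread or from GoDaddy: it assumes the `openssl` binary is on PATH, uses a self-signed certificate as a constructed stand-in for the CA response, and adds the check that decides the whole question, namely whether a given .crt actually belongs to the private key on the host, before and after the key and certificate travel together in a .pfx file.

```shell
#!/bin/sh
# Added example, not code from this thread. Mirrors the flow Shmoid describes
# on a Unix-like host with the OpenSSL CLI (assumed to be on PATH):
# key pair + CSR -> certificate -> check the cert matches the key ->
# bundle both into a .pfx (PKCS#12) for transfer to a different server.
# A self-signed certificate stands in for the CA response (constructed).

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for all files

# Step 1: key pair and CSR. The private key exists from this moment on;
# it never leaves this host unless it is exported deliberately.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=www.example.test" \
    -out "$WORK/server.csr" 2>/dev/null
}

# Step 2: stand-in for the CA response. A real CA (GoDaddy) would sign the
# CSR with its own key; here the CSR is self-signed so the example runs offline.
issue_stand_in_cert() {
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 1 -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: the check the thread circles around: does this .crt belong to this
# key? Compare digests of the public key carried by each. A .crt imported onto
# a host that lacks the matching key fails this and cannot serve SSL/TLS.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 4: bundle key + cert into a password-protected .pfx for transfer.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -passout "pass:$1" -out "$WORK/server.pfx" 2>/dev/null
}

# Step 5 (on the destination server): unpack the .pfx and re-run the check
# before binding the certificate to a site.
import_pfx() {
  openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$1" -nokeys \
    -out "$WORK/imported.crt" 2>/dev/null
  openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$1" -nocerts -nodes \
    -out "$WORK/imported.key" 2>/dev/null
  cert_matches_key "$WORK/imported.crt" "$WORK/imported.key"
}

# Whole workflow; returns 0 only when the check passes on both "hosts".
run_workflow() {
  make_key_and_csr && issue_stand_in_cert &&
    cert_matches_key "$WORK/server.crt" "$WORK/server.key" &&
    export_pfx "$1" && import_pfx "$1"
}

# Negative case: a freshly generated, unrelated key must NOT match the cert,
# which is exactly the state of a .crt imported on its own onto another server.
# Returns 0 when the mismatch is detected as it should be.
unrelated_key_is_rejected() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" 2>/dev/null
  ! cert_matches_key "$WORK/server.crt" "$WORK/other.key"
}
```

Run it with `run_workflow some-transfer-password` after sourcing the file; `$WORK/server.pfx` is the file you would copy to the second server, and `import_pfx` is what that server does with it. The public-key digest comparison in `cert_matches_key` is the same idea IIS applies when it decides whether an installed certificate has a private key: no matching key on the host, no SSL binding.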
LVL 1

Author Closing Comment

by:Delmiroc
ID: 37070655
Thanks