[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


Distributing a private key

Posted on 2014-02-19
Medium Priority
Last Modified: 2014-02-25
Dear Experts,
I've been given a task I am not very knowledgeable about and hope you can provide some insight.

User's OS: Windows (Win7 & Win8; both 32 and 64 bit)
I have an application (VB6) that runs locally on users' systems. There are approximately 30 users on different systems in different locations. The distribution of the app is highly controlled and protected.

The app sends XML strings directly to a Receiver's site using HTTPS.post.

The task is to embed a signature in the HTTPS header so the Receiver can verify the message came from our company (any one of the 30 users). The Receiver is not interested in using Public/Private keys and our transmission to them does not go thru a server at any point.

Using makecert, I've created a local X509 certificate with a private key and have completed the work to generate the SHA1 hash to create the signature.

Here is where I am stuck - because I am very new to certificates, I don't understand how to get that private key to the app users.

My thought was to distribute the .cer file with the app setup (the code looks for the certificate in a specific directory) - then also snail mail the .cer to the Receiver.

Will this work?
Doesn't the private key have to be the same on all systems (for the signature to be the same?)
Am I way off base?

Thank you
Question by:k heitz
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 29

Expert Comment

ID: 39870684
In order to give users the private key you will have to export to pfx you can do so with certutil:

Certutil.exe -p <Password> –exportpfx Thumbprintofcert c:\pfxfile.pfx

Once you have done the above you can simply script out the copy and install of the cert to the users store this can be bundled as a part of installing your app, so when the user runs your app you can point to the path with the pfx and do an install e.g :

certutil –f –p <password> –importpfx C:\pfxfile.pfx

Once you are installing
A flow such as above should work, since the private key will be exported to the pfx file.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39870888
Here's an overview of how the general process should work; compare to your current approach.

Proper Implementation


Alice wants to send a message to Bob and provide confidentiality, integrity, proof of origin and proof of receipt.


To protect the secrecy of her message contents, she uses a symmetric cipher to encrypt it. For that she uses a symmetric key. This produces a ciphertext message.


To protect the accuracy of the message, she uses a hashing algorithm that condenses the arbitrary-length message to a fixed-size message digest value.


To prove the message actually came from her, Alice signs the message by encrypting the hash value with her private key. The sum of the message digest encrypted with Alice's private key results in a digital signature.


This digital signature is then appended to the bottom of the symmetrically encrypted message. Now in order for Bob to read, prove the origin, and check the accuracy of the message, he must reverse all of the encryption done above.


To read the message, Bob needs a copy of the symmetric key. Alice encrypts it using asymmetric encryption and encrypts the symmetric key with Bob's public key, producing a ciphertext key.


Bob decrypts the ciphertext key with his private key to give him his copy of the symmetric key.


Bob uses the symmetric key to decrypt the message with that key and read it.


Bob decrypts Alice's digital signature using Alice's public key. Once the decryption process is complete, he is left with the message digest.


But, he has yet to prove the integrity of the message or the proof of origin. He must prove the message digest value is correct. To do this, Bob must rehash the message that he has received and decrypted.


If the message digest that he generates from the message matches the message digest that he decrypted from Alice's digital signature, then he has proof of integrity and proof of origin.


To prove that he received the actual message Alice sent, Bob re-encrypts the message digest with his private key, which will result in his digital signature.


Bob sends his digital signature back to Alice.


Alice decrypts Bob's digital signature using his public key to produce the message digest.


She compares the message digest she just received to the message digest she originally generated. If these two message digests match, then she has proven that her message was received by Bob (proof of receipt) in its correct format (proof of integrity).

Expert Comment

ID: 39872485
I would advise you to look at deploying a web enrolment service so that clients can request certificates, and enrol them once you approve their requests.
I.e. you shall need the following roles deployed and available on the Internet or other network where all your clients have access:

ADCS - Certificate Enrollment Web Service
ADCS - Certificate Enrollment Policy Web Service

Please read up on both - you can start right from the Add Role Services Wizard.
Once deployed, give URI of the Policy Service to your clients along with instructions how to set things up.
Each computer shall have it's own certificate, allowing you to revoke it in case of compromise.
==>Please design, deploy and test CRL web service before doing anything else, otherwise you shall have no means of stopping the compromised computers from connecting (short of shutting down the solution!) Make sure your CA works well with CRL service before issuing any certs.
==>Also make sure the template you use specifies non-exportable enrolment. This will stop users from exporting private keys from one PC into another.

Clients will need credentials in your domain, you could also use one shared user/password pair - one user may have many certs issued to him.
Make sure that your CA requires your approval for every request. even renewals.
Once you see new request incoming you could call the user/company to verify correct enrolment, and then approve. The rest is automatic, I mean renewal request coming your way every year or period configured.

This is a free, scalable solution.
The benefit is you do not email private keys - everything happens inside SSL tunnel.
Another benefit is users only configure it once, for lifetime of your solution.

.CER files do not contain private keys, .P7B do.
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?


Author Comment

by:k heitz
ID: 39873875
Hi bcraig;

I've determined this approach will work for me. I have run into some questions however.

I've been able to export the thumbprint a .pfx.

My first attempts failed (not found); so I used certutil to -addstore MY <cer path>. After doing so, it was successful.

In the dos window however, right above 'success' it reported:
'cannot find the certificate and private key for decryption' (i've attached a screen shot)

In your instructions you said:
"Once you have done the above you can simply script out the copy and install of the cert to the users store this can be bundled as a part of installing your app,"

I'm unfortunately ignorant in this area. is it possible to clarify? I'm not sure what you mean by 'script out the copy' (the pfx yes?).
'and install the cert to the users store' -

Will I be able to include the .pfx in my build; and run the
certutil –f –p <password> –importpfx C:\pfxfile.pfx command at the end of the install (vs. when the app itself runs)

Also - I don't know how to install it in the user's store. If I import as above and run certutil -addstore MY imported.cer will that do it?

I'm sorry to be so green at this.

Thank you

Once you are installing
A flow such as above should work, since the private key will be exported to the pfx file.
LVL 29

Accepted Solution

becraig earned 2000 total points
ID: 39874802
In order to export the pfx the cert must be installed (with private key marked as exportable on the machien you do the first step from)

Since this will be bundled in a build I think this will be secure as the pfx cannot be decrypted without the password.

Once you install the certificate on the machine you are first exporting from you can get the thumbprint by opening the cert - clicking on the details tab and  scroll down to thumbprint and copy the thumbprint.

Then proceed to export the pfx file using certutil
Certutil.exe -p <Password> –exportpfx Thumbprint c:\pfxfile.pfx

At this stage you need to embed the pfx file in your app and add a line to do the import from the pfx file when expanded with your application install:
Have some aspect of your install (maybe when staging the install) run the following command.
certutil -f -user -p [password] -importpfx  c:\path-your-app-expands-the -pfx-file-to\file.pfx

This will install the cert with private key to the user's store.

You can then have a command in your app installer delete the pfx file from the local computer and proceed to install your application.

Author Comment

by:k heitz
ID: 39884498
Hi becraig;
This is all great stuff and I feel I'm 99.5% of the the way there! Thank you so much!

Here's my final (I hope) brick wall.

After exporting the .cer to a .pfx and importing the .pfx ... what is the path of the imported .cer file? I've searched my system and cannot find it.

I ask because my vb.net code is as follows:

 Public Function GetSignature(ByRef XMLString As String) As String
        ' The path to the certificate.
        Dim Certificate As String = "c:\[path]\[filename].cer"
        ' Load the certificate into an X509Certificate object.
        Dim cert As New System.Security.Cryptography.X509Certificates.X509Certificate2(Certificate)

Does that make sense?
Thank you again!
LVL 29

Expert Comment

ID: 39884505
Ok so the problem here is that when the pfx is imported it is imported into the certificate store.  At this stage of your code what are you attempting to do next ?

Are you attempting to validate the certificate once it's installed ?

Author Comment

by:k heitz
ID: 39884586
I'm attempting to use the certificate's private key to apply SHA1 hash & create a digital signature. Full routine below:

    Public Function GetSignature(ByRef XMLString As String) As String
        ' The path to the certificate.
        Dim Certificate As String = "c:\[path to cert]\[filename].cer"
        Dim ByteConverter As New ASCIIEncoding
        Dim strDataString As String = XMLString

        'create byte arrays to hold orig & sigstring
        Dim OrigData As Byte() = ByteConverter.GetBytes(strDataString)
        Dim signedData() As Byte

        ' Load the certificate into an X509Certificate object.
        Dim cert As New System.Security.Cryptography.X509Certificates.X509Certificate2(Certificate)

        ' Create a new instance of the RSACryptoServiceProvider class  
        ' and automatically create a new key-pair.
        Dim RSAalg As New RSACryptoServiceProvider

        ' Export the key information to an RSAParameters object.
        ' You must pass true to export the private key for signing.
        Dim Key As RSAParameters = RSAalg.ExportParameters(True)

        ' Hash and sign the data.
        signedData = HashAndSignBytes(OrigData, Key)

        Dim sigString = Convert.ToBase64String(signedData)

        ' Verify the data and display the result to the  
        ' console.
        If VerifySignedHash(OrigData, signedData, Key) Then
            'MessageBox.Show("The data was verified.", "Verification", MessageBoxButtons.OK)
            ' Console.WriteLine("The data was verified.")
            GetSignature = sigString
            GetSignature = "The data does not match the signature."
            'Console.WriteLine("The data does not match the signature.")
        End If

        ' Display the value to the console.
        'GetSignature = sigString
    End Function

Author Comment

by:k heitz
ID: 39887486
I've requested that this question be closed as follows:

Accepted answer: 0 points for klheitz's comment #a39884586

for the following reason:

Very helpful - and patient! beCraig helped clarify my misunderstanding and offered excellent suggestions.

Author Closing Comment

by:k heitz
ID: 39887488
(i might have done this wrong before - i think I accepted my own note as the solution and I didn't mean to)
beCraig's solution worked great. Thank you very much!

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
What we learned in Webroot's webinar on multi-vector protection.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question