Distributing a private key

Posted on 2014-02-19
Last Modified: 2014-02-25
Dear Experts,
I've been given a task I am not very knowledgeable about and hope you can provide some insight.

User's OS: Windows (Win7 & Win8; both 32 and 64 bit)
I have an application (VB6) that runs locally on users' systems. There are approximately 30 users on different systems in different locations. The distribution of the app is highly controlled and protected.

The app sends XML strings directly to a Receiver's site using

The task is to embed a signature in the HTTPS header so the Receiver can verify the message came from our company (any one of the 30 users). The Receiver is not interested in using Public/Private keys and our transmission to them does not go thru a server at any point.

Using makecert, I've created a local X509 certificate with a private key and have completed the work to generate the SHA1 hash to create the signature.

Here is where I am stuck - because I am very new to certificates, I don't understand how to get that private key to the app users.

My thought was to distribute the .cer file with the app setup (the code looks for the certificate in a specific directory) - then also snail mail the .cer to the Receiver.

Will this work?
Doesn't the private key have to be the same on all systems (for the signature to be the same?)
Am I way off base?

Thank you
Question by:klheitz
LVL 29

Expert Comment

ID: 39870684
In order to give users the private key you will have to export to pfx you can do so with certutil:

Certutil.exe -p <Password> –exportpfx Thumbprintofcert c:\pfxfile.pfx

Once you have done the above you can simply script out the copy and install of the cert to the users store this can be bundled as a part of installing your app, so when the user runs your app you can point to the path with the pfx and do an install e.g :

certutil –f –p <password> –importpfx C:\pfxfile.pfx

Once you are installing
A flow such as above should work, since the private key will be exported to the pfx file.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39870888
Here's an overview of how the general process should work; compare to your current approach.

Proper Implementation


Alice wants to send a message to Bob and provide confidentiality, integrity, proof of origin and proof of receipt.


To protect the secrecy of her message contents, she uses a symmetric cipher to encrypt it. For that she uses a symmetric key. This produces a ciphertext message.


To protect the accuracy of the message, she uses a hashing algorithm that condenses the arbitrary-length message to a fixed-size message digest value.


To prove the message actually came from her, Alice signs the message by encrypting the hash value with her private key. The sum of the message digest encrypted with Alice's private key results in a digital signature.


This digital signature is then appended to the bottom of the symmetrically encrypted message. Now in order for Bob to read, prove the origin, and check the accuracy of the message, he must reverse all of the encryption done above.


To read the message, Bob needs a copy of the symmetric key. Alice encrypts it using asymmetric encryption and encrypts the symmetric key with Bob's public key, producing a ciphertext key.


Bob decrypts the ciphertext key with his private key to give him his copy of the symmetric key.


Bob uses the symmetric key to decrypt the message with that key and read it.


Bob decrypts Alice's digital signature using Alice's public key. Once the decryption process is complete, he is left with the message digest.


But, he has yet to prove the integrity of the message or the proof of origin. He must prove the message digest value is correct. To do this, Bob must rehash the message that he has received and decrypted.


If the message digest that he generates from the message matches the message digest that he decrypted from Alice's digital signature, then he has proof of integrity and proof of origin.


To prove that he received the actual message Alice sent, Bob re-encrypts the message digest with his private key, which will result in his digital signature.


Bob sends his digital signature back to Alice.


Alice decrypts Bob's digital signature using his public key to produce the message digest.


She compares the message digest she just received to the message digest she originally generated. If these two message digests match, then she has proven that her message was received by Bob (proof of receipt) in its correct format (proof of integrity).

Expert Comment

ID: 39872485
I would advise you to look at deploying a web enrolment service so that clients can request certificates, and enrol them once you approve their requests.
I.e. you shall need the following roles deployed and available on the Internet or other network where all your clients have access:

ADCS - Certificate Enrollment Web Service
ADCS - Certificate Enrollment Policy Web Service

Please read up on both - you can start right from the Add Role Services Wizard.
Once deployed, give URI of the Policy Service to your clients along with instructions how to set things up.
Each computer shall have it's own certificate, allowing you to revoke it in case of compromise.
==>Please design, deploy and test CRL web service before doing anything else, otherwise you shall have no means of stopping the compromised computers from connecting (short of shutting down the solution!) Make sure your CA works well with CRL service before issuing any certs.
==>Also make sure the template you use specifies non-exportable enrolment. This will stop users from exporting private keys from one PC into another.

Clients will need credentials in your domain, you could also use one shared user/password pair - one user may have many certs issued to him.
Make sure that your CA requires your approval for every request. even renewals.
Once you see new request incoming you could call the user/company to verify correct enrolment, and then approve. The rest is automatic, I mean renewal request coming your way every year or period configured.

This is a free, scalable solution.
The benefit is you do not email private keys - everything happens inside SSL tunnel.
Another benefit is users only configure it once, for lifetime of your solution.

.CER files do not contain private keys, .P7B do.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39873875
Hi bcraig;

I've determined this approach will work for me. I have run into some questions however.

I've been able to export the thumbprint a .pfx.

My first attempts failed (not found); so I used certutil to -addstore MY <cer path>. After doing so, it was successful.

In the dos window however, right above 'success' it reported:
'cannot find the certificate and private key for decryption' (i've attached a screen shot)

In your instructions you said:
"Once you have done the above you can simply script out the copy and install of the cert to the users store this can be bundled as a part of installing your app,"

I'm unfortunately ignorant in this area. is it possible to clarify? I'm not sure what you mean by 'script out the copy' (the pfx yes?).
'and install the cert to the users store' -

Will I be able to include the .pfx in my build; and run the
certutil –f –p <password> –importpfx C:\pfxfile.pfx command at the end of the install (vs. when the app itself runs)

Also - I don't know how to install it in the user's store. If I import as above and run certutil -addstore MY imported.cer will that do it?

I'm sorry to be so green at this.

Thank you

Once you are installing
A flow such as above should work, since the private key will be exported to the pfx file.
LVL 29

Accepted Solution

becraig earned 500 total points
ID: 39874802
In order to export the pfx the cert must be installed (with private key marked as exportable on the machien you do the first step from)

Since this will be bundled in a build I think this will be secure as the pfx cannot be decrypted without the password.

Once you install the certificate on the machine you are first exporting from you can get the thumbprint by opening the cert - clicking on the details tab and  scroll down to thumbprint and copy the thumbprint.

Then proceed to export the pfx file using certutil
Certutil.exe -p <Password> –exportpfx Thumbprint c:\pfxfile.pfx

At this stage you need to embed the pfx file in your app and add a line to do the import from the pfx file when expanded with your application install:
Have some aspect of your install (maybe when staging the install) run the following command.
certutil -f -user -p [password] -importpfx  c:\path-your-app-expands-the -pfx-file-to\file.pfx

This will install the cert with private key to the user's store.

You can then have a command in your app installer delete the pfx file from the local computer and proceed to install your application.

Author Comment

ID: 39884498
Hi becraig;
This is all great stuff and I feel I'm 99.5% of the the way there! Thank you so much!

Here's my final (I hope) brick wall.

After exporting the .cer to a .pfx and importing the .pfx ... what is the path of the imported .cer file? I've searched my system and cannot find it.

I ask because my code is as follows:

 Public Function GetSignature(ByRef XMLString As String) As String
        ' The path to the certificate.
        Dim Certificate As String = "c:\[path]\[filename].cer"
        ' Load the certificate into an X509Certificate object.
        Dim cert As New System.Security.Cryptography.X509Certificates.X509Certificate2(Certificate)

Does that make sense?
Thank you again!
LVL 29

Expert Comment

ID: 39884505
Ok so the problem here is that when the pfx is imported it is imported into the certificate store.  At this stage of your code what are you attempting to do next ?

Are you attempting to validate the certificate once it's installed ?

Author Comment

ID: 39884586
I'm attempting to use the certificate's private key to apply SHA1 hash & create a digital signature. Full routine below:

    Public Function GetSignature(ByRef XMLString As String) As String
        ' The path to the certificate.
        Dim Certificate As String = "c:\[path to cert]\[filename].cer"
        Dim ByteConverter As New ASCIIEncoding
        Dim strDataString As String = XMLString

        'create byte arrays to hold orig & sigstring
        Dim OrigData As Byte() = ByteConverter.GetBytes(strDataString)
        Dim signedData() As Byte

        ' Load the certificate into an X509Certificate object.
        Dim cert As New System.Security.Cryptography.X509Certificates.X509Certificate2(Certificate)

        ' Create a new instance of the RSACryptoServiceProvider class  
        ' and automatically create a new key-pair.
        Dim RSAalg As New RSACryptoServiceProvider

        ' Export the key information to an RSAParameters object.
        ' You must pass true to export the private key for signing.
        Dim Key As RSAParameters = RSAalg.ExportParameters(True)

        ' Hash and sign the data.
        signedData = HashAndSignBytes(OrigData, Key)

        Dim sigString = Convert.ToBase64String(signedData)

        ' Verify the data and display the result to the  
        ' console.
        If VerifySignedHash(OrigData, signedData, Key) Then
            'MessageBox.Show("The data was verified.", "Verification", MessageBoxButtons.OK)
            ' Console.WriteLine("The data was verified.")
            GetSignature = sigString
            GetSignature = "The data does not match the signature."
            'Console.WriteLine("The data does not match the signature.")
        End If

        ' Display the value to the console.
        'GetSignature = sigString
    End Function

Author Comment

ID: 39887486
I've requested that this question be closed as follows:

Accepted answer: 0 points for klheitz's comment #a39884586

for the following reason:

Very helpful - and patient! beCraig helped clarify my misunderstanding and offered excellent suggestions.

Author Closing Comment

ID: 39887488
(i might have done this wrong before - i think I accepted my own note as the solution and I didn't mean to)
beCraig's solution worked great. Thank you very much!

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

761 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question