Requesting private key file from web certificate

Posted on 2016-11-10
Medium Priority
Last Modified: 2016-11-10
I'm trying to apply a certificate to the admin interface on my firewall so that it isn't nagging me about it not being trusted.  I installed certificate services on a Server 2012 R2 server, created a web cert request and downloaded the newly created cert.  When I attempted to apply it to my firewall it asked for the private key file; I can't figure out how to obtain this.
Question by:bsjj2727

Expert Comment

by: Rich Weissler
ID: 41882580
When you generated the certificate request, that created two parts:
(1) the request file (public key), which gets submitted to the CA for its signature;
(2) the private key, which on a Windows machine using the certreq tool is normally stored in the certificate store for the user or machine.

If you've received a file back from the CA, you have a signed public key which still needs to be married up to the private key.  On the machine you used to generate the request, use the same tool to 'accept' the signed file you got back from the CA.
(If you used the Certificates snap-in for MMC, use that; if you used certreq, use that tool with the "-accept" option pointed at the file you got back.  If you used IIS and obtained a domain certificate, it will already have married up the components.)

Once you have that, you can export the certificate back out of the certificate store and include the private key in the export.
(For this, I use MMC, then open the snap-in for Certificates, either User or Machine depending on how you requested the cert, then Personal/Certificates; select the certificate, right-click, All Tasks/Export.)
If you need to then split out the private key from the certificate file, I use OpenSSL.  If you use that tool, I believe the relevant command is:
openssl pkcs12 -in ExportedCertFile.pfx -nocerts -nodes -out PrivateKey.pem
(-nocerts writes only the private key, leaving the certificate out; -nodes leaves that key unencrypted, which is what most appliance upload forms expect.)


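The request/accept/export/split sequence described above, as an added shell example (not Rich's code, and done with OpenSSL instead of certreq/MMC so the "married up" check can be shown): it generates the private key and request, signs the request with a throwaway lab CA standing in for the Windows CA, packs the pair into a PKCS#12 file as the MMC export would, splits the private key back out, and verifies that the split-out key actually belongs to the certificate. The subject name, file names, PFX password and lab CA are all assumptions; it assumes OpenSSL 1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. All names here are hypothetical.
# Walks the two halves of a certificate request (private key kept locally, CSR
# sent to the CA), the signed certificate coming back, the PKCS#12 export, the
# split back out, and a check that key and certificate really belong together.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/CN=firewall.example.test"   # hypothetical admin-interface hostname
PFX_PASS="pass:changeit"           # hypothetical export password

# Stand-in for the Windows CA in the thread: a throwaway self-signed root.
make_lab_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Parts (1) and (2) of the reply: the CSR carries the public key and goes to
# the CA; the private key never leaves this machine.
make_request() {
    openssl req -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
}

# What the CA hands back: a signed certificate containing only the public key.
ca_sign() {
    openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/fw.crt" 2>/dev/null
}

# The "married up" check: hash the DER SubjectPublicKeyInfo derived from the
# private key and the one inside the certificate; they must be identical.
# Works for RSA and EC keys alike. Returns 0 on a match, 1 otherwise.
key_matches_cert() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256 | awk '{print $NF}')
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Equivalent of the MMC export with "Yes, export the private key" selected:
# key, leaf certificate and issuing CA bundled into one password-protected PFX.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/fw.key" -in "$WORK/fw.crt" \
        -certfile "$WORK/ca.crt" -passout "$PFX_PASS" -out "$WORK/fw.pfx"
}

# Split the PFX back into the two files a firewall upload form asks for:
# -nocerts/-nodes gives only the unencrypted private key, -clcerts/-nokeys
# gives only the leaf certificate.
split_pfx() {
    openssl pkcs12 -in "$WORK/fw.pfx" -passin "$PFX_PASS" -nocerts -nodes \
        -out "$WORK/fw-from-pfx.key" 2>/dev/null
    openssl pkcs12 -in "$WORK/fw.pfx" -passin "$PFX_PASS" -clcerts -nokeys \
        -out "$WORK/fw-from-pfx.crt" 2>/dev/null
}

# Whole sequence; succeeds only if the split-out key matches the certificate.
run_all() {
    make_lab_ca && make_request && ca_sign && export_pfx && split_pfx \
        && key_matches_cert "$WORK/fw-from-pfx.key" "$WORK/fw-from-pfx.crt"
}

# Usage: sh this_script.sh   (files are left in $WORK for inspection)
run_all && echo "split-out key matches certificate in $WORK"
```

The pairing check is the one step worth keeping for real use: run it on whatever key and certificate you are about to upload, because a firewall that is handed a certificate and an unrelated key will usually fail with an unhelpful error. Note that this example can always export the key because OpenSSL keeps it in a plain file; on Windows the same export is only possible if the key was marked exportable when the request was created, which is what the rest of the thread turns on.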

Author Comment

ID: 41882593
I'm running Server 2012 R2 as the CA.  On that server I hit servername/certsrv, requested a certificate and selected "Create and submit a request to this CA".  I used the Web Server template and filled in all the necessary info; the "Mark keys as exportable" option was greyed out.  I downloaded and installed that cert on the actual CA since that's where I generated the request from.  I launched Certificates from the MMC, selected the new cert, right-clicked and selected Export.  The option for "Yes, export the private key" is greyed out.  Any ideas on this?

Accepted Solution

Rich Weissler earned 2000 total points
ID: 41882615
Is it possible someone has altered the 'Web Server' template?  I suspect the request handling for that template has 'Allow private key to be exported' unchecked.  That'll be a problem if you later try to use a certificate from that template for IIS (IIS will often have problems using a certificate that was created such that the private key can't be exported).

I'd suggest copying the template and, on the Request Handling tab, making certain 'Allow private key to be exported' is checked.  Then go through the steps you went through before to make a new certificate, making certain you select the option to export the private key.

Author Closing Comment

ID: 41882875
Thank you Rich, that was the issue, appreciate the help
