Solved

Requesting private key file from web certificate

Posted on 2016-11-10
Last Modified: 2016-11-10
I'm trying to apply a certificate to the admin interface on my firewall so that it isn't nagging me about it not being trusted. I installed certificate services on a Server 2012R2 server and created a web cert request and downloaded the newly created cert. When I attempted to apply it to my firewall it's asking for the private key file. I can't figure out how to obtain this.
Question by:bsjj2727
4 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41882580
When you generated the certificate request -- that creates two parts:
(1) the request file (public key), which gets submitted to the CA for its signature.
(2) the private key, which on a Windows machine using the certreq tool is normally stored in the certificate store for the user or machine.

If you've received a file back from the CA, you have a signed public key which still needs to be married up to the private key.  On the machine you used to generate the request, use the same tool to 'accept' the signed file you got back from the CA.
(If you used the certificate snap-in for MMC, use that... if you used certreq, use that tool with the "-accept" option pointed to the file you got back.  If you used IIS and obtained a domain certificate... it'll have already married up the components.)

Once you have that, you can export the certificate back out of the certificate store, and include the private key in the export.
(For this, I use MMC, then open the snap-in for Certificates -- and either User or Machine (depending on how you requested the cert) -- Personal/Certificates... select the certificate, right-click 'all tasks/Export'.)
If you need to then split out the private key from the certificate file, I use OpenSSL.  If you use that tool, I believe the relevant command is:
openssl pkcs12 -in ExportedCertFile.pfx -out PrivateKey.pem -nodes

 

Author Comment

by:bsjj2727
ID: 41882593
I'm running Server 2012 R2 as the CA. On that server I hit servername/certsrv, requested a certificate, and selected "create and submit a request to this CA". I used the Web Server template and filled in all the necessary info; the "mark keys as exportable" option was greyed out. I downloaded and installed that cert on the actual CA, since that's where I generated the request from. I launched Certificates from the MMC, selected the new cert, right-clicked and selected Export. The option for "Yes, export the private key" is greyed out. Any ideas on this?
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 2000 total points
ID: 41882615
Is it possible someone has altered the 'Web Server' template?  I suspect the request handling for that template has the 'Allow private key to be exported' unchecked.  That'll be a problem if you try later to use a certificate from that template for IIS (often IIS will have problems using the certificate when the certificate is created such that the private key can't be exported.)

I'd suggest copying the template, and on the request handling tab make certain 'allow private key to be exported' is checked.  Then go thru the steps you went thru before to make a new certificate, making certain you select the option to export the private key.
0
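
The procedure from the two answers above, run end to end with certreq, as an added example that is not part of the original thread. Assumptions (all hypothetical): the host name fw01.example.local, the CA config string CA01\Example-CA, the working folder C:\certs, a template named WebServer (substitute the name of your copied template), user-context enrollment, and openssl.exe on PATH.

```powershell
# Added example, not from the thread. Hypothetical names: fw01.example.local,
# CA01\Example-CA, C:\certs. Run on the machine that should hold the private key.
$dir = 'C:\certs'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# Request settings. Exportable = TRUE is what keeps "export the private key"
# available later; without it the key pair is created non-exportable.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=fw01.example.local"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path "$dir\fw01.inf" -Encoding ASCII

# 1. Generate the key pair (stays in the user's store) and the request file.
certreq -new "$dir\fw01.inf" "$dir\fw01.req"
# 2. Submit the request to the CA and save the signed certificate.
certreq -submit -config 'CA01\Example-CA' "$dir\fw01.req" "$dir\fw01.cer"
# 3. Pair the signed certificate with the stored private key.
certreq -accept "$dir\fw01.cer"

# 4. Confirm the pairing worked, then export certificate + key as a PFX.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=fw01.example.local' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert.HasPrivateKey) { throw 'Certificate missing or has no private key' }
$pw = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$dir\fw01.pfx" -Password $pw | Out-Null

# 5. Split the PFX into separate PEM files for the firewall.
#    -nocerts writes only the key and prompts for a passphrase to protect it.
openssl pkcs12 -in "$dir\fw01.pfx" -nocerts -out "$dir\fw01-key.pem"
#    -clcerts -nokeys writes only the server certificate.
openssl pkcs12 -in "$dir\fw01.pfx" -clcerts -nokeys -out "$dir\fw01-cert.pem"
```

Adding -nodes, as in the command quoted earlier in the thread, writes the key unencrypted; if the firewall requires that form, restrict access to the file and delete it and the PFX once the import is done.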
 

Author Closing Comment

by:bsjj2727
ID: 41882875
Thank you Rich, that was the issue, appreciate the help