Requesting private key file from web certificate

Posted on 2016-11-10
Last Modified: 2016-11-10
I'm trying to apply a certificate to the admin interface on my firewall so that it isn't nagging me about it not being trusted. I installed certificate services on a Server 2012 R2 server, created a web cert request and downloaded the newly created cert. When I attempted to apply it to my firewall it asked for the private key file; I can't figure out how to obtain this.
Question by:bsjj2727
4 Comments
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41882580
When you generated the certificate request, that created two parts:
(1) the request file (public key), which gets submitted to the CA for its signature.
(2) the private key, which on a Windows machine using the certreq tool is normally stored in the certificate store for the user or machine.

If you've received a file back from the CA, you have a signed public key which still needs to be married up to the private key.  On the machine you used to generate the request, use the same tool to 'accept' the signed file you got back from the CA.
(If you used the certificate snap-in for MMC, use that... if you used certreq, use that tool with the "-accept" option pointed to the file you got back.  If you used IIS and obtained a domain certificate... it'll have already married up the components.)

Once you have that, you can export the certificate back out of the certificate store, and include the private key in the export.
(For this, I use MMC, then open the snap-in for Certificates -- and either User or Machine (depending on how you requested the cert) -- Personal/Certificates... select the certificate, right-click 'all tasks/Export'.)
If you need to then split out the private key from the certificate file, I use OpenSSL. If you use that tool, I believe the relevant command is:
openssl pkcs12 -in ExportedCertFile.pfx -out PrivateKey.pem -nodes -nocerts

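The certreq workflow the answer above describes, written out as an added PowerShell example (it is not code from the thread). It runs on the machine that will hold the private key; the host names, paths, CA config string and template name are assumptions.

```powershell
# Added example (not from the thread): request, accept and export a web server
# certificate with certreq, keeping the private key exportable.
# Single-quoted here-string so "$Windows NT$" is not interpolated.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=fw-admin.example.local"     ; assumed firewall admin hostname
KeyLength = 2048
Exportable = TRUE          ; key may later leave the store inside a PFX
MachineKeySet = TRUE       ; keep it under LocalMachine, not the current user
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
KeySpec = 1
KeyUsage = 0xA0            ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; serverAuth

[RequestAttributes]
CertificateTemplate = WebServer
'@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\fw-admin.inf -Value $inf

# 1) Create the key pair and the PKCS#10 request. The private key is generated
#    now and parked in the LocalMachine\REQUEST store until a cert is accepted.
certreq -new C:\certs\fw-admin.inf C:\certs\fw-admin.req

# 2) Submit to the enterprise CA. "host\CA name" is the Config value that
#    'certutil -dump' prints for the CA; the value here is an assumption.
certreq -submit -config 'ca01.example.local\Example-Issuing-CA' C:\certs\fw-admin.req C:\certs\fw-admin.cer

# 3) Accept the issued certificate: this marries it to the pending private
#    key and moves the pair into LocalMachine\My.
certreq -accept C:\certs\fw-admin.cer

# 4) Confirm a private key is bound before trying to export anything.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=fw-admin.example.local' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($null -eq $cert -or -not $cert.HasPrivateKey) {
    throw 'Certificate not found in LocalMachine\My, or no private key is bound to it'
}

# 5) Export certificate + key as a password-protected PFX for the firewall.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath C:\certs\fw-admin.pfx -Password $pfxPassword
```

With certreq -new, the INF's Exportable setting governs key generation; enrolling through the certsrv web page or the MMC wizard instead takes it from the template's request-handling setting, which is the flag the accepted answer describes. If the firewall wants a separate PEM key rather than a PFX, the openssl pkcs12 command from the answer converts the exported file.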

Author Comment

by:bsjj2727
ID: 41882593
I'm running Server 2012 R2 as the CA. On that server I hit servername/certsrv and requested a certificate, selected "create and submit a request to this CA", used the Web Server template and filled in all the necessary info; the "mark keys as exportable" option was greyed out. I downloaded and installed that cert on the actual CA since that's where I generated the request from. I launched Certificates from the MMC, selected the new cert, right-clicked and selected Export. The option for "Yes, export the private key" is greyed out; any ideas on this?
 
LVL 30

Accepted Solution

by:Rich Weissler (earned 2000 total points)
ID: 41882615
Is it possible someone has altered the 'Web Server' template?  I suspect the request handling for that template has the 'Allow private key to be exported' unchecked.  That'll be a problem if you try later to use a certificate from that template for IIS (often IIS will have problems using the certificate when the certificate is created such that the private key can't be exported.)

I'd suggest copying the template, and on the request handling tab make certain 'allow private key to be exported' is checked. Then go through the steps you went through before to make a new certificate, making certain you select the option to export the private key.
 
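A quick way to confirm the accepted answer's suspicion before copying the template: read the template object from the Configuration partition and test its CT_FLAG_EXPORTABLE_KEY bit. This is an added PowerShell example, not code from the thread; it assumes a domain-joined machine that can read the Configuration partition, and that the template's common name is WebServer (the built-in "Web Server" template) or whatever copy you created.

```powershell
# Added example (not from the thread): does a certificate template allow
# private-key export? Reads msPKI-Private-Key-Flags via ADSI.
function Test-TemplateKeyExportable {
    param([Parameter(Mandatory)][string]$TemplateName)

    # CT_FLAG_EXPORTABLE_KEY bit of msPKI-Private-Key-Flags
    $CT_FLAG_EXPORTABLE_KEY = 0x10

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template = [ADSI]$path
    try {
        $template.RefreshCache()   # throws if the object does not exist
    } catch {
        throw "Template '$TemplateName' not found under $configNc"
    }

    $flags = [int]$template.Properties['msPKI-Private-Key-Flags'].Value
    [pscustomobject]@{
        Template        = $TemplateName
        PrivateKeyFlags = ('0x{0:X8}' -f $flags)
        KeyExportable   = (($flags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
    }
}

# Compare the stock template with the copy the answer suggests creating
# ('WebServerExportable' is an assumed name for that copy).
Test-TemplateKeyExportable -TemplateName 'WebServer'
Test-TemplateKeyExportable -TemplateName 'WebServerExportable'
```

KeyExportable = False on the template the asker used matches the greyed-out "mark keys as exportable" and "export the private key" options. Keep the exportable copy scoped to the purpose it serves (restrict enrollment permissions to the accounts that need it), since an exportable key is one that can also be copied out by anyone with access to the store.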

Author Closing Comment

by:bsjj2727
ID: 41882875
Thank you Rich, that was the issue, appreciate the help