Solved

Requesting private key file from web certificate

Posted on 2016-11-10
Last Modified: 2016-11-10
I'm trying to apply a certificate to the admin interface on my firewall so that it isn't nagging me about it not being trusted. I installed certificate services on a Server 2012R2 server and created a web cert request and downloaded the newly created cert. When I attempted to apply it to my firewall it's asking for the private key file, I can't figure out how to obtain this?
0
Question by:bsjj2727
LVL 29

Expert Comment

by:Rich Weissler
ID: 41882580
When you generated the certificate request -- that creates two parts:
(1) the request file (public key), which gets submitted to the CA for its signature.
(2) the private key, which on a Windows machine using the certreq tool is normally stored in the certificate store for the user or machine.

If you've received a file back from the CA, you have a signed public key which still needs to be married up to the private key.  On the machine you used to generate the request, use the same tool to 'accept' the signed file you got back from the CA.
(If you used the certificate snap-in for MMC, use that... if you used certreq, use that tool with the "-accept" option pointed to the file you got back.  If you used IIS and obtained a domain certificate... it'll have already married up the components.)

Once you have that, you can export the certificate back out of the certificate store, and include the private key in the export.
(For this, I use MMC, then open the snap-in for Certificates -- and either User or Machine (depending on how you requested the cert) -- Personal/Certificates... select the certificate, right-click 'all tasks/Export'.)
If you need to then split out the private key from the certificate file, I use OpenSSL.  If you use that tool, I believe the relevant command is:
openssl pkcs12 -in ExportedCertFile.pfx -out PrivateKey.pem -nodes

0
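
The split-and-check step from the comment above, as an added example that is not part of the original thread: it separates an exported PFX into a key file and a certificate file with openssl and confirms the two belong together before either is uploaded to the firewall. The function names, the sample password and the self-signed PFX built as stand-in input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All names and values below are constructed.

# make_sample_pfx DIR PASSWORD: builds a throwaway self-signed PFX that stands
# in for the file exported from the Windows certificate store.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fw.example.test" \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    PFX_PASS=$2 openssl pkcs12 -export -inkey "$1/orig.key" -in "$1/orig.crt" \
        -passout env:PFX_PASS -out "$1/ExportedCertFile.pfx"
}

# split_pfx PFX PASSWORD OUTDIR: writes OUTDIR/key.pem and OUTDIR/cert.pem.
# Runs in a subshell so the tightened umask does not leak into the caller.
split_pfx() (
    umask 077                          # key file readable by the owner only
    PFX_PASS=$2; export PFX_PASS       # keep the password off the command line
    # -nocerts: private key only. -nodes leaves it unencrypted on disk, so
    # delete key.pem once the firewall has accepted it.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
        -out "$3/key.pem" 2>/dev/null &&
    # -clcerts -nokeys: the leaf certificate only, no key material.
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
        -out "$3/cert.pem" 2>/dev/null
)

# key_matches_cert KEY CERT: succeeds only if the public key derived from the
# private key is identical to the public key inside the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demonstration on the constructed PFX.
tmp=$(mktemp -d) &&
    make_sample_pfx "$tmp" 'S4mple-pass' &&
    split_pfx "$tmp/ExportedCertFile.pfx" 'S4mple-pass' "$tmp" &&
    key_matches_cert "$tmp/key.pem" "$tmp/cert.pem" &&
    echo "key.pem and cert.pem belong together"
rm -rf "$tmp"
```

If `key_matches_cert` fails, the signed certificate was paired with a different request than the one whose key is in the store, and the firewall would reject the upload for the same reason.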
 

Author Comment

by:bsjj2727
ID: 41882593
I'm running Server 2012 R2 as the CA. On that server I hit servername/certsrv, requested a certificate, and selected the "create and submit a request to this CA" option. I used the Web Server template and filled in all the necessary info; the "mark keys as exportable" option was greyed out. I downloaded and installed that cert on the actual CA since that's where I generated the request from. I launched Certificates from the MMC, selected the new cert, right-clicked and selected Export. The option for "Yes, export the private key" is greyed out. Any ideas on this?
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 41882615
Is it possible someone has altered the 'Web Server' template?  I suspect the request handling for that template has the 'Allow private key to be exported' unchecked.  That'll be a problem if you try later to use a certificate from that template for IIS (often IIS will have problems using the certificate when the certificate is created such that the private key can't be exported.)

I'd suggest copying the template, and on the request handling tab make certain 'allow private key to be exported' is checked.  Then go thru the steps you went thru before to make a new certificate, making certain you select the option to export the private key.
0
 

Author Closing Comment

by:bsjj2727
ID: 41882875
Thank you Rich, that was the issue, appreciate the help
0

Question has a verified solution.
