Solved

Requesting private key file from web certificate

Posted on 2016-11-10
4
15 Views
Last Modified: 2016-11-10
I'm trying to apply a certificate to the admin interface on my firewall so that it isn't nagging me about it not being trusted.  I installed certificate services on a Server 2012R2 server and created a web cert request and downloaded the newly created cert.  When I attempted to apply it to my firewall it's asking for the private key file, I dont' figure out how to obtain this?
0
Comment
Question by:bsjj2727
  • 2
  • 2
4 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
Comment Utility
When you generated the certificate request -- that creates two parts:
(1) the request file (public key), which gets submitted to the CA for it's signature.
(2) the private key, which on a windows machine using the certreq tool is normally stored in the certificate store for the user or machine.

If you've received a file back from the CA, you have a signed public key which still needs to be married up to the private key.  On the machine you used to generate the request, use the same tool to 'accept' the signed file you got back from the CA.
(If you used the certificate snap-in for MMC, use that... if you used certreq, use that tool with the "-accept" option pointed to the file you got back.  If you used IIS and obtained a domain certificate... it'll have already married up the components.)

Once you have that, you can export the certificate back out of the certificate store, and include the private key in the export.
(For this, I use MMC, then open the snap-in for Certificates -- and either User or Machine (depending on how you requested the cert) -- Personal/Certificates... select the certificate, right-click 'all tasks/Export'.)
If you need to then split out the private key from the certificate file, I use OpenSSL.  If you use that tool, I believe the relevant command is:
openssl pkcs12 -in ExportedCertFile.pfx -out PrivateKey.pem -nodes

Open in new window

0
 

Author Comment

by:bsjj2727
Comment Utility
I'm running server 2012 R2, as the CA, on that server I hit servername/certsrv and requested a certificate and selected the create and submit a request to this CA, I used the Web Server template and filled in all the necessary info, the mark keys as exportable was greyed out.  I downloaded and installed that cert on the actual CA since thats where I generated the request from.  I launched certificates from the MMC and selected the new cert and right clicked and selected export.  The option for Yes, export the private key is greyed out, any ideas on this?
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
Comment Utility
Is it possible someone has altered the 'Web Server' template?  I suspect the request handling for that template has the 'Allow private key to be exported' unchecked.  That'll be a problem if you try later to use a certificate from that template for IIS (often IIS will have problems using the certificate when the certificate is created such that the private key can't be exported.)

I'd suggest copying the template, and on the request handling tab make certain 'allow private key to be exported' is checked.  Then go thru the steps you went thru before to make a new certificate, making certain you select the option to export the private key.
0
 

Author Closing Comment

by:bsjj2727
Comment Utility
Thank you Rich, that was the issue, appreciate the help
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
Know what services you can and cannot, should and should not combine on your server.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now