views:

496

answers:

1

Hi guys,

Two simple questions about makecert command,

  1. Suppose I am using the following command,

makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine

my confusion is, will the private key automatically be registered somewhere in the certificate manager, or will the private key just be in the file root.pvk?

  2. Suppose I am using the following command,

makecert -r -pe -n "CN=XYZ Company" -ss my, my confusion is -- after executing this command, where is the private key stored (since I did not specify the -pe option, the private key is not embedded in the certificate, but where is it)?

regards, George

+1  A: 

Even without the -pe (enable private key export) the private key should still be stored in the certificate store you have specified. In your example that store is the LocalMachine physical store and the TrustedRoot logical store. You can check by opening up mmc (start->run->mmc) and adding the Certificates snap in and selecting "Computer Account" as the store.

An even simpler test is:

makecert -sk myKey -n "CN=test" -ss my -pe

Then start->run->certmgr.msc (which opens the certificate manager for the local user store) and check the Personal certificate store. In there you should have a certificate called test with a private key attached.

You can then right click the certificate and export it to a .pfx file to get a single file that has the certificate AND the private key embedded.

Edit: The -pe option stands for private key exportable. If -pe is used you will have the option of exporting the key from certmgr with the private key. If you don't use -pe then you will not get the option of exporting the private key (my comment below should say "without -pe" not "with -pe").

sipwiz
Cool, sipwiz! I have tried to run your command with -pe, and in the cert manager it is still displayed as a private key attached to the certificate. I am very confused about what the function of using -pe is. What are the differences between using and not using this option?
George2
If you right click on the cert and select export you will be able to include the private key. If you create the cert with -pe you don't get that option.
sipwiz
Sorry, sipwiz, another issue. For exporting to a pfx file, I can understand that a usage scenario of exporting the certificate could be letting others install it as a trusted publisher. But what is the usage scenario of exporting the private key together with it?
George2
Thanks sipwiz, from your help, I think the answer to my 1st question is that the private key will be embedded both in the certificate and in the file root.pvk, correct? And the answer to my second question is that the private key will be embedded in the certificate, correct?
George2
If you want to be able to use the certificate for anything useful such as authentication on an SSL stream you must have access to the private key. The .pfx file is not an X509 certificate format but is a container format that can hold certificates and keys making it easy to transport them around.
sipwiz
Thanks sipwiz, in theory the private/public key and certificate are enough to do SSL authentication. So in theory, a certificate with an exportable private key should contain all the things we need. Could you explain more about what you mean by the benefit of "transport them around" please?
George2
sipwiz
Hi sipwiz, I executed the command makecert -sk XYZ -n "CN=XYZ Company" testXYZ.cer. I expected there would be a key container called "XYZ" in the certificate manager snap-in, but after executing it, there is no XYZ found. Any ideas?
George2
Thanks sipwiz, I think making the private key exportable in the certificate, copying the certificate to another computer, and then importing it into the Personal folder is also very efficient. I want to learn why using a pfx file to do the exchange is better? :-)
George2
I expect the -sk parameter can only specify a pre-existing certificate store. When you use "-sk my" it puts the certificate in the Personal store, and I'd recommend using that one unless there is a specific reason not to.
sipwiz
Thanks sipwiz, 1. do you have any documents mentioning that -sk can only work with an existing key container? 2. I want to know why using a pfx file to exchange is better than using the certificate itself -- the certificate contains the public/private key, so it should be enough to achieve the purpose.
George2
No, I don't have any docs for -sk; the main reference I know of is the makecert reference on MSDN. The X509 certificate files produced by makecert DON'T contain private keys; that's why you need to export to a .pfx file, which is just another certificate format anyway.
sipwiz
Thanks sipwiz, if we assign the -pe option, we can export the private key from the certificate. But why do you say "DON'T contain private keys"? I think if we assign the -pe option, then we can export the private key from the certificate, so there is no need to use a pfx file any more? Any comments?
George2
The -pe option lets you export the private key from the Windows certificate store. There is no way with makecert, with or without -pe, to get the private key and cert into a single file. If you want the priv. key and cert in the same file, using -pe and exporting from the cert store is the best way.
sipwiz
http://msdn.microsoft.com/en-us/magazine/cc163454.aspx
sipwiz
Cool, sipwiz! I want to learn in what situations a certificate with an exportable private key is not enough, and we need the pfx file?
George2
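As an added example (not from the original thread), a PowerShell script that checks what the answer describes: whether the certificate in the Personal store has a private key linked to it, whether -pe made that key exportable, which key container (the -sk name) holds it, and that a .cer file on its own carries no private key. Assumed names: the subject CN=test and container myKey come from the answer's makecert command; the file paths under $env:TEMP and the use of Export-PfxCertificate (PKI module, Windows 8 and later) are my choices.

```powershell
# Added example (not part of the original thread): inspect a makecert
# certificate in the CurrentUser Personal store, show where its private key
# lives, whether -pe made it exportable, and which -sk key container holds it.
# Assumes: the answer's command  makecert -sk myKey -n "CN=test" -ss my -pe
# was run first, and Export-PfxCertificate (PKI module, Windows 8+) is present.
$Subject   = 'CN=test'                 # subject from the answer's command
$StorePath = 'Cert:\CurrentUser\My'    # -ss my == Personal store of the current user

function Get-PrivateKeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $info = [ordered]@{
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey   # key linked to the cert in the store
        Exportable    = $null                 # $true only when -pe was used
        KeyContainer  = $null                 # the -sk name for a CSP key
    }
    if ($Cert.HasPrivateKey) {
        try {
            # makecert creates CSP (RSACryptoServiceProvider) keys, so the
            # container metadata is reachable through CspKeyContainerInfo
            $csp = $Cert.PrivateKey.CspKeyContainerInfo
            $info.Exportable   = $csp.Exportable
            $info.KeyContainer = $csp.KeyContainerName
        } catch {
            $info.Exportable = "unknown: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$info
}

$cert = Get-ChildItem $StorePath | Where-Object Subject -eq $Subject | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in $StorePath" }
$report = Get-PrivateKeyInfo -Cert $cert
$report | Format-List

# A .cer (as makecert writes it, or as exported here) holds only the public
# certificate: reloaded from disk, HasPrivateKey is False, hence the .pfx.
$cerPath = Join-Path $env:TEMP 'test.cer'
[IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))   # DER, public part only
$fromDisk = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
"HasPrivateKey when loaded from .cer: $($fromDisk.HasPrivateKey)"

# Only an exportable key (-pe) can be bundled with the cert into one .pfx.
if ($report.Exportable -eq $true) {
    $pw = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath (Join-Path $env:TEMP 'test.pfx') -Password $pw | Out-Null
    "Exported certificate and private key to $env:TEMP\test.pfx"
}
```

Run it after the makecert command from the answer; with -pe omitted the report shows HasPrivateKey True but Exportable False, and the .pfx step is skipped.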