ansaurus

Question

where is private key?

Answer 1

+1 A:

Even without the -pe (enable private key export) the private key should still be stored in the certificate store you have specified. In your example that store is the LocalMachine physical store and the TrustedRoot logical store. You can check by opening up mmc (start->run->mmc) and adding the Certificates snap in and selecting "Computer Account" as the store.

An even simpler test is:

makecert -sk myKey -n "CN=test" -ss my -pe

Then start->run->certmgr.msc (which opens the certificate manager for the local user store) and check the Personal certificate store. In there you should have a certificate called test with a private key attached.

You can then right click the certificate and export it to a .pfx file to get a single file that has the certifcate AND the private key embedded.

Edit: The -pe option stands for private key exportable. If -pe is used you will have the option of exporting the key from certmgr with the private key. If you don't use -pe then you will not get the option of exporting the private key (my comment below should say "without -pe" not "with -pe").

sipwiz 2009-03-18 12:15:45

Cool, sipwiz! I have tried to run your command with -pe, and in the cert manager, it is still displayed as a private key is attached with certificate. I am very confused what is the function of using -pe? Differences of using and without using this option?

George2 2009-03-18 13:52:22

If you right click on the cert and select export you will be able to include the private key. If you create the cert with -pe you don't get that option.

sipwiz 2009-03-18 13:54:09

Sorry, sipwiz, another issue. For exporting to pfx file, I can understand usage scenario of exporting certificate could be letting others intall it as a trusted publisher. But what is the usage scenario of exporting provate key together?

George2 2009-03-18 13:54:32

Thanks sipwiz, from your help, I think the answer to my 1st question is, private key will be embedded in both certificate and in file root.pvk, correct? And the answer to my second question is private key will be embedded in certificate, correct?

George2 2009-03-18 13:59:14

If you want to be able to use the certificate for anything useful such as authentication on an SSL stream you must have access to the private key. The .pfx file is not an X509 certificate format but is a container format that can hold certificates and keys making it easy to transport them around.

sipwiz 2009-03-18 22:16:49

Thanks sipwiz, in theory private/public key and certificate is enough to so SSL authentication. So in theory, a certificate with exportable private key should contains all things we need. Could you explain moer abuot what do you mean benefit like "transport them around" please?

George2 2009-03-19 04:55:35

sipwiz 2009-03-19 05:27:03

Hi sipwiz, I execute command makecert -sk XYZ -n "CN=XYZ Company" testXYZ.cer, I expect there could be a key container called "XYZ" in certificate manager snap-in, but after executing, there is no XYZ found. Any ideas?

George2 2009-03-19 06:42:27

Thanks sipwiz, I think making private key exportable in certificate and copy certificate to another computer, then import to personal folder is also very efficient. I want to learn why using pfx file to do exchange is better? :-)

George2 2009-03-19 06:43:26

I expect the sk parameter can only specify a pre-existing ceritificate store. When you use "-sk my" it puts the certificate in the personal store and I'd recommend using that one unless there is a specific reason not to.

sipwiz 2009-03-19 10:44:06

Thanks sipwiz, 1. do you have any documents mentioning -sk can only work with existing key container? 2. I want to know why using pfx file to exchange is better than using certificate itself -- certificate contains public/private key, should be able to achieve the purpose enough.

George2 2009-03-19 12:00:39

No I don't have any docs for -sk, the main reference I know of is the makecert reference on MSDN. The X509 certificate files produced by makecert DON'T contain private keys that's why you need to export to a .pfx file which is just another certificate format anyway.

sipwiz 2009-03-19 13:14:18

Thanks sipwiz, if we assign -pe option, we could export private key from certiticate. But why you say "DON'T contain private keys"? I think if we assign -pe option, then we could export private key from certificate, no need to use pfx file any more? Any comments?

George2 2009-03-19 13:20:50

The -pe option lets you export the private key from the Windows certificate store. There is no way with makecert, with or without -pe, to get the private key and cert into a single file. If you want the priv. key and cert in the same file using -pe and exporting from cert store is the best way.

sipwiz 2009-03-19 13:33:31

http://msdn.microsoft.com/en-us/magazine/cc163454.aspx

sipwiz 2009-03-19 13:49:54

Cool, sipwiz! I want to learn in what situations certificate with exportable private key is not enough, and we have to need the pfx file?

George2 2009-03-20 09:40:37

ansaurus

tags:

views:

answers:

where is private key?

related questions