Hello everyone,

If we make the private key exportable (using -pe option in makecert), then in theory we have both an exportable private key and the public key (public key in certificate) -- which can be transferred or imported to another machine.

So, my question is, why do we still need to create the .pfx file (key exchange file, which contains private and public keys) -- shouldn't making the private key exportable in the certificate do anything we want? Are there any scenarios a pfx file could cover which making the private key exportable in the certificate could not achieve?

thanks in advance, George

+1  A: 

Your pfx file can be password protected, that would add a layer of protection

Sébastien Nussbaumer
Thanks Sébastien, I think in the certificate the private key is also encrypted. I cannot see a strong reason in what scenarios a pfx file is better and a must -- than a certificate with an exportable private key.
George2
+3  A: 

Is there a makecert command line you have found that will generate a certificate file that includes a private key? I never have. I have seen someone allude to the fact that there is a version of makecert that can produce .pfx files but also have never seen that.

That means at the very best you can create TWO files with makecert if you want a private key file. One for the certificate and one for the private key. You can copy both those files to another computer and import them using makecert.

The advantage of the .pfx certificate format is that you can combine the two files with the certificate and private key into one. This is more convenient and also means you can use the file with the .Net X509Certificate2 class for use with an SslStream.

sipwiz
"Is there a makecert command line you have found that will generate a certificate file that includes a private key? I never have." -- I mean makecert -pe. Any comments?
George2
The -pe command won't include the private key in the certificate file. You can check that for yourself by using -pe, copying the cert file to another computer, and importing it; you will see there is no private key.
sipwiz
I am confused. -pe in MSDN said it is used to make private key exportable. Could you help to clarify please?
George2
Here is what MSDN said: "-pe Marks the generated private key as exportable. This allows the private key to be included in the certificate." http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
George2
But only after you import and then export using the certmgr. It's easy for you to verify, try the test I mentioned above.
sipwiz
Hi sipwiz, correct me if I understand you wrong. I have tried it: if we use the -pe option, we can export the certificate with the private key from the certificate manager. If the certificate is not made with the -pe option, there is no option to export the private key in the certificate manager when exporting a certificate.
George2
(continued) Is my above understanding and experiment correct? Thanks and have a good weekend.
George2
Yes that's correct.
sipwiz
A: 

To point out what Sébastien already mentioned:
Your PFX file can be password protected.
That adds ANOTHER layer of security.

The key can be encrypted with a password, right. But for most server applications this is not suitable, because a key's password must be entered via keyboard each time it gets "used" (each time you restart your server, restart the server application, ..).

If you export your key+certificate in a password-encrypted PFX and you copy that file to your USB stick and it gets stolen, you are safe. Well, I don't know how strong the PFX encryption methods are, but at least not just anybody can use it.
In some companies, the stolen key+certificate could cost you a lot of reputation if not your job.. a situation which could have been easily avoided by encrypting key+certificate in a PFX container.

Another bonus is that you can import that keypair with an easy double-click (and a password) and start using it in IIS.

Kaii
+1  A: 

The problem is, the X509 Certificate standard (the certificate) does not include the private key. The certificate contains the subject public key info (aka, the public key) and information about the holder of the private key, but the standard does not support including the private key. This is the basic idea of PKI - the certificate is the public info you share with the world, the private key is something you hold very securely.

Making a private key exportable in any mechanism (for example, makecert) means you are telling that product that the key can be exported. It doesn't specify the file format that you would use to store it. A pfx file is one way of storing the private key - it uses the PKCS 12 standard. Java Key Stores (*.jks) are another way to do the same thing. Most commercially supported standards have similar common features - they protect the private key by encrypting it. The encryption can be unlocked using a password. They couple the private key with the certificate that describes it.

bethlakshmi
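An added example (not part of the thread, and not Microsoft's makecert/pvk2pfx tooling): the workflow sipwiz and bethlakshmi describe, done with the OpenSSL CLI as a stand-in. It shows that the certificate file on its own carries no private key, that the PKCS#12 (.pfx) container bundles certificate and key into one file, and that the bundle cannot be opened without its password. It assumes `openssl` is on the PATH; the file names and the password are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: OpenSSL stand-in for makecert + pvk2pfx.
# Assumes the openssl CLI is installed; paths and the password are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS='constructed-demo-password'

# 1. Key pair + self-signed certificate (the makecert step on Windows).
#    -nodes leaves key.pem unencrypted so the demo needs no interactive prompt.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=pfx-demo' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Also emit the DER form makecert writes as a .cer file.
openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.cer"

# Exit 0 if the file holds a PEM private-key block, 1 otherwise.
has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Exit 0 if openssl parses the file as a bare X.509 certificate in DER form.
is_der_cert() {
    openssl x509 -inform DER -in "$1" -noout 2>/dev/null
}

# 2. Bundle certificate + key into one password-protected PKCS#12 file
#    (the pvk2pfx step). The key inside is encrypted under PFX_PASS.
build_pfx() {
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/bundle.pfx" -passout "pass:$PFX_PASS"
}

# 3. Unpack the PFX with the password given as $1. Exit 0 on success;
#    non-zero (MAC verification fails) when the password is wrong.
unpack_pfx() {
    openssl pkcs12 -in "$WORK/bundle.pfx" -nodes -passin "pass:$1" \
        -out "$WORK/unpacked.pem" 2>/dev/null
}

build_pfx
if has_private_key "$WORK/cert.pem"; then echo "cert.pem: contains a private key (unexpected)"
else echo "cert.pem: certificate only, no private key"; fi
if unpack_pfx 'wrong-password'; then echo "pfx: opened with wrong password (unexpected)"
else echo "pfx: refused the wrong password"; fi
unpack_pfx "$PFX_PASS" && echo "pfx: opened with the right password, key + cert recovered"
```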
A: 

If you want to build a PFX file, you should have both the x509 cert (public key) and the private key file, which you can generate using the makecert command. The PFX can be generated using the PVk2PFX command, which you can find in the Microsoft SDK installation directory.

Bardia Daraei