2

I am trying to use certificates and private keys on embedded systems that were generated from Microsoft Active Directory Certificate Services . NDES and SCEP are currently out of scope so it will need to be semi-manual.

I am using the Microsoft web tool on our AD CA server at https://server/certsrv . I am able to go through and generate a response without a CSR, and export the private key with the cert. The response is a page that asks me to "Install This certificate" or "Save the response".

If I run the "Install This Certificate" option, the Windows Certmgr application shows that I have imported the certificate and I have the Private Key. This can then be exported as a PKCS#12 file, which can be used or converted to PEM. However, If I use the "Save the Response" option and store the file as a p7b (as indicated by certutil when examining the response file), and then I use the p7b file to import the certificates, there is not private key available. This is consistent, as I would not expect a PKCS#7 file to store private keys.

My question:

The PKCS#7 file format doesn't seem to support private keys and OpenSSL doesn't seem to support extracting private keys from a PKCS#7 file. Is there a way to use the certsrv web tool and obtain both the cert and the private key without having to "Install This Certificate" in Windows? Also, WTF is going on that allows MS to install the private keys that I can't seem to obtain? I've looked at the scripts in the file https://dakota.main.lab/certsrv/certfnsh.asp and they seem to be using the same pkcs#7 data as is presented in the "save response" output.

Thanks in advance.

Dinsdale

Improve this question

1 Answer 1

Reset to default
1

When you generate the certificate request using Web Enrollment the private key is generated locally using your browser. The certificate signing request is sent to the CA (without the private key) at which point it is signed. The certificate is then presented to you on the webpage with a link to 'Install This Certificate'.

At that point in time, you cannot possibly save that as a PKCS#12 (ignoring the fact that you can't right click and select 'Save As') as it is simply a certificate on the server.

When you 'Install This Certificate' it is saved to your certificate store, at which point it is married up with the private key. If you were to open the Certificates MMC you'd see this certificate there and it would show that you also have the private key. It is only at this point that you can export both as a PKCS#12 file.

Alternatively, you can use the Certificates MMC to request a certificate and later export it with its private key as a PKCS#12, but even this way the certificate is installed on your computer first (in order to marry it up with its private key) before you can export it.

You can carry out a similar procedure on the command line, but again, you'll need to install the certificate before you can export as a PKCS#12.

So, I suppose the answer to your question will be 'No, you can not. The private key is always local and has to be married up with the certificate returned from the CA before you can export as a PKCS#12.'

Improve this answer
1
  • Brilliant, thank you! I didn't realize the key was generated on the client. I will use libressl to manually generate the keys and requests on the client windows machine and then submit the request through the browser. I don't know if I like the browser based 'automagic' creating my keys. I would prefer a trusted library. Commented Feb 18, 2016 at 19:49

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.