Brian
Sun Jan 25 08:57:15 CST 2004
Answers inline...
In article <uvvtYE14DHA.2612@tk2msftngp13.phx.gbl>, nobody@nowhere.com
says...
> Pardon my ignorance in the area of Certificate Services. In the questions I
> may have made incorrect statements. I would greatly appreciate it if you
> could correct me.
>
> I am generating client certificates using win2k3 Certificate Services.
> After creating the certificate, I export it using public/private key pair
> into .pfx. file. I then import it to client machine personal store. In the
> personal node there are now 2 certificates. I am assuming it is a public
> client certificate and public CA certificate.
What certificates are you requesting when you install into the client
computer store? Depending on the operating system, there are easier
ways to get the computer certificates to the computer store:
1) Use the Certificates MMC console focused on the local machine. This
causes the request to run in the security context of the computer.
2) Use the Web form. You will have to use an "offline request" in this
circumstance, where you manually type in the certificate's subject
information. Then you would use a process similar to what you describe.
3) Autoenrollment. If the requesting computer is Windows XP or 2k3, and
a domain member, you can use autoenrollment and version 2 certificates.
4) Automated Certificate Request Settings. If the requesting computer is
Windows 2000, XP, or 2k3, you can use ACRS to deploy version 1
certificates.
As for the existing certificates, look to the right of the display and
see what certificate template they are based on. This will provide more
information. Alternatively, look at the details tab, and view the
contents of the Enhanced Key Usage attribute. This will show what
purposes the certificate can be used for. If they are public, the
Certification Path tab will show a certificate chain to a public root
CA. It may or may not be a public certificate based on the information
provided.
>
> Where does the private key get stored?
>
The private keys for users are stored in their profile directory (if
using a Cryptographic Service Provider that stores on the local disk).
It is in the C:\Documents and Settings\v-bkomar\Application Data\Microsoft\Crypto\RSA\SID folder.
For machines, they are stored in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
or C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys.
The private key is protected by the DPAPI. See the following KB article
for details on how it is protected:
support.microsoft.com/default.aspx?kbid=309408
> If it is stored in some hidden place, how can I check what private keys have
> been imported to date? How can I delete them?
The private keys are not per se imported normally. Typically, the
request would be performed by the computer at the computer. The key pair
is always generated at the computer where the request is generated. The
public key is then submitted to the CA in the certificate request.
>
> Is the private key the same for all certificate for that CA? or is there
> different private key for each certificate for that CA?
No, the private keys are always generated by the requestor. The CA will
use its current private key to sign the certificates when it issues the
certificate.
>
> Thanks in advance
>
>
For more information, see the following whitepapers:
PKI Enhancements for XP:
http://www.microsoft.com/windowsxp/pro/techinfo/planning/pkiwinxp/default.asp
Autoenrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/plan/autoenro.asp
Cert templates:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deploy/confeat/ws03crtm.asp
DPAPI:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/windataprotection-dpapi.asp
MS PKI Portal:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/pkitech.asp
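The checks Brian describes (template, Enhanced Key Usage, and where the DPAPI-protected key file lives) can be scripted; the following is an added example and is not part of the original post. It assumes PowerShell 5.1 or later on a current Windows build, where the CAPI key folders are under %ProgramData% and %APPDATA% rather than the Documents and Settings paths named above, and it only resolves key files for keys held by an RSA CAPI provider.

```powershell
# Added example: inventory a Personal store, report each certificate's purposes (EKU),
# its certificate template, and the on-disk CAPI key container file protected by DPAPI.
param([ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation = 'LocalMachine')

$store = "Cert:\$StoreLocation\My"
# Machine keys live directly in MachineKeys; user keys sit in a per-SID subfolder below RSA.
$keyDir = if ($StoreLocation -eq 'LocalMachine') {
    Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} else {
    Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
}

Get-ChildItem $store | ForEach-Object {
    $cert = $_

    # Enhanced Key Usage: what the certificate may be used for (Details tab in the MMC).
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $purposes = if ($ekuExt) { ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' }
                else { '(none)' }

    # Template: v1 templates use OID 1.3.6.1.4.1.311.20.2, v2 templates use 1.3.6.1.4.1.311.21.7.
    $tplExt = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        Select-Object -First 1
    $template = if ($tplExt) { $tplExt.Format($false) } else { '(none)' }

    # For CAPI RSA keys the unique container name is the file name under the Crypto\RSA folder.
    # Reading PrivateKey needs rights to the key and throws for CNG keys, so guard it.
    $keyFile = $null
    if ($cert.HasPrivateKey) {
        try {
            $pk = $cert.PrivateKey
            if ($pk -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $container = $pk.CspKeyContainerInfo.UniqueKeyContainerName
                $keyFile = Get-ChildItem -Path $keyDir -Recurse -Filter $container -ErrorAction SilentlyContinue |
                    Select-Object -First 1 -ExpandProperty FullName
            }
        } catch { $keyFile = "(not readable: $($_.Exception.Message))" }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Purposes      = $purposes
        Template      = $template
        HasPrivateKey = $cert.HasPrivateKey
        KeyFile       = $keyFile
    }
} | Format-Table -AutoSize
```

Run it elevated for the LocalMachine store; a certificate whose KeyFile column is empty but shows HasPrivateKey = True usually means the key is in a CNG key storage provider or on a smart card rather than in the RSA folder.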