Hi,
You have doubts about what?
Of course the client never receives the private key -- that would be a huge
security hole (think of what would happen if anyone got a private key for
e.g. amazon.com or ebay.com etc...)... They could decrypt all the
communication between clients and e.g. amazon servers including information
about credit cards...
Here are details about SSL handshake between client and server
Description of the Secure Sockets Layer (SSL) Handshake
http://support.microsoft.com/kb/q257591/
Private keys are in general stored here "RootDirectory\Documents and
Settings\%username%\Application Data\Microsoft\Crypto\RSA", but you can't
just copy them since they are encrypted with random symmetric key called the
master key. To export them you must use the procedure that I described in my
previous post. That file (*.pfx) will include the private key that you can
later import on any other server.
Here is also Microsoft KB article on the subject...
How to back up a server certificate in Internet Information Services 5.0 (It
is same for IIS 6.0).
http://support.microsoft.com/default.aspx?scid=kb;en-us;232136
Again, I would like to stress that:
- you must select "Local Computer Account" in MMC
- you must select "Yes, export the private key" in the export wizard
- in the end you must have a *.pfx file.
I used these steps on numerous occasions for many of my customers and they
work.
Let me know if you need additional information on this.
--
Mike
Microsoft MVP - Windows Security
Post by Vicky
Still have doubts
When a web client connects to an SSL-enabled web site, he receives the web
site's server certificate that consists of only the public key.
It means that private keys are not embedded in the website server certificate.
On the server itself when you will export the certificate from where will
the private key come?
Post by Miha Pihler [MVP]
Hi,
IIS certificates that enable you to use SSL are stored under Computer
account and not user account. You can always export the private key by doing
this...
open MMC and click File -> Add/Remove Snap-In -> Add... -> Certificates.
Here click on Computer Account and click Next. Check to see that Local
Computer is selected and click Finish.
Now that you have Certificate MMC open Personal Container ->
Certificates.
You will see your IIS certificate. Right click on it and select All tasks ->
Export. In the wizard that starts click on Next -> here you must select
"Yes, export the private key" and click on Next. Follow the wizard by
clicking Next. When prompted enter password (and remember it since you won't
be able to do the import without it) and save the file on hard disk. Make
sure that you have *.pfx file. If you got *.cer file you only have public
key.
I hope this helps.
--
Mike
Microsoft MVP - Windows Security
Post by Vicky
hi,
when I configure IIS server on a windows 2000 or 2003 server to use the ssl
protocol, I have to make a certificate request, during which a Key pair
(public & private) is created.
My public key is sent to the CA along with my certificate request which is
then also embedded in My server certificate by the CA.
I want to know where is my private key stored on my local file system.
Can I also see the public key & is it possible to have both this keys copied
to a desired location as a backup.
Vicky
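
The export steps described in the replies above can also be scripted. The following is an added example, not part of the original posts: it assumes a newer system than the Windows 2000/2003 servers in the thread (the PKI module's `Export-PfxCertificate`, Windows 8 / Server 2012 or later), an elevated session, and a thumbprint and backup path that you supply. It also confirms that the resulting *.pfx really contains the private key.

```powershell
# Added example: scripted form of the MMC export, plus a check of the backup.
# Assumptions: PKI module available, elevated session, placeholder path below.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,    # thumbprint of the IIS certificate
    [string] $OutFile = 'C:\Backup\iis-cert.pfx'    # hypothetical backup location
)

# Same store as "Local Computer Account" -> Personal -> Certificates in MMC
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
}

# Without an associated private key only the public part (*.cer) can be saved
if (-not $cert.HasPrivateKey) {
    throw 'This certificate has no private key on this machine.'
}

# The password protects the key inside the PFX and is required for the import
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# Raises an error if the key was marked non-exportable when it was created
Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $password |
    Out-Null

# Verify the backup: reload the file and confirm the key travelled with it
$check = New-Object `
    System.Security.Cryptography.X509Certificates.X509Certificate2(
        $OutFile, $password)
try {
    if (-not $check.HasPrivateKey) {
        throw "$OutFile holds only the public key."
    }
    if ($check.Thumbprint -ne $cert.Thumbprint) {
        throw "$OutFile contains a different certificate."
    }
    [pscustomobject]@{
        Subject       = $check.Subject
        Thumbprint    = $check.Thumbprint
        HasPrivateKey = $check.HasPrivateKey
        File          = $OutFile
    }
}
finally {
    $check.Reset()   # release the key material loaded for the check
}
```

Treat the resulting file like the private key itself: store it offline or on access-controlled media and keep the password separately.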