Export Certificate with Private Key from CA Management MMC

Hello,
We have an Enterprise Certificate Authority installed in our Windows
2003 Domain. I have minted some Client Authentication certificates,
and I have marked the private keys as exportable.

I am able to install the certs using the web certificate service
(https://CA/certsrv), and I am able to export the certificate and
private key from my computer's local certificate store.

However, I am trying to mint the cert for someone else, as an
administrator, and I want to be able to export the certificate and
private key directly from the CA, rather than installing the
certificates locally on my machine and then exporting them.

Is there a way to export the certificate and private key directly from
the CA, rather than installing it locally on my workstation and
exporting it that way?

The only option I've been able to find is to copy the certificate to a
file, but my options are .CER or .P7B, and I'd like to export it
as .PFX so that I can get the private key.

Thanks.

Hi Alan,

yes that is correct - per default the Webserver certificate does not allow
to export the private key which is from security perspective good ;-)

If you do need that feature in your environment you need to create a new
Webserver template on your CA and enable "export private key" property.
Just use the current webserver certificate template and create a new one,
then you should be able to configure this.

Regards
Ramazan

"AlanW." <adweber@gmail.com> wrote in message
news:d44fa087-c979-4721-939e-5b2de78d0152@c16g2000yqd.googlegroups.com...
> Hello,
> We have an Enterprise Certificate Authority installed in our Windows
> 2003 Domain. I have minted some Client Authentication certificates,
> and I have marked the private keys as exportable.
>
> I am able to install the certs using the web certificate service
> (https://CA/certsrv), and I am able to export the certificate and
> private key from my computer's local certificate store.
>
> However, I am trying to mint the cert for someone else, as an
> administrator, and I want to be able to export the certificate and
> private key directly from the CA, rather than installing the
> certificates locally on my machine and then exporting them.
>
> Is there a way to export the certificate and private key directly from
> the CA, rather than installing it locally on my workstation and
> exporting it that way?
>
> The only option I've been able to find is to copy the certificate to a
> file, but my options are .CER or .P7B, and I'd like to export it
> as .PFX so that I can get the private key.
>
> Thanks.

Hi
Additionally you may start thinking about KRA and Key archival.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"RCan" <noospam@arcor.de> wrote in message
news:eziRtjJsKHA.3908@TK2MSFTNGP05.phx.gbl...
> Hi Alan,
>
> yes that is correct - per default the Webserver certificate does not allow
> to export the private key which is from security perspective good ;-)
>
> If you do need that feature in your environment you need to create a new
> Webserver template on your CA and enable "export private key" property.
> Just use the current webserver certificate template and create a new one,
> then you should be able to configure this.
>
> Regards
> Ramazan
>
> "AlanW." <adweber@gmail.com> wrote in message
> news:d44fa087-c979-4721-939e-5b2de78d0152@c16g2000yqd.googlegroups.com...
>> Hello,
>> We have an Enterprise Certificate Authority installed in our Windows
>> 2003 Domain. I have minted some Client Authentication certificates,
>> and I have marked the private keys as exportable.
>>
>> I am able to install the certs using the web certificate service
>> (https://CA/certsrv), and I am able to export the certificate and
>> private key from my computer's local certificate store.
>>
>> However, I am trying to mint the cert for someone else, as an
>> administrator, and I want to be able to export the certificate and
>> private key directly from the CA, rather than installing the
>> certificates locally on my machine and then exporting them.
>>
>> Is there a way to export the certificate and private key directly from
>> the CA, rather than installing it locally on my workstation and
>> exporting it that way?
>>
>> The only option I've been able to find is to copy the certificate to a
>> file, but my options are .CER or .P7B, and I'd like to export it
>> as .PFX so that I can get the private key.
>>
>> Thanks.
>

Jorge,
Thanks very much for your input.
It looks like you are correct on your second post. I need to archive
the keys, and use a key recovery agent to restore the certificate with
the private key.
This should do what I need.
I was hoping that there was an easy way to export the certificate with
the Private key directly from the Management console on the CA server,
but it's not looking as though it's possible.
Thanks