Re: Obtaining X.509 Certificates


From: Sumaira Ahmad (sumaira.ahmad_at_gmail.com)
Date: 10/18/04


Date: 17 Oct 2004 18:23:18 -0700

Thank you so much for all the information. Will try to install and use
it, and will post if any issues.
Thanks once again.

a.canade@retis.it (andrea) wrote in message news:<5c884a8f.0410161149.479179f2@posting.google.com>...
> Hello
>
> I'll tell you how certmgr works ... take 10 minutes of your time :)
>
> Certmgr.exe works with two types of certificate stores:
> StoreFile and system store. It is not necessary to specify the type of
> certificate store;
> Certmgr.exe can identify the store type and perform the appropriate
> operations. Running Certmgr.exe without specifying any options
> launches a GUI that helps with the certificate management tasks that
> are also available from the command line.
> The GUI provides an import wizard, which copies certificates, CTLs,
> and CRLs from your disk to a certificate store.
> To run Certmgr.exe in GUI mode, simply do Start/Run, enter
> "C:\Program Files\Microsoft Visual Studio .NET\FrameworkSDK\Bin\certmgr.exe",
> and hit the enter key:
>
> The Certificate Creation tool generates X.509 certificates for testing
> purposes only.
> It creates a public and private key pair for digital signatures and
> stores it in a certificate file.
> This tool also associates the key pair with a specified publisher's
> name and creates an X.509 certificate that binds a user-specified name
> to the public part of the key pair.
>
> NOTE: Only the Makecert from the .NET Framework 1.1 has the capability
> to create test certificates that can be used successfully with the
> WSE!
>
> Makecert.exe includes basic and extended options. Basic options are
> those most commonly used to create a certificate. Extended options
> provide more flexibility.
>
> makecert [options] outputCertificateFile
>
>
> The following command creates a test certificate and writes it to
> testPAB.cer, using the subject's key container and the certificate
> subject's X.500 name, and writes it to the root store:
>
> makecert -sk TEST -n "CN=AndreaCanade" -ss root -sr localmachine acTest.cer
>
>
> In order for WSE to obtain the X.509 private key from the local
> computer certificate store, it must have permission to do so.
> By default, only the owner and the System account can access the
> private key of a certificate.
> Also by default, the ASP.NET service runs under the ASPNET account,
> and that account does not have access to the private key.
>
> To give the ASPNET account access to the private key, give the account
> under which ASP.NET is running Full Control access to the files
> containing the keys the WSE will need to retrieve in the following
> folder:
> C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
>
> The account the ASP.NET worker process runs under is controlled by the
> <processModel> element in the Machine.config file.
> Set the userName attribute of the <processModel> element to specify
> the account ASP.NET runs under.
> By default, the userName attribute is set to the special machine
> account, which maps to the low-privileged ASPNET user account created
> when the .NET Framework SDK is installed.
>
> 1. Open Windows Explorer.
> 2. Navigate to the
>    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
>    folder.
> 3. Select the files containing the keys that the WSE will need to
>    retrieve.
> 4. From the File menu, select Properties.
> 5. On the Security tab, add the ASPNET account and select the Full
>    Control option.
>
> Note: Determining which key file in the MachineKeys folder is
> associated with a certificate can be difficult.
> One easy method is to note the creation date and time when creating a
> new certificate. When you view the files in the MachineKeys directory,
> check the Date Modified field for the corresponding date and time.
>
>
> hope that's clear :)
> bye
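
The key-file lookup and permission step described in the quoted post, as an added example that is not part of either post: it resolves the MachineKeys file from the certificate itself instead of matching on Date Modified, prints the file's current ACL, and with -Grant adds Read access for the account. It assumes Windows PowerShell on the .NET Framework, an elevated prompt, a CSP-backed key (what makecert -sk creates), and that Read access is enough for the worker process to use the key; the parameter names are made up for this sketch and the defaults are taken from the makecert command and folder above.

```powershell
param(
    [string]$Subject   = 'CN=AndreaCanade',          # subject from the makecert command above
    [string]$StorePath = 'Cert:\LocalMachine\Root',  # -ss root -sr localmachine
    [string]$Account   = 'ASPNET',                   # account the ASP.NET worker runs under
    # Folder named in the post; on later Windows versions it lives under %ProgramData%.
    [string]$KeyDir    = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys',
    [switch]$Grant                                   # without this the script only reports
)

# Find the certificate and make sure a private key is associated with it.
$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with a private key and subject '$Subject' in $StorePath"
}

# For CSP keys the unique container name is the file name inside MachineKeys.
$csp = $cert.PrivateKey.CspKeyContainerInfo
if (-not $csp) {
    throw 'Private key is not CSP-backed; this lookup does not apply.'
}
$keyFile = Join-Path $KeyDir $csp.UniqueKeyContainerName
if (-not (Test-Path -Path $keyFile)) {
    throw "Key file not found: $keyFile"
}

# Show who can currently reach the private key file.
$acl = Get-Acl -Path $keyFile
Write-Output "Key file for $($cert.Thumbprint): $keyFile"
$acl.Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
    Out-Host

if ($Grant) {
    # Add a single Allow/Read entry for the worker account and write the ACL back.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Output "Granted Read on $keyFile to $Account"
}
```

Run it once without -Grant to review the existing entries on the key file, then again with -Grant to add the entry.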


