Re: Problems enabling SSL on AD
Joe,

Thanks for the detailed response...

I tried the same procedure per the MS KB article here last night, on a test system that I have, and it worked. But note that, by "per the MS KB article", I mean I used "certreq -accept", and that worked here, whereas we had a problem with "certreq -accept" in the earlier try, which was in our lab. We eventually were able to import the cert into the Local Computer\Personal store by using the MMC Certificates snap-in.

Question: Does "certreq -accept" do something different than using the MMC Certificates snap-in to import the server cert? In particular, I'm wondering if using the MMC Certificates snap-in to do the import doesn't do the association between the private key and the server cert, whereas using "certreq -accept" does some extra stuff to do the association?

Jim
Joe Kaplan wrote:
Something got hosed between the request for the certificate and the actual receipt of it. You probably have the private key on your machine somewhere (since you requested the certificate based on a key pair you generated), but somehow when the cert from the CA came back, it didn't get properly associated with the original request, so Windows doesn't know that the cert you have belongs to the private key.

If you don't have the private key, you can't do SSL, so the cert is basically useless.

I'd suggest asking what to do over on ms.public.platformsdk.security to see if there is a way to recover from this situation. Ideally, there is some way you can get the issued certificate associated with the private key you already have and then you are fine. That would be better than starting over. However, starting over and trying again might be easier.

Having a p12 or pfx file for the cert is always the most flexible option, as you can then install it anywhere you like. The private key and cert travel together. However, they are also the most dangerous thing from a security perspective for exactly the same reason that they are the most convenient. Security is always like that. :)

Joe K.
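Worked example, added here and not part of either post above, of what Jim's question and Joe's diagnosis come down to in practice: the pending request that holds the key pair, the "certreq -accept" path versus a plain import, the check for whether the installed server cert is bound to a private key, the repair step Joe was hoping existed, and an end-to-end LDAPS check. Everything named is an assumption for the example: the CA response saved as C:\certs\dc.cer, a domain controller called DC01.corp.example, and certreq/certutil as shipped with Windows. Run it in an elevated PowerShell on the DC.

```powershell
# Added example, not from the thread. Hypothetical paths and names throughout.
$cerFile = 'C:\certs\dc.cer'        # CA response for the DC's request (assumed)
$dcName  = 'DC01.corp.example'      # the domain controller (assumed)

# Step 1: where the key pair lives. "certreq -new" generated the key and a
# pending request; the request sits in the machine REQUEST store (shown as
# "Certificate Enrollment Requests" in the MMC snap-in) until a CA response
# is accepted against it. Deleting that entry orphans the key from the request.
Write-Host "Pending requests in LocalMachine\REQUEST:"
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize

# Step 2: the intended path. "certreq -accept" matches the CA response to the
# pending request by public key, moves the issued cert into LocalMachine\My and
# binds it to that request's private key container. A bare import of the .cer
# (MMC "Import..." into Personal, or certutil -addstore) copies the certificate
# only and does not consult the REQUEST store.
& certreq -accept $cerFile
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certreq -accept failed (exit $LASTEXITCODE); importing the cert by itself"
    & certutil -addstore my $cerFile
}

# Step 3: check the binding. A server cert that is not linked to its private
# key reports HasPrivateKey = False; in the MMC the line "You have a private
# key that corresponds to this certificate" is missing.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$dcName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $dcName in LocalMachine\My" }
"Serial: {0}  HasPrivateKey: {1}" -f $cert.SerialNumber, $cert.HasPrivateKey

# Step 4: if the cert is present but unlinked, have certutil search the local
# key containers for the key matching the cert's public key and rebind it.
# This only works while the key pair from the original request is still on
# this machine; if it is gone, Joe is right and you start over.
if (-not $cert.HasPrivateKey) {
    & certutil -repairstore my $cert.SerialNumber
    $cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
    "After repair: HasPrivateKey = $($cert.HasPrivateKey)"
}

# Step 5: verify LDAPS end to end by opening TCP 636 and reading the cert the
# DC actually presents. The validation callback returns $true only so we can
# look at a possibly untrusted cert; never use that callback in a real client.
$tcp = New-Object System.Net.Sockets.TcpClient($dcName, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($dcName)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS presented: {0} (serial {1})" -f $presented.Subject, $presented.SerialNumber
    if ($presented.SerialNumber -ne $cert.SerialNumber) {
        Write-Warning "DC is presenting a different certificate than the one just installed"
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Step 5 is the real test of Joe's point: the cert is useless to LDAP unless the key is bound and the LSA can open it. If HasPrivateKey is True but port 636 still refuses the handshake or presents an older cert, the directory has not reloaded its certificate yet; a restart of the DC (or, on newer versions, the rootDSE renewServerCertificate operation) makes it pick up the new one.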
Relevant Pages

  • Re: Problems enabling SSL on AD
    ... In MMC Certificates snap-in, I deleted the entry under Local Computer\Certificate Enrollment Requests ... When I tried to run "certreq -accept...", I got a popup error, "Cannot find object or property. ... When I look at the server cert in the MMC Certificates snap-in, the "You have a private key..." ... In particular, I'm wondering if using the MMC Certificates snap-in to do the import doesn't do the association between the private key and the server cert, whereas using "certreq -accept" does some extra stuff to do the association? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Private & Public Key storage location
    ... with that you complete the 'certificate' to have both public and private key ... To view the complete cert, you access the cert mmc, ... its end & send only the public key to the CA along with the other websites ... The CA never know the private key of the website. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Private & Public Key storage location
    ... When you got the server cert file, ... its end & send only the public key to the CA along with the other websites ... The CA never know the private key of the website. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Encryption
    ... - make sure anything encrypted with the other cert was copied into ... If I encrypt a folder on the copied-to machine, ... The private key import for W2k I do not clearly recall at ...
    (microsoft.public.win2000.security)