Exporting Private Keys

    Question

  • Hello,

    I need to install my Root CA certificate along with its private key on an appliance. The problem is that it will only accept base-64 encoded certificates and keys and not the PKCS#12 format. When I try to export the root certificate with the private key, the Base-64 option is greyed out. Any ideas on how can I export the cert and the key in base-64 and not the PKCS#12 format?

    Thanks!
    -p
    Tuesday, September 08, 2009 9:33 PM

Answers

  • 1) You should never export the root CA's private key to another device. A backup is only for disaster recovery procedures. If your appliance needs the root CA's private key, then it is time to get a secure appliance and ditch your current one.
    2) If you need to do a base 64 export, then do not include the private key (as I suspect is the case). You can then choose to export in base 64 format so you can designate the root CA as a trusted root CA at the appliance.

    Brian
    Wednesday, September 09, 2009 12:45 AM
  • I actually don't understand the term "appliance" in your case. Does it mean this is some kind of a router? Why would you then need to install the CA's PRIVATE key to the appliance? The CA certificate's private key is used only to sign the end-user's certificates and is needed only on the CA. As well, it would be against the basic security principle of a PRIVATE key to share it PUBLICLY :-). Normally only the CA's certificate needs to be imported into devices/computers so that the device trusts all the CA's issued end-user certificates.

    In your case, you would probably be required to create an end-user certificate (probably a server certificate) for the device, which you can enroll for by using the CA's web pages, for example http://mycaserver.domain.local/CertSrv

    After you have created such a certificate on your computer (not necessarily on the CA's), you would then export the certificate together with the private key and only then import it into the appliance.

    Another way to enroll for the appliance certificate would be (if it supports the protocol) to use SCEP (Simple Certificate Enrollment Protocol), which you would use directly from the device for direct enrollment of the certificate.

    ondrej.

    Wednesday, September 09, 2009 6:22 AM

All replies

  • I just figured out the solution to this and thought I'd post it. The appliance I am dealing with is a web content gateway that inspects inbound traffic from the internet and, in the case of HTTPS, it rewrites certificate information after inspecting the original certificate. I do agree that trying to emulate the root is not a good idea and, as it turns out, there is an option to add this device as a sub CA, which works fine. Coming back to the original question, in case someone wishes to do it, using openssl is the solution. First back up the CA key and certificate using the console. This gives you a .p12 file. Then use the following commands to extract the key and the certificate:

    C:\OpenSSL\bin>openssl pkcs12 -in filename.p12 -nocerts -out key.cer (For the key)


    C:\OpenSSL\bin>openssl pkcs12 -in filename.p12 -clcerts -nokeys -out cert.cer (For the cert)

    Thursday, September 17, 2009 8:21 PM
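The split the last reply describes, as an added example that is not part of the original thread: it builds a throwaway self-signed CA in a temp directory, wraps it in a .p12 the way a console backup would, then extracts the certificate alone (what the appliance should normally receive, per the earlier replies) and the key alone with the same openssl pkcs12 options, and checks the two still belong together. Assumed: openssl on PATH; the file names and the "changeit" password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Needs openssl on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="pass:changeit"   # constructed demo password for the .p12 and the PEM key

# Constructed stand-in for the CA backup: a self-signed key pair wrapped in .p12
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/ca.key" \
    -out "$WORK/backup.p12" -passout "$PASS"
}

# Certificate only (-clcerts -nokeys): Base-64 PEM with no private key inside,
# which is what a device needs to trust the CA
export_cert_only() {
  openssl pkcs12 -in "$WORK/backup.p12" -clcerts -nokeys \
    -passin "$PASS" -out "$WORK/cert.pem" 2>/dev/null
  ! grep -q "PRIVATE KEY" "$WORK/cert.pem"
}

# Private key only (-nocerts), kept encrypted on disk (no -nodes); -passout
# answers the passphrase prompt the interactive command in the thread shows
export_key_only() {
  openssl pkcs12 -in "$WORK/backup.p12" -nocerts \
    -passin "$PASS" -passout "$PASS" -out "$WORK/key.pem" 2>/dev/null
  grep -q "ENCRYPTED PRIVATE KEY" "$WORK/key.pem"
}

# Sanity check: the extracted key and certificate must carry the same public key
key_matches_cert() {
  a=$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout)
  b=$(openssl pkey -in "$WORK/key.pem" -passin "$PASS" -pubout)
  [ "$a" = "$b" ]
}

# Returns 0 only if every step succeeded
run_demo() {
  make_demo_p12 && export_cert_only && export_key_only && key_matches_cert
}

run_demo && echo "cert.pem and key.pem written to $WORK"
```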