Certificates and Exporting Private Key

    Question

  • Hello again.  For the last year I've been working with our Security group regarding using certificates with SCOM.  They are very concerned about the requirement that private keys be marked as exportable in the following documentation.  As such, they won't let us use our Enterprise CA, and we've had to purchase certs from a 3rd party CA.  This of course is expensive, and even more time consuming, especially since we already have an expensive Enterprise CA we can't use!

    I was wondering if anyone here could post some information that I might be able to use to help alleviate some of their fears about the exportable private keys.  I'd really like to be able to use our Enterprise CA to save time and money.

    What are the risks with allowing the private key to be exported?

    Thanks.

    http://technet.microsoft.com/en-us/library/bb735413.aspx
    http://technet.microsoft.com/en-us/library/bb735417.aspx


    Layne
    Wednesday, January 27, 2010 4:40 PM

Answers

  • It depends on where you need to deploy the certificates.  If your agents are in a DMZ with no access to your CA, then the key needs to be exportable when issued.  In these cases, the cert gets issued to a CA-connected machine, then exported (with key) to a file, which is transferred to the DMZ box and imported.  Without the exportable key it doesn't work.  If all your machines have access to the CA, however, then you never need to export and you can probably get away without it.

    Thanks,
    -Lincoln

    This is not quite correct, because there are several other ways to enroll certificates for non-domain clients (clients that cannot directly connect to the CA server through DCOM):
    1) use Enrollment Web Pages. This allows you to run an ActiveX-compatible browser against http://FQDN/certsrv. However, this is only possible if the Web Pages are running on Windows Server 2003. With Windows Server 2008 and higher there is no way to enroll computer certificates from Enrollment Web Pages.
    2) use the certreq utility, which will prepare a request; this request can be submitted to the CA from the certsrv.msc console.
    3) use the Certificates snap-in focused on Local Computer and choose All Tasks -> Advanced Operations -> Create Custom Request (available in Windows Vista and higher).
    4) use CEP/CES services for HTTP enrollment (available for Windows 7/Windows Server 2008 R2 clients only).

    Regarding exportable keys. Actually you SHOULD NOT mark private keys as exportable for computer certificates. Generally this applies to user certificates too. There are some circumstances when the private key SHOULD be marked as exportable:
    1) you have encrypted several files using EFS. You may have to export this certificate if you need access to these files from other computers, or to get access to them if your profile is corrupted, deleted, etc.
    2) you're using mail encryption. You may have to read encrypted mail messages from other computers.

    For security reasons you SHOULD never mark private keys as exportable for signing, user authentication and computer certificates (except the CA's own private keys).

    Matt__White
    You're right. The private key is always generated on the client. When you generate a request (one is generated each time you enroll a certificate), this request is saved in the Certificate Enrollment Requests folder in the Certificates snap-in. When the certificate is retrieved from the CA, this request is moved to the Personal folder and is ready to use.


    http://www.sysadmins.lv
    Saturday, January 30, 2010 9:25 PM

All replies

  • for this reason we have setup a CA just for SCOM. There's no need to buy certs, just set up a standalone CA.
    That said, i've not found a reason why you have to be able to export the private key. i think it's just a recommendation and you can ignore that one.
    Rob Korving
    http://jama00.wordpress.com/
    Wednesday, January 27, 2010 6:11 PM
  • It depends on where you need to deploy the certificates.  If your agents are in a DMZ with no access to your CA, then the key needs to be exportable when issued.  In these cases, the cert gets issued to a CA-connected machine, then exported (with key) to a file, which is transferred to the DMZ box and imported.  Without the exportable key it doesn't work.  If all your machines have access to the CA, however, then you never need to export and you can probably get away without it.

    Thanks,
    -Lincoln
    Wednesday, January 27, 2010 6:29 PM
  • If you use certreq.exe, I think the PK remains on the requesting server.  Only the CSR is required to be transferred to the CA, then the signed certificate is transferred back to the requesting computer.  It's not the easiest tool to use, but it will get around your problem of having exportable PKs.

    Matt
    Matt White
    ( http://systemcenterblog.hardac.co.uk/ )
    Thursday, January 28, 2010 12:24 PM
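    Worked example of the certreq workflow described in the accepted answer (method 2) and in Matt's reply above, added here as illustration and not code from the thread: the key pair is generated on the agent, only the CSR travels to the CA, and the installed key is then checked for the exportable flag. It assumes Windows PowerShell 5.1 on the agent; the FQDN, CA config string and template name are placeholders.

```powershell
# Added example, not from the thread: enroll a SCOM agent certificate with
# certreq.exe so the key pair is generated on the agent itself and is never
# marked exportable, then verify the export flag on the installed key.
# Assumes Windows PowerShell 5.1 on the agent; the FQDN, CA config string
# and template name below are placeholders.

$Fqdn     = "agent01.contoso.example"           # placeholder agent FQDN
$CaConfig = "ca01.contoso.example\Contoso-CA"   # placeholder "CAhost\CAname"
$Template = "SCOMAgentTemplate"                 # placeholder template name
$Work     = Join-Path $env:TEMP "scom-cert"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq request file. KeySpec=1 (key exchange), KeyUsage 0xa0 (digital
# signature + key encipherment) and the Server/Client Authentication EKUs
# match the SCOM certificate requirements; Exportable = FALSE is the point.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# 1. Generate the key pair locally and write the CSR; only the CSR leaves the box.
certreq.exe -new "$Work\request.inf" "$Work\request.req"
# 2. Submit the CSR to the enterprise CA and collect the issued certificate.
certreq.exe -submit -config $CaConfig "$Work\request.req" "$Work\agent.cer"
# 3. Install the certificate against the pending request in LocalMachine\My.
certreq.exe -accept "$Work\agent.cer"

# Verify: with a CAPI provider, .PrivateKey is an RSACryptoServiceProvider
# whose CspKeyContainerInfo.Exportable reflects the Exportable flag at creation.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey }
if ($cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    Write-Warning "Private key for $Fqdn is exportable; re-enroll with Exportable = FALSE."
} else {
    Write-Host "Private key for $Fqdn is non-exportable, as intended."
}
```

    If the CA requires manager approval, certreq -submit returns a request ID and the -accept step is run after the certificate has been issued and retrieved with certreq -retrieve.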
  • Thanks everyone.  We're reopening the discussion and I'll be sure to bring up all these points.  I'll post any other concerns they have and maybe between all of us we can convince them to let us use the Enterprise CA. 
    Layne
    Thursday, January 28, 2010 4:36 PM
  • Thanks everyone, these are good points.  It sounds like the private key does not need to be exportable if the agents can access the CA.  That's good news, but I just thought about implications for ACS.

    To get the certificate to work with ACS you have to export it in .cer format and add it to the Name Mappings for the computer object.  Do the keys have to be exportable for this?
    Layne
    Wednesday, February 03, 2010 9:38 PM
  • > To get the certificate to work with ACS you have to export it in .cer format and add it to the Name Mappings for the computer object.  Do the keys have to be exportable for this?

    Can you explain this? What do you mean by Name Mapping?
    http://www.sysadmins.lv
    Thursday, February 04, 2010 6:38 AM
  • One of the steps to get a certificate to work with ACS is you have to create a computer account for the forwarder, right click the computer account and choose Name Mappings, and on the X.509 Certificates tab you add the certificate.  These docs say when you export the certificate you choose "do not export private key", so maybe it will not be an issue?

    http://technet.microsoft.com/en-us/library/bb735410.aspx
    http://technet.microsoft.com/en-us/library/bb735420.aspx
    http://blogs.technet.com/cliveeastwood/archive/2007/05/11/how-to-configure-audit-collection-system-acs-to-use-certificate-based-authenication.aspx

    Thanks,
    Layne
    Thursday, February 04, 2010 4:39 PM
  • No, in that case the private key will not be exported and it is not required. For name mapping configuration you need the public certificate only (without the private key), so there are no circumstances that require making the private key exportable.


    http://www.sysadmins.lv
    Thursday, February 04, 2010 8:16 PM