Guest BillL Posted February 11, 2009

Hi,

I'm trying to export certificates in Personal Information Exchange format. When I try to use the Certificate Export Wizard from the CA or from the Certificates MMC snap-in on my desktop, the option to export to a PKCS #12 format is always greyed out. I've also tried to do a certutil -getkey using the certificate's serial number, but it comes back with "cannot find object or property". The certificate template does have the box "Allow private key to be exported" checked.

Is there a setting in the certificate template that must be set to allow it to be exported in this format? Or am I missing something else?

Thanks.
Guest Brian Komar (MVP) Posted February 11, 2009

Where are you performing the export? The export option to include the private key is only available at the computer where the key pair was generated. You cannot, for example, choose an issued certificate at the CA and then choose to export the private key.

Brian

"BillL" <wlawn@yahoo.com> wrote in message news:8dbe6102-b48b-4d66-827c-a44140ebacb4@h5g2000yqh.googlegroups.com...
> Hi,
>
> I'm trying to export certificates in Personal Information Exchange
> format. When I try to use the Certificate Export Wizard from the CA
> or from the Certificates MMC snap-in on my desktop, the option
> to export to a PKCS #12 format is always greyed out. I've also tried
> to do a certutil -getkey using the certificate's serial number, but it comes
> back with "cannot find object or property". The certificate template
> does have the box "Allow private key to be exported" checked.
>
> Is there a setting in the certificate template that must be set to
> allow it to be exported in this format? Or am I missing something
> else?
>
> Thanks.
Guest BillL Posted February 11, 2009

Thanks Brian for clarifying that for me. I was trying it on both the CA and the workstation where the key was generated. I did get it to work from the workstation.

Bill
Guest Brian Komar (MVP) Posted February 11, 2009

You can only accomplish the retrieval from the CA if:

1) The CA is enabled for key archival
2) The certificate template is set to the purpose of encryption or signature and encryption
3) The certificate template enables archival of the encryption certificate private key

Once you have this, then the recovery process involves:

1) A certificate manager extracting an encrypted blob from the CA (certutil -getkey)
2) A Key Recovery Agent decrypting the blob into a PKCS #12 (certutil -recoverkey)

Brian

"BillL" <wlawn@yahoo.com> wrote in message news:f9fb5e90-c0be-40d7-8f83-00bcf63b9ad2@s20g2000yqh.googlegroups.com...
> Thanks Brian for clarifying that for me. I was trying it on both the
> CA and the workstation where the key was generated. I did get it to
> work from the workstation.
>
> Bill
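The checks and the two recovery steps Brian lists, scripted as an added example (this is not code from the thread, from Brian, or from Microsoft). It verifies his three preconditions before running certutil -getkey and certutil -recoverkey, so the "cannot find object or property" error Bill saw is explained up front rather than after a failed attempt. $CaConfig, $TemplateName and $SerialNumber are placeholders the operator supplies; the template flag values are the documented msPKI-Private-Key-Flag bits, and the KRACertCount registry value is read with certutil -getreg.

```powershell
<#
  Added example, not code from this thread or from Microsoft. It scripts the
  two-step recovery Brian describes (certutil -getkey by a certificate
  manager, then certutil -recoverkey by a Key Recovery Agent) and first checks
  his three preconditions.

  Assumptions: run on a domain-joined Windows machine with certutil.exe on
  PATH; the caller holds the Certificate Manager role on the CA for step 1;
  a KRA certificate with its private key is in the caller's store for step 2.
  $CaConfig, $TemplateName and $SerialNumber are operator-supplied placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $CaConfig,      # "CAHOST\CA Common Name" (placeholder)
    [Parameter(Mandatory)] [string] $TemplateName,  # template the certificate was issued from
    [Parameter(Mandatory)] [string] $SerialNumber,  # hex serial number of the issued certificate
    [string] $BlobFile = "$SerialNumber.bin",       # encrypted recovery blob written by step 1
    [string] $PfxFile  = "$SerialNumber.pfx"        # PKCS #12 written by step 2
)
$ErrorActionPreference = 'Stop'

# msPKI-Private-Key-Flag bits on a certificate template (MS-CRTD).
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1    # "Archive subject's encryption private key"
$CT_FLAG_EXPORTABLE_KEY               = 0x10   # "Allow private key to be exported"
# X.509 KeyUsage keyEncipherment bit, carried in the first byte of pKIKeyUsage.
$KEY_USAGE_KEY_ENCIPHERMENT           = 0x20

function Get-CaRegDword {
    param([string] $Config, [string] $Name)
    # certutil prints a line such as "  KRACertCount REG_DWORD = 1" (or "= 0x1 (1)").
    $out = certutil -config $Config -getreg "CA\$Name" | Out-String
    if ($out -notmatch "$Name\s+REG_DWORD\s*=\s*(0x[0-9A-Fa-f]+|\d+)") {
        throw "Could not read CA\$Name from '$Config' (CA administrator or manager rights needed)"
    }
    $base = if ($Matches[1] -like '0x*') { 16 } else { 10 }
    return [Convert]::ToInt32($Matches[1], $base)
}

function Get-TemplateProperties {
    param([string] $Name)
    # Templates live in the Configuration naming context; plain ADSI needs no RSAT module.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tmpl = [ADSI]"LDAP://$dn"
    return @{
        KeyFlags = [int]    $tmpl.Properties['msPKI-Private-Key-Flag'].Value
        KeyUsage = [byte[]] $tmpl.Properties['pKIKeyUsage'].Value
    }
}

# Precondition 1: the CA is enabled for key archival (at least one KRA certificate configured).
$kraCount = Get-CaRegDword -Config $CaConfig -Name 'KRACertCount'
if ($kraCount -lt 1) {
    throw "CA '$CaConfig' has no Key Recovery Agent certificates; nothing can have been archived."
}

# Preconditions 2 and 3: the template's purpose includes encryption and it archives the key.
$t = Get-TemplateProperties -Name $TemplateName
if (-not $t.KeyUsage -or ($t.KeyUsage[0] -band $KEY_USAGE_KEY_ENCIPHERMENT) -eq 0) {
    throw "Template '$TemplateName' is signature-only; only encryption private keys are archived."
}
if (($t.KeyFlags -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -eq 0) {
    throw "Template '$TemplateName' does not archive the private key; certutil -getkey will find nothing."
}
if (($t.KeyFlags -band $CT_FLAG_EXPORTABLE_KEY) -eq 0) {
    # Not needed for recovery, but it is why the Export Wizard greys out PKCS #12 on the client.
    Write-Warning "Template '$TemplateName' does not mark the key exportable on the enrolling computer."
}

# Step 1 (Certificate Manager): extract the encrypted blob from the CA database.
certutil -config $CaConfig -getkey $SerialNumber $BlobFile
if ($LASTEXITCODE -ne 0) { throw "certutil -getkey failed for serial $SerialNumber" }

# Step 2 (Key Recovery Agent): decrypt the blob with the KRA private key into a PKCS #12.
# certutil prompts for the password that will protect the resulting .pfx file.
certutil -recoverkey $BlobFile $PfxFile
if ($LASTEXITCODE -ne 0) { throw "certutil -recoverkey failed; is the KRA private key in this user's store?" }

Write-Host "Recovered key pair written to $PfxFile. Remove $BlobFile and $PfxFile once they are delivered per your key-recovery procedure."
```

The two steps are kept separate on purpose: in a CA where the Certificate Manager and Key Recovery Agent roles are held by different people, the first person runs only the -getkey portion and hands over the .bin file, and the second person runs -recoverkey under the account that holds the KRA private key. Running the whole script as one user only makes sense when one account legitimately holds both roles.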
Guest BillL Posted February 11, 2009

On Feb 11, 2:31 pm, "Brian Komar (MVP)" <brian.ko...@nospam.identit.ca> wrote:
> You can only accomplish the retrieval from the CA if:
> 1) The CA is enabled for key archival
> 2) The certificate template is set to the purpose of encryption or
> signature and encryption
> 3) The certificate template enables archival of the encryption certificate
> private key
>
> Once you have this, then the recovery process involves:
> 1) A certificate manager extracting an encrypted blob from the CA
> (certutil -getkey)
> 2) A Key Recovery Agent decrypting the blob into a PKCS #12
> (certutil -recoverkey)
>
> Brian
>
> "BillL" <wl...@yahoo.com> wrote in message
> news:f9fb5e90-c0be-40d7-8f83-00bcf63b9ad2@s20g2000yqh.googlegroups.com...
>
> > Thanks Brian for clarifying that for me. I was trying it on both the
> > CA and the workstation where the key was generated. I did get it to
> > work from the workstation.
> >
> > Bill

Thanks Brian.