|
Home > Archive > IIS Server Security > January 2005 > Certificate Export Problem
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Certificate Export Problem
|
|
| cswarr 2005-01-12, 5:55 pm |
| I'm trying to export a verisign cert. from one Win2k3 web server to another.
However, it's not letting me export the private key, just the cert. The
export private key option is greyed out in the wizard. Why is it doing this
and how can I get the cert. installed on my second web server? Thanks.
| |
| Miha Pihler [MVP] 2005-01-12, 5:55 pm |
| Hi,
If the export the private key is grayed out (disabled) then this was a
"mistake" made when this certificate was installed on this computer. When
installing certificate you have an option to select "Mark this key as
exportable" that is by default not enabled.
http://freeweb.siol.net/mpihler/exportable.jpg
Do you still have original request and certificate received from VeriSign.
If yes, then you could use these to install this certificate on new
server...
--
Mike
Microsoft MVP - Windows Security
"cswarr" <cswarr@discussions.microsoft.com> wrote in message
news:746516D0-76B4-41EE-BCB9-EFF47428BAFC@microsoft.com...
> I'm trying to export a verisign cert. from one Win2k3 web server to
> another.
> However, it's not letting me export the private key, just the cert. The
> export private key option is greyed out in the wizard. Why is it doing
> this
> and how can I get the cert. installed on my second web server? Thanks.
| |
| cswarr 2005-01-12, 5:55 pm |
| Thanks for the reply. That may be the case. I must not have checked off the
exportable box when I installed it. I'm going to have to look around for the
original request. I assume you mean the original CSR? I think I have the
certificate. If I can find them, how do I install it on the new server?
"Miha Pihler [MVP]" wrote:
> Hi,
>
> If the export the private key is grayed out (disabled) then this was a
> "mistake" made when this certificate was installed on this computer. When
> installing certificate you have an option to select "Mark this key as
> exportable" that is by default not enabled.
>
> http://freeweb.siol.net/mpihler/exportable.jpg
>
> Do you still have original request and certificate received from VeriSign.
> If yes, then you could use these to install this certificate on new
> server...
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "cswarr" <cswarr@discussions.microsoft.com> wrote in message
> news:746516D0-76B4-41EE-BCB9-EFF47428BAFC@microsoft.com...
>
>
>
| |
| Miha Pihler [MVP] 2005-01-12, 5:55 pm |
| Hi,
If you have original CSR (including private key), you could import it back
in Certificate MMC under computer account -> Certificate Enrollment Requests
.... Once you have your original request restored you then use certificate
that you received from VeriSign and proceed as if this was new request...
If you don't have original request, then you will have to generate new CSR
and request new certificate from VeriSign. I believe they will charge you
100 USD for this and not the full price. Still double check on this since
Thawte (another CA agency owned by VeriSign) will reissue SSL certificate
for free (under certain conditions -- including yours -- change of system).
Feel free to post back if you need more information.
--
Mike
Microsoft MVP - Windows Security
"cswarr" <cswarr@discussions.microsoft.com> wrote in message
news:759794DE-71BB-4DD1-89AA-6BEA98E815C6@microsoft.com...
> Thanks for the reply. That may be the case. I must not have checked off
> the
> exportable box when I installed it. I'm going to have to look around for
> the
> original request. I assume you mean the original CSR? I think I have the
> certificate. If I can find them, how do I install it on the new server?
>
<snip>
| |
| cswarr 2005-01-12, 5:55 pm |
| OK. I was able to import the CSR into the Certificate Enrollment requests on
my new server. There are two certs in there now, the one for my web site and
what looks like a verisign intermediate or root cert. What's next?
"Miha Pihler [MVP]" wrote:
> Hi,
>
> If you have original CSR (including private key), you could import it back
> in Certificate MMC under computer account -> Certificate Enrollment Requests
> .... Once you have your original request restored you then use certificate
> that you received from VeriSign and proceed as if this was new request...
>
> If you don't have original request, then you will have to generate new CSR
> and request new certificate from VeriSign. I believe they will charge you
> 100 USD for this and not the full price. Still double check on this since
> Thawte (another CA agency owned by VeriSign) will reissue SSL certificate
> for free (under certain conditions -- including yours -- change of system).
>
> Feel free to post back if you need more information.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "cswarr" <cswarr@discussions.microsoft.com> wrote in message
> news:759794DE-71BB-4DD1-89AA-6BEA98E815C6@microsoft.com...
>
> <snip>
>
>
>
| |
| Miha Pihler [MVP] 2005-01-13, 7:48 am |
| Hi,
Sorry, I tried this in my lab and I wasn't able to solve the problem (though
I have in my mind that I did this some time ago for my customer).
I will try few more things later today.
--
Mike
Microsoft MVP - Windows Security
"cswarr" <cswarr@discussions.microsoft.com> wrote in message
news:D1F633B5-316F-4734-847E-C026B17F9407@microsoft.com...[vbcol=seagreen]
> OK. I was able to import the CSR into the Certificate Enrollment requests
> on
> my new server. There are two certs in there now, the one for my web site
> and
> what looks like a verisign intermediate or root cert. What's next?
>
> "Miha Pihler [MVP]" wrote:
>
| |
| cswarr 2005-01-14, 5:51 pm |
| Thanks for your efforts. I had an idea...what if I remove the cert., then
re-import it on server 1, which is where it is currently being used and was
requested from? Maybe I can mark the private key as exportable during the
re-import and then the private key export would work to server 2. Sound
feasible?
"Miha Pihler [MVP]" wrote:
> Hi,
>
> Sorry, I tried this in my lab and I wasn't able to solve the problem (though
> I have in my mind that I did this some time ago for my customer).
> I will try few more things later today.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "cswarr" <cswarr@discussions.microsoft.com> wrote in message
> news:D1F633B5-316F-4734-847E-C026B17F9407@microsoft.com...
>
>
>
| |
| Miha Pihler [MVP] 2005-01-16, 5:49 pm |
| Sorry, but this will not work and could damage your working certiifcate on
the server.
--
Mike
Microsoft MVP - Windows Security
"cswarr" <cswarr@discussions.microsoft.com> wrote in message
news:8670D90F-ED6A-4EB3-BDE5-FA0204AF053C@microsoft.com...
> Thanks for your efforts. I had an idea...what if I remove the cert., then
> re-import it on server 1, which is where it is currently being used and
> was
> requested from? Maybe I can mark the private key as exportable during the
> re-import and then the private key export would work to server 2. Sound
> feasible?
<snip>
|
|
|
|
|