no option to export Certificate private key

Archived from groups: microsoft.public.win2000.security

Hi,

I am new to learning how to set up MS Certificate for the Cisco VPN client. The MS
Certificate server runs on Windows 2000 AD with a one-way trust with the NT 4 domain. The Cisco
VPN client is authenticated against a Cisco Radius Server which looks up the
external database from the NT 4 domain.

VPN clients are able to request a new certificate from the MS Certificate
server & log on successfully. BUT, what disappoints me is that the certificate
generated on the user's machine is not transferable to another PC. My
preference is to prevent users from creating their own certificates. I wish all
certificates to be created & controlled by the administrator. I can export
the certificate but I am unable to export the user's private key. I guess
that's the reason why the certificate is not transferable between machines.
Am I right? But what's wrong with my configuration - why is the option to
export the private key not enabled?

Thanks heaps to whoever can guide me from here.

Cheers.
Seekr01
  1.

    You would not want to export the certificates/private keys anyhow - they are issued
    to computer names as shown on the certificate. You can control which computers get
    certificates by enabling auto enroll at the OU level where you put the computers you
    want to receive a machine certificate, even temporarily, and you can also control which
    computers receive certificates by configuring security on the certificate template in
    AD Sites and Services, where you have to select view/show services node first. Then,
    for example, go to the machine template and view properties/security, where you will
    see that domain computers have the enroll permission. You could add the computers
    that you want to receive that certificate to a global group and replace domain
    computers with your global group for enroll permissions. -- Steve
  2.

    Steve, thanks very much for your assistance. If we cannot export the private
    key, does it mean the machine needs to request a new certificate if one day
    it crashes and hence needs to be rebuilt? I always treat the export function as serving
    some sort of "backup/restore" purpose too - as I have seen many online documents
    about exporting keys.
    Rgds,
    Seeker01
  3.

    A few clarification questions:
    1. How are you doing the enrollment?
    2. What template are you using?
  4.

    Of course a full backup would be a way to restore your certificates. A
    System State backup might back up machine certificates; I am not 100 percent
    sure. Most certificates can simply be requested again if the machine crashes
    without causing a problem. The BIG exception that you may be referring to is
    certificates used to encrypt and decrypt files, such as for EFS. EFS private
    keys are by default exportable to a password-protected .pfx file and SHOULD
    be exported, because if a computer crashes and there are EFS files on it you
    can lose permanent access to your encrypted EFS files if you do not have the
    original private key to restore to the operating system. --- Steve
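Steve's advice above about backing up exportable keys to a password-protected .pfx, written out as an added PowerShell example (not from the thread or from Microsoft): it reports which certificates in the personal stores actually carry an exportable private key and backs up only those. It assumes Windows PowerShell 5.1 or later with the PKI module (Export-PfxCertificate) and an assumed backup directory under the user's profile.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+ with the PKI module.
$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
$BackupDir  = Join-Path $env:USERPROFILE 'cert-backup'   # assumed backup location

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) { return $false }   # non-RSA key: not covered by this check
        if ($key -is [System.Security.Cryptography.RSACng]) {
            # CNG key: ExportPolicy is a flags enum; None means the key never leaves this machine
            return $key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
        }
        # Legacy CSP key: the container records whether CRYPT_EXPORTABLE was set at generation;
        # that flag cannot be turned on afterwards, so $false here means re-enroll, not "unlock".
        return [bool] $key.CspKeyContainerInfo.Exportable
    } catch { return $false }   # key present but not readable by this account (e.g. no admin rights)
}

function Get-ExportabilityReport {
    param([string[]] $Paths)
    foreach ($path in $Paths) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Store = $path; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                               Exportable = Test-PrivateKeyExportable -Cert $cert }
        }
    }
}

$report = Get-ExportabilityReport -Paths $StorePaths
$report | Format-Table -AutoSize

# Back up only the exportable keys; the password protects the .pfx at rest.
$exportable = @($report | Where-Object Exportable)
if ($exportable.Count -gt 0) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    foreach ($entry in $exportable) {
        $cert = Get-Item -Path (Join-Path $entry.Store $entry.Thumbprint)
        $file = Join-Path $BackupDir "$($entry.Thumbprint).pfx"
        try   { Export-PfxCertificate -Cert $cert -FilePath $file -Password $pfxPassword | Out-Null }
        catch { Write-Warning "Export failed for $($entry.Thumbprint): $($_.Exception.Message)" }
    }
}
```

Run it elevated if the machine store should be included; keys reported as not exportable were generated without the exportable flag and can only be replaced by a new enrollment request.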
  5.

    Hi Avi,

    Thanks for helping. To answer your questions:

    1/ At the moment, Cisco VPN users request new certificates themselves via
    HTTP access. (This is not my preferred approach, because I would prefer the
    administrator to create and export the user certificate with the private key -
    but until I understand why the option to export the private key is not enabled, I
    cannot implement this method.)

    2/ I am using the IPSEC (offline) template. I use the IPSEC template because I am
    using its Department field as the unique identifier that matches the group
    policy that I have set on my Cisco VPN concentrator.

    Please note that:
    1/ Cisco VPN users are members of the NT 4 domain, not Win2K AD. The MS
    Certificate server is built on AD with a one-way trust established. Is that why
    "export private key" is not enabled?
    2/ Some Cisco VPN users are not members of the NT 4 domain but Cisco
    Radius users. The reason being they are external vendors, not our network
    users.

    Question:
    Is there a way (like any hotfixes) to enable the option to "export private
    key"?

    Thanks.
  6.

    Dear all,

    I know how to enable the export option now. Thanks very much for your help.

    Rgs, Seeker01