Sign in with
Sign up | Sign in
Your question

no option to export Certificate private key

Last response: in Windows 2000/NT
Share
Anonymous
August 31, 2004 1:11:04 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

I am new learning how to setup MS Certificate for Cisco VPN client. The MS
Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain. Cisco
VPN client is authenticated agains Cisco Radius Server which looks up the
external database from NT 4 domain.

VPN clients are able to request for a new certiicate from MS Certificate
server & logon successfully. BUT, what disappoints me is the generated
certificate from user's machine is not transferrable to another PC. My
preference is to prevent users to create their own certificate. I wish all
certificates to be created & controlled by the administrator. I can export
the certificate but I am unable to export the user's private key. I guess
that's the reason why the certificate is not transferrable between machines.
Am I right? But what's wrong with my configuration - why the option of
exporting the private key is not enabled?

Thanks heaps to whoever that can guide me from here.

Cheerrs.
Seekr01
Anonymous
August 31, 2004 8:45:27 AM

Archived from groups: microsoft.public.win2000.security (More info?)

You would not want to export the certificates/private keys anyhow - they are issued
to computer names as shown on the certificate. You can control what computer get
certificates by enabling auto enroll at the OU level where you put the computers you
want to receive a machine certificate, even temporarily and you can also control what
computers receive certificates by configuring security on the certificate template in
AD Sites and Services where you have to select view/show services node first. Then
for example go to the machine template and view properties/security where you will
see that domain computers have the enroll permission.You could add domain computers
to a global group that you want to receive that certificate and replace domain
computers with your global group for enroll permissions. -- Steve


"seeker01" <seeker01@discussions.microsoft.com> wrote in message
news:2B7AE050-0917-4779-8876-42F8CF4AFA33@microsoft.com...
> Hi,
>
> I am new learning how to setup MS Certificate for Cisco VPN client. The MS
> Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain. Cisco
> VPN client is authenticated agains Cisco Radius Server which looks up the
> external database from NT 4 domain.
>
> VPN clients are able to request for a new certiicate from MS Certificate
> server & logon successfully. BUT, what disappoints me is the generated
> certificate from user's machine is not transferrable to another PC. My
> preference is to prevent users to create their own certificate. I wish all
> certificates to be created & controlled by the administrator. I can export
> the certificate but I am unable to export the user's private key. I guess
> that's the reason why the certificate is not transferrable between machines.
> Am I right? But what's wrong with my configuration - why the option of
> exporting the private key is not enabled?
>
> Thanks heaps to whoever that can guide me from here.
>
> Cheerrs.
> Seekr01
>
>
Anonymous
August 31, 2004 8:45:28 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Steve, Thanks very much for your assistance. If we can not export the private
key, does it mean the machine needs to request a new certificate if one day
it crashes hence needs rebuilt? I always treat the export function as some
sort of "backup/restore" purpose too - as I have seen many online documents
about exporting keys.
Rgds,
Seeker01
"Steven L Umbach" wrote:

> You would not want to export the certificates/private keys anyhow - they are issued
> to computer names as shown on the certificate. You can control what computer get
> certificates by enabling auto enroll at the OU level where you put the computers you
> want to receive a machine certificate, even temporarily and you can also control what
> computers receive certificates by configuring security on the certificate template in
> AD Sites and Services where you have to select view/show services node first. Then
> for example go to the machine template and view properties/security where you will
> see that domain computers have the enroll permission.You could add domain computers
> to a global group that you want to receive that certificate and replace domain
> computers with your global group for enroll permissions. -- Steve
>
>
> "seeker01" <seeker01@discussions.microsoft.com> wrote in message
> news:2B7AE050-0917-4779-8876-42F8CF4AFA33@microsoft.com...
> > Hi,
> >
> > I am new learning how to setup MS Certificate for Cisco VPN client. The MS
> > Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain. Cisco
> > VPN client is authenticated agains Cisco Radius Server which looks up the
> > external database from NT 4 domain.
> >
> > VPN clients are able to request for a new certiicate from MS Certificate
> > server & logon successfully. BUT, what disappoints me is the generated
> > certificate from user's machine is not transferrable to another PC. My
> > preference is to prevent users to create their own certificate. I wish all
> > certificates to be created & controlled by the administrator. I can export
> > the certificate but I am unable to export the user's private key. I guess
> > that's the reason why the certificate is not transferrable between machines.
> > Am I right? But what's wrong with my configuration - why the option of
> > exporting the private key is not enabled?
> >
> > Thanks heaps to whoever that can guide me from here.
> >
> > Cheerrs.
> > Seekr01
> >
> >
>
>
>
Related resources
Anonymous
August 31, 2004 8:08:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Few clarification questions:
1. How are you doing the enrollment?
2. What template are you using?


"seeker01" <seeker01@discussions.microsoft.com> wrote in message
news:2B7AE050-0917-4779-8876-42F8CF4AFA33@microsoft.com...
> Hi,
>
> I am new learning how to setup MS Certificate for Cisco VPN client. The MS
> Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain.
> Cisco
> VPN client is authenticated agains Cisco Radius Server which looks up the
> external database from NT 4 domain.
>
> VPN clients are able to request for a new certiicate from MS Certificate
> server & logon successfully. BUT, what disappoints me is the generated
> certificate from user's machine is not transferrable to another PC. My
> preference is to prevent users to create their own certificate. I wish all
> certificates to be created & controlled by the administrator. I can export
> the certificate but I am unable to export the user's private key. I guess
> that's the reason why the certificate is not transferrable between
> machines.
> Am I right? But what's wrong with my configuration - why the option of
> exporting the private key is not enabled?
>
> Thanks heaps to whoever that can guide me from here.
>
> Cheerrs.
> Seekr01
>
>
Anonymous
August 31, 2004 8:41:00 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Of course a full backup would be a way to restore your certificates. A
System State backup might backup machine certificates, I am not 100 percent
sure. Most certificates can simply be requested again if the machine crashes
and not cause a problem. The BIG exception that you may be referring to are
certificates used to encrypt and decrypt files such as for EFS. EFS private
keys are by default exportable to a password protected .pfx file and SHOULD
be exported because if a computer crashes and there are EFS files on it you
can lose permanent access to your ecrypted EFS files if you do not have the
original private key to restore to the operating system. --- Steve


"seeker01" <seeker01@discussions.microsoft.com> wrote in message
news:A70D3808-412D-44A9-A09B-98E1015975DD@microsoft.com...
> Steve, Thanks very much for your assistance. If we can not export the
private
> key, does it mean the machine needs to request a new certificate if one
day
> it crashes hence needs rebuilt? I always treat the export function as some
> sort of "backup/restore" purpose too - as I have seen many online
documents
> about exporting keys.
> Rgds,
> Seeker01
> "Steven L Umbach" wrote:
>
> > You would not want to export the certificates/private keys anyhow - they
are issued
> > to computer names as shown on the certificate. You can control what
computer get
> > certificates by enabling auto enroll at the OU level where you put the
computers you
> > want to receive a machine certificate, even temporarily and you can also
control what
> > computers receive certificates by configuring security on the
certificate template in
> > AD Sites and Services where you have to select view/show services node
first. Then
> > for example go to the machine template and view properties/security
where you will
> > see that domain computers have the enroll permission.You could add
domain computers
> > to a global group that you want to receive that certificate and replace
domain
> > computers with your global group for enroll permissions. -- Steve
> >
> >
> > "seeker01" <seeker01@discussions.microsoft.com> wrote in message
> > news:2B7AE050-0917-4779-8876-42F8CF4AFA33@microsoft.com...
> > > Hi,
> > >
> > > I am new learning how to setup MS Certificate for Cisco VPN client.
The MS
> > > Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain.
Cisco
> > > VPN client is authenticated agains Cisco Radius Server which looks up
the
> > > external database from NT 4 domain.
> > >
> > > VPN clients are able to request for a new certiicate from MS
Certificate
> > > server & logon successfully. BUT, what disappoints me is the generated
> > > certificate from user's machine is not transferrable to another PC. My
> > > preference is to prevent users to create their own certificate. I wish
all
> > > certificates to be created & controlled by the administrator. I can
export
> > > the certificate but I am unable to export the user's private key. I
guess
> > > that's the reason why the certificate is not transferrable between
machines.
> > > Am I right? But what's wrong with my configuration - why the option of
> > > exporting the private key is not enabled?
> > >
> > > Thanks heaps to whoever that can guide me from here.
> > >
> > > Cheerrs.
> > > Seekr01
> > >
> > >
> >
> >
> >
Anonymous
August 31, 2004 8:49:11 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Avi,

Thanks for helping. To answer your questions:

1/ At the moment, Cisco VPN users request for new certificate themselves via
http access. (this is not my preferred approach because I would prefer
administrator to create and export user certificate with the private key -
but until I understand why the option to export private key is not enabled, I
can not implement this method)

2/ I am using IPSEC (offline) template. I use IPSEC template because I am
using its Department field as the unique identifier that matches the group
policy that I have set on my Cisco VPN concentrator.

Please note that :-
1/ Cisco VPN users are member of NT 4 domain members, not Win2K AD. MS
Certificate server is built on AD with 1 way trust established. Is that why
"export private key" not enabled?
2/ Some Cisco VPN users are not member of NT 4 domain members but Cisco
Radius users. The reason being they are external vendors, not our network
users.

Question:
Is there a way (like any hotfixes) to enable the option to "export private
key"?

Thanks.

"Avi Ben-Menahem [MSFT]" wrote:

> Few clarification questions:
> 1. How are you doing the enrollment?
> 2. What template are you using?
>
>
> "seeker01" <seeker01@discussions.microsoft.com> wrote in message
> news:2B7AE050-0917-4779-8876-42F8CF4AFA33@microsoft.com...
> > Hi,
> >
> > I am new learning how to setup MS Certificate for Cisco VPN client. The MS
> > Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain.
> > Cisco
> > VPN client is authenticated agains Cisco Radius Server which looks up the
> > external database from NT 4 domain.
> >
> > VPN clients are able to request for a new certiicate from MS Certificate
> > server & logon successfully. BUT, what disappoints me is the generated
> > certificate from user's machine is not transferrable to another PC. My
> > preference is to prevent users to create their own certificate. I wish all
> > certificates to be created & controlled by the administrator. I can export
> > the certificate but I am unable to export the user's private key. I guess
> > that's the reason why the certificate is not transferrable between
> > machines.
> > Am I right? But what's wrong with my configuration - why the option of
> > exporting the private key is not enabled?
> >
> > Thanks heaps to whoever that can guide me from here.
> >
> > Cheerrs.
> > Seekr01
> >
> >
>
>
>
Anonymous
August 31, 2004 10:59:14 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Dear all,

I knew how to enable the export option now. Thanks very much for your help.

Rgs,Seeker01

"seeker01" wrote:

> Hi Avi,
>
> Thanks for helping. To answer your questions:
>
> 1/ At the moment, Cisco VPN users request for new certificate themselves via
> http access. (this is not my preferred approach because I would prefer
> administrator to create and export user certificate with the private key -
> but until I understand why the option to export private key is not enabled, I
> can not implement this method)
>
> 2/ I am using IPSEC (offline) template. I use IPSEC template because I am
> using its Department field as the unique identifier that matches the group
> policy that I have set on my Cisco VPN concentrator.
>
> Please note that :-
> 1/ Cisco VPN users are member of NT 4 domain members, not Win2K AD. MS
> Certificate server is built on AD with 1 way trust established. Is that why
> "export private key" not enabled?
> 2/ Some Cisco VPN users are not member of NT 4 domain members but Cisco
> Radius users. The reason being they are external vendors, not our network
> users.
>
> Question:
> Is there a way (like any hotfixes) to enable the option to "export private
> key"?
>
> Thanks.
>
> "Avi Ben-Menahem [MSFT]" wrote:
>
> > Few clarification questions:
> > 1. How are you doing the enrollment?
> > 2. What template are you using?
> >
> >
> > "seeker01" <seeker01@discussions.microsoft.com> wrote in message
> > news:2B7AE050-0917-4779-8876-42F8CF4AFA33@microsoft.com...
> > > Hi,
> > >
> > > I am new learning how to setup MS Certificate for Cisco VPN client. The MS
> > > Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain.
> > > Cisco
> > > VPN client is authenticated agains Cisco Radius Server which looks up the
> > > external database from NT 4 domain.
> > >
> > > VPN clients are able to request for a new certiicate from MS Certificate
> > > server & logon successfully. BUT, what disappoints me is the generated
> > > certificate from user's machine is not transferrable to another PC. My
> > > preference is to prevent users to create their own certificate. I wish all
> > > certificates to be created & controlled by the administrator. I can export
> > > the certificate but I am unable to export the user's private key. I guess
> > > that's the reason why the certificate is not transferrable between
> > > machines.
> > > Am I right? But what's wrong with my configuration - why the option of
> > > exporting the private key is not enabled?
> > >
> > > Thanks heaps to whoever that can guide me from here.
> > >
> > > Cheerrs.
> > > Seekr01
> > >
> > >
> >
> >
> >
!