| Groups | Blog | Home |
iis security : Private & Public Key storage location
when I configure IIS server on a windows 2000 or 2003 server to use the ssl protocol, I have to make a certificate request, during which the web site generates a Key pair (public & private). My public key is sent to the CA alomg with my certificate request. I wish to know where is my web site key pair stored on my local system. Can I also see the public key & is it possible to have both this keys copied to a desired location as a backup.
You only send the request file to CA. CA will then issue you the cert with
both private and public key. To back it up, export the key (including private) and safe guard the file, refer HOW TO: Back Up a Server Certificate in Internet Information Services 5.0 http://support.microsoft.com/?id=232136 -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Vicky" <Vicky@discussions.microsoft.com> wrote in message news:322F8088-D472-487F-8F30-F1616EFCD995@microsoft.com... > hi, > > when I configure IIS server on a windows 2000 or 2003 server to use the > ssl > protocol, I have to make a certificate request, during which the web site > generates a Key pair (public & private). > > My public key is sent to the CA alomg with my certificate request. > I wish to know where is my web site key pair stored on my local system. > Can > I also see the public key & is it possible to have both this keys copied > to a > desired location as a backup. > > > Vicky
I am shocked to here that it is the CA who generates the Private & public key
(Key Pair) for my own website. You seem to have shattered my understanding of the whole process. How can my private ley be a private affair if the CA generates it for me (my website). I think I need to build more clarity of the whole process. Maybe I have wrong ideas. [quoted text, click to view] "Bernard Cheah [MVP]" wrote:
> You only send the request file to CA. CA will then issue you the cert with > both private and public key. > > To back it up, export the key (including private) and safe guard the file, > refer > HOW TO: Back Up a Server Certificate in Internet Information Services 5.0 > http://support.microsoft.com/?id=232136 > > > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "Vicky" <Vicky@discussions.microsoft.com> wrote in message > news:322F8088-D472-487F-8F30-F1616EFCD995@microsoft.com... > > hi, > > > > when I configure IIS server on a windows 2000 or 2003 server to use the > > ssl > > protocol, I have to make a certificate request, during which the web site > > generates a Key pair (public & private). > > > > My public key is sent to the CA alomg with my certificate request. > > I wish to know where is my web site key pair stored on my local system. > > Can > > I also see the public key & is it possible to have both this keys copied > > to a > > desired location as a backup. > > > > > > Vicky > >
Dear Bernard,
I have read all that stuff at the links you are refering to. The pages on MS wesite lack clarity & I have wrote a comment to them such as 1] Under the section "Obtain a Certificate" "......The CSR is simply an encrypted text message that is encrypted with a public/private key pair." Now could it be made clear A] if the website generates a Keypair of its own before it creates the CSR B] How can the CSR be encrypted by Public/private key both at the same time? C] Is it that the CSR contains both the private & public keys of the website? What is true & presice ? [quoted text, click to view] "Bernard Cheah [MVP]" wrote:
> Read - > How To Enable SSL for All Customers Who Interact with Your Web Site in > Internet Information Services > http://support.microsoft.com/?id=298805 > > that's why typically - we have trusted CA list in browser that we can trust. > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "Vicky" <Vicky@discussions.microsoft.com> wrote in message > news:90DB2326-7C0B-4457-91CD-2E7ABC1828FB@microsoft.com... > >I am shocked to here that it is the CA who generates the Private & public > >key > > (Key Pair) for my own website. > > You seem to have shattered my understanding of the whole process. How can > > my > > private ley be a private affair if the CA generates it for me (my > > website). > > I think I need to build more clarity of the whole process. Maybe I have > > wrong ideas. > > > > "Bernard Cheah [MVP]" wrote: > > > >> You only send the request file to CA. CA will then issue you the cert > >> with > >> both private and public key. > >> > >> To back it up, export the key (including private) and safe guard the > >> file, > >> refer > >> HOW TO: Back Up a Server Certificate in Internet Information Services 5.0 > >> http://support.microsoft.com/?id=232136 > >> > >> > >> > >> -- > >> Regards, > >> Bernard Cheah > >> http://www.iis.net/ > >> http://www.iis-resources.com/ > >> http://msmvps.com/blogs/bernard/ > >> > >> > >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message > >> news:322F8088-D472-487F-8F30-F1616EFCD995@microsoft.com... > >> > hi, > >> > > >> > when I configure IIS server on a windows 2000 or 2003 server to use the > >> > ssl > >> > protocol, I have to make a certificate request, during which the web > >> > site > >> > generates a Key pair (public & private). > >> > > >> > My public key is sent to the CA alomg with my certificate request. > >> > I wish to know where is my web site key pair stored on my local system. > >> > Can > >> > I also see the public key & is it possible to have both this keys > >> > copied > >> > to a > >> > desired location as a backup. > >> > > >> > > >> > Vicky > >> > >> > >> > >
Read -
How To Enable SSL for All Customers Who Interact with Your Web Site in Internet Information Services http://support.microsoft.com/?id=298805 that's why typically - we have trusted CA list in browser that we can trust. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Vicky" <Vicky@discussions.microsoft.com> wrote in message news:90DB2326-7C0B-4457-91CD-2E7ABC1828FB@microsoft.com... >I am shocked to here that it is the CA who generates the Private & public >key > (Key Pair) for my own website. > You seem to have shattered my understanding of the whole process. How can > my > private ley be a private affair if the CA generates it for me (my > website). > I think I need to build more clarity of the whole process. Maybe I have > wrong ideas. > > "Bernard Cheah [MVP]" wrote: > >> You only send the request file to CA. CA will then issue you the cert >> with >> both private and public key. >> >> To back it up, export the key (including private) and safe guard the >> file, >> refer >> HOW TO: Back Up a Server Certificate in Internet Information Services 5.0 >> http://support.microsoft.com/?id=232136 >> >> >> >> -- >> Regards, >> Bernard Cheah >> http://www.iis.net/ >> http://www.iis-resources.com/ >> http://msmvps.com/blogs/bernard/ >> >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message >> news:322F8088-D472-487F-8F30-F1616EFCD995@microsoft.com... >> > hi, >> > >> > when I configure IIS server on a windows 2000 or 2003 server to use the >> > ssl >> > protocol, I have to make a certificate request, during which the web >> > site >> > generates a Key pair (public & private). >> > >> > My public key is sent to the CA alomg with my certificate request. >> > I wish to know where is my web site key pair stored on my local system. >> > Can >> > I also see the public key & is it possible to have both this keys >> > copied >> > to a >> > desired location as a backup. >> > >> > >> > Vicky >> >> >>
Dear Bernard,
As you say " To me, the issued cert from a trusted CA, contains both public/private keys." I would like to ask the following. A] If the cert from a CA contains both public/private key & the cert is then installed for your website, it will be sent to all the clients who connect to that website. This way, the private key of the website is revealed to the client & the purpose of achieving transaction level security is defeated. B] If the CA is going to generate/derive/create a private key for my web site, then what is private about the private key? I think the private key for my website is & should only be know to my website & not to anyone else, not even the CA. C] I believe that a website cert contains the following important components embedded (Correct me if I am wrong) 1] Issued to 2] issued by 3] validity 4] purpose 5] digital signature of CA 6] public key of the website Regards Vicky [quoted text, click to view] "Bernard Cheah [MVP]" wrote:
> Well, I guessed it all depends on the discussion context. > Typically - CSR is encoded ASCII text with requested identification of the > computer, you can 'said' that public key is there, yes it is there, you can > also 'said' private key is also there, coz it will 'derive' or 'generate' > from it by the CA. > > In normal context, typically CSR don't associate with public or private > keys, because you can't really use it yet. > It will become 'valid' once the CA has signed and generate the real > certificate, then the concept of public/private key popup. > I hope I didn't confuse you, I mean you can't really don't anything with the > so called 'keys' with the CSR. > > Keys is only valid when the cert is issued. now - > > A] if the website generates a Keypair of its own before it creates the CSR > >> that's part of the CSR process, to the point here the key is useless > >> until the cert is installed > > > B] How can the CSR be encrypted by Public/private key both at the same > > time? > >> it is not encrypted, just encode. > > > C] Is it that the CSR contains both the private & public keys of the > > website? > >> again depend on how you actually see it. To me, the issued cert from a > >> trusted CA, contains both public/private keys. > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "Vicky" <Vicky@discussions.microsoft.com> wrote in message > news:B3052C4A-3501-4B71-8FE5-515089606B2C@microsoft.com... > > Dear Bernard, > > > > I have read all that stuff at the links you are refering to. > > The pages on MS wesite lack clarity & I have wrote a comment to them such > > as > > > > 1] Under the section > > > > "Obtain a Certificate" > > "......The CSR is simply an encrypted text message that is encrypted with > > a > > public/private key pair." > > > > Now could it be made clear > > A] if the website generates a Keypair of its own before it creates the CSR > > B] How can the CSR be encrypted by Public/private key both at the same > > time? > > C] Is it that the CSR contains both the private & public keys of the > > website? > > > > What is true & presice ? > > > > > > "Bernard Cheah [MVP]" wrote: > > > >> Read - > >> How To Enable SSL for All Customers Who Interact with Your Web Site in > >> Internet Information Services > >> http://support.microsoft.com/?id=298805 > >> > >> that's why typically - we have trusted CA list in browser that we can > >> trust. > >> > >> -- > >> Regards, > >> Bernard Cheah > >> http://www.iis.net/ > >> http://www.iis-resources.com/ > >> http://msmvps.com/blogs/bernard/ > >> > >> > >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message > >> news:90DB2326-7C0B-4457-91CD-2E7ABC1828FB@microsoft.com... > >> >I am shocked to here that it is the CA who generates the Private & > >> >public > >> >key > >> > (Key Pair) for my own website. > >> > You seem to have shattered my understanding of the whole process. How > >> > can > >> > my > >> > private ley be a private affair if the CA generates it for me (my > >> > website). > >> > I think I need to build more clarity of the whole process. Maybe I have > >> > wrong ideas. > >> > > >> > "Bernard Cheah [MVP]" wrote: > >> > > >> >> You only send the request file to CA. CA will then issue you the cert > >> >> with > >> >> both private and public key. > >> >> > >> >> To back it up, export the key (including private) and safe guard the > >> >> file, > >> >> refer > >> >> HOW TO: Back Up a Server Certificate in Internet Information Services > >> >> 5.0 > >> >> http://support.microsoft.com/?id=232136 > >> >> > >> >> > >> >> > >> >> -- > >> >> Regards, > >> >> Bernard Cheah > >> >> http://www.iis.net/ > >> >> http://www.iis-resources.com/ > >> >> http://msmvps.com/blogs/bernard/ > >> >> > >> >> > >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message > >> >> news:322F8088-D472-487F-8F30-F1616EFCD995@microsoft.com... > >> >> > hi, > >> >> > > >> >> > when I configure IIS server on a windows 2000 or 2003 server to use > >> >> > the > >> >> > ssl > >> >> > protocol, I have to make a certificate request, during which the web > >> >> > site > >> >> > generates a Key pair (public & private). > >> >> > > >> >> > My public key is sent to the CA alomg with my certificate request. > >> >> > I wish to know where is my web site key pair stored on my local > >> >> > system. > >> >> > Can > >> >> > I also see the public key & is it possible to have both this keys > >> >> > copied > >> >> > to a > >> >> > desired location as a backup. > >> >> > > >> >> > > >> >> > Vicky > >> >> > >> >> > >> >> > >> > >> > >> > >
Well, I guessed it all depends on the discussion context.
Typically - CSR is encoded ASCII text with requested identification of the computer, you can 'said' that public key is there, yes it is there, you can also 'said' private key is also there, coz it will 'derive' or 'generate' from it by the CA. In normal context, typically CSR don't associate with public or private keys, because you can't really use it yet. It will become 'valid' once the CA has signed and generate the real certificate, then the concept of public/private key popup. I hope I didn't confuse you, I mean you can't really don't anything with the so called 'keys' with the CSR. Keys is only valid when the cert is issued. now - [quoted text, click to view] > A] if the website generates a Keypair of its own before it creates the CSR >> that's part of the CSR process, to the point here the key is useless >> until the cert is installed > B] How can the CSR be encrypted by Public/private key both at the same > time? >> it is not encrypted, just encode. > C] Is it that the CSR contains both the private & public keys of the > website? >> again depend on how you actually see it. To me, the issued cert from a >> trusted CA, contains both public/private keys. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Vicky" <Vicky@discussions.microsoft.com> wrote in message news:B3052C4A-3501-4B71-8FE5-515089606B2C@microsoft.com... > Dear Bernard, > > I have read all that stuff at the links you are refering to. > The pages on MS wesite lack clarity & I have wrote a comment to them such > as > > 1] Under the section > > "Obtain a Certificate" > "......The CSR is simply an encrypted text message that is encrypted with > a > public/private key pair." > > Now could it be made clear > A] if the website generates a Keypair of its own before it creates the CSR > B] How can the CSR be encrypted by Public/private key both at the same > time? > C] Is it that the CSR contains both the private & public keys of the > website? > > What is true & presice ? > > > "Bernard Cheah [MVP]" wrote: > >> Read - >> How To Enable SSL for All Customers Who Interact with Your Web Site in >> Internet Information Services >> http://support.microsoft.com/?id=298805 >> >> that's why typically - we have trusted CA list in browser that we can >> trust. >> >> -- >> Regards, >> Bernard Cheah >> http://www.iis.net/ >> http://www.iis-resources.com/ >> http://msmvps.com/blogs/bernard/ >> >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message >> news:90DB2326-7C0B-4457-91CD-2E7ABC1828FB@microsoft.com... >> >I am shocked to here that it is the CA who generates the Private & >> >public >> >key >> > (Key Pair) for my own website. >> > You seem to have shattered my understanding of the whole process. How >> > can >> > my >> > private ley be a private affair if the CA generates it for me (my >> > website). >> > I think I need to build more clarity of the whole process. Maybe I have >> > wrong ideas. >> > >> > "Bernard Cheah [MVP]" wrote: >> > >> >> You only send the request file to CA. CA will then issue you the cert >> >> with >> >> both private and public key. >> >> >> >> To back it up, export the key (including private) and safe guard the >> >> file, >> >> refer >> >> HOW TO: Back Up a Server Certificate in Internet Information Services >> >> 5.0 >> >> http://support.microsoft.com/?id=232136 >> >> >> >> >> >> >> >> -- >> >> Regards, >> >> Bernard Cheah >> >> http://www.iis.net/ >> >> http://www.iis-resources.com/ >> >> http://msmvps.com/blogs/bernard/ >> >> >> >> >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message >> >> news:322F8088-D472-487F-8F30-F1616EFCD995@microsoft.com... >> >> > hi, >> >> > >> >> > when I configure IIS server on a windows 2000 or 2003 server to use >> >> > the >> >> > ssl >> >> > protocol, I have to make a certificate request, during which the web >> >> > site >> >> > generates a Key pair (public & private). >> >> > >> >> > My public key is sent to the CA alomg with my certificate request. >> >> > I wish to know where is my web site key pair stored on my local >> >> > system. >> >> > Can >> >> > I also see the public key & is it possible to have both this keys >> >> > copied >> >> > to a >> >> > desired location as a backup. >> >> > >> >> > >> >> > Vicky >> >> >> >> >> >> >> >> >>
Alright -
a) when client connect to the SSL site, this is what's going on. Keys are NOT sent, it just uses to encrypt and decrypt. client use the public key to encrypt and server uses its private keys to decode. Description of the Secure Sockets Layer (SSL) Handshake http://support.microsoft.com/?id=257591 b) CA will need to sign it and the generate it. and they have to be trusted. Keyword is 'trusted'. When you got the server cert file, it containts both public and private keys. You will see 'You have the private key that corresponds to this certiticate' when you view the cert. c) Yes, and if that's the server cert issued from CA for your host server authentication, it will has the private key as well. not to forgot some other detail like the key usage (server or client auth), version, etc. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Vicky" <Vicky@discussions.microsoft.com> wrote in message
news:10DCF32E-7956-4260-937A-255FA1E97B2E@microsoft.com... > Dear Bernard, > > As you say " To me, the issued cert from a trusted CA, contains both > public/private keys." > > I would like to ask the following. > > A] If the cert from a CA contains both public/private key & the cert is > then > installed for your website, it will be sent to all the clients who connect > to > that website. This way, the private key of the website is revealed to the > client & the purpose of achieving transaction level security is defeated. > > B] If the CA is going to generate/derive/create a private key for my web > site, then what is private about the private key? I think the private key > for > my website is & should only be know to my website & not to anyone else, > not > even the CA. > > C] I believe that a website cert contains the following important > components > embedded (Correct me if I am wrong) > 1] Issued to 2] issued by 3] validity 4] purpose 5] digital signature of > CA > 6] public key of the website > > Regards > > Vicky > > "Bernard Cheah [MVP]" wrote: > >> Well, I guessed it all depends on the discussion context. >> Typically - CSR is encoded ASCII text with requested identification of >> the >> computer, you can 'said' that public key is there, yes it is there, you >> can >> also 'said' private key is also there, coz it will 'derive' or 'generate' >> from it by the CA. >> >> In normal context, typically CSR don't associate with public or private >> keys, because you can't really use it yet. >> It will become 'valid' once the CA has signed and generate the real >> certificate, then the concept of public/private key popup. >> I hope I didn't confuse you, I mean you can't really don't anything with >> the >> so called 'keys' with the CSR. >> >> Keys is only valid when the cert is issued. now - >> > A] if the website generates a Keypair of its own before it creates the >> > CSR >> >> that's part of the CSR process, to the point here the key is useless >> >> until the cert is installed >> >> > B] How can the CSR be encrypted by Public/private key both at the same >> > time? >> >> it is not encrypted, just encode. >> >> > C] Is it that the CSR contains both the private & public keys of the >> > website? >> >> again depend on how you actually see it. To me, the issued cert from a >> >> trusted CA, contains both public/private keys. >> >> -- >> Regards, >> Bernard Cheah >> http://www.iis.net/ >> http://www.iis-resources.com/ >> http://msmvps.com/blogs/bernard/ >> >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message >> news:B3052C4A-3501-4B71-8FE5-515089606B2C@microsoft.com... >> > Dear Bernard, >> > >> > I have read all that stuff at the links you are refering to. >> > The pages on MS wesite lack clarity & I have wrote a comment to them >> > such >> > as >> > >> > 1] Under the section >> > >> > "Obtain a Certificate" >> > "......The CSR is simply an encrypted text message that is encrypted >> > with >> > a >> > public/private key pair." >> > >> > Now could it be made clear >> > A] if the website generates a Keypair of its own before it creates the >> > CSR >> > B] How can the CSR be encrypted by Public/private key both at the same >> > time? >> > C] Is it that the CSR contains both the private & public keys of the >> > website? >> > >> > What is true & presice ? >> > >> > >> > "Bernard Cheah [MVP]" wrote: >> > >> >> Read - >> >> How To Enable SSL for All Customers Who Interact with Your Web Site in >> >> Internet Information Services >> >> http://support.microsoft.com/?id=298805 >> >> >> >> that's why typically - we have trusted CA list in browser that we can >> >> trust. >> >> >> >> -- >> >> Regards, >> >> Bernard Cheah >> >> http://www.iis.net/ >> >> http://www.iis-resources.com/ >> >> http://msmvps.com/blogs/bernard/ >> >> >> >> >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message >> >> news:90DB2326-7C0B-4457-91CD-2E7ABC1828FB@microsoft.com... >> >> >I am shocked to here that it is the CA who generates the Private & >> >> >public >> >> >key >> >> > (Key Pair) for my own website. >> >> > You seem to have shattered my understanding of the whole process. >> >> > How >> >> > can >> >> > my >> >> > private ley be a private affair if the CA generates it for me (my >> >> > website). >> >> > I think I need to build more clarity of the whole process. Maybe I >> >> > have >> >> > wrong ideas. >> >> > >> >> > "Bernard Cheah [MVP]" wrote: >> >> > >> >> >> You only send the request file to CA. CA will then issue you the >> >> >> cert >> >> >> with >> >> >> both private and public key. >> >> >> >> >> >> To back it up, export the key (including private) and safe guard >> >> >> the >> >> >> file, >> >> >> refer >> >> >> HOW TO: Back Up a Server Certificate in Internet Information >> >> >> Services >> >> >> 5.0 >> >> >> http://support.microsoft.com/?id=232136 >> >> >> >> >> >> >> >> >> >> >> >> -- >> >> >> Regards, >> >> >> Bernard Cheah >> >> >> http://www.iis.net/ >> >> >> http://www.iis-resources.com/ >> >> >> http://msmvps.com/blogs/bernard/ >> >> >> >> >> >> >> >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message >> >> >> news:322F8088-D472-487F-8F30-F1616EFCD995@microsoft.com... >> >> >> > hi, >> >> >> > >> >> >> > when I configure IIS server on a windows 2000 or 2003 server to >> >> >> > use >> >> >> > the >> >> >> > ssl >> >> >> > protocol, I have to make a certificate request, during which the >> >> >> > web >> >> >> > site >> >> >> > generates a Key pair (public & private). >> >> >> > >> >> >> > My public key is sent to the CA alomg with my certificate >> >> >> > request. >> >> >> > I wish to know where is my web site key pair stored on my local >> >> >> > system. >> >> >> > Can
Its difficult for me to digest as to what you say
"b) CA will need to sign it and the generate it. and they have to be trusted. Keyword is 'trusted'. When you got the server cert file, it containts both public and private keys. You will see 'You have the private key that corresponds to this certiticate' when you view the cert." well my understanding is that, when the website makes a request for cert, it first generates a key pair at its end & send only the public key to the CA along with the other websites details in the request. The CA never know the private key of the website. Well then the CA creates a electronic doc, we call as the webserver cert in which it embedds the websites Public key & signs the cert with its own digital signature. The cert does not have the private key of the website. It is never disclosed to anyone except the website itself. After the cert is installed on the website & SSL enabled, Next when the client connects to the website, the server cert is sent to the client for verification. The client first verfies the digital signature of the CA in the cert with the local Browser cert database. After the verification the client generates a session key that it encrypts using the public key of the website & the encrypted session key is sent to the website. At the website end, upon receiving the encrypted session key, the website uses its private key to decrypt it & now both the client & server have something in common & that is the session key. The actual data tran/recp uses the session key for encryption/decryption at both the ends. The session key is discarded by both the client & server upon termination of the session. When you view the cert it does say that 'You have the private key that corresponds to this certiticate' but it is not in the cert nor is it sent to the webserver by the CA. The private key was generated by the website & is stored on the local machine, never disclosed & sent anywhere, unless we choose to export, in order to save it. I just wanted to know the file system path where I can find the Private/public key stored in IIS windows 2003 server. [quoted text, click to view] "Bernard Cheah [MVP]" wrote:
> Alright - > a) when client connect to the SSL site, this is what's going on. Keys are > NOT sent, it just uses to encrypt and decrypt. client use the public key to > encrypt and server uses its private keys to decode. > Description of the Secure Sockets Layer (SSL) Handshake > http://support.microsoft.com/?id=257591 > > b) CA will need to sign it and the generate it. and they have to be trusted. > Keyword is 'trusted'. When you got the server cert file, it containts both > public and private keys. You will see 'You have the private key that > corresponds to this certiticate' when you view the cert. > > c) Yes, and if that's the server cert issued from CA for your host server > authentication, it will has the private key as well. not to forgot some > other detail like the key usage (server or client auth), version, etc. > > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "Vicky" <Vicky@discussions.microsoft.com> wrote in message > news:10DCF32E-7956-4260-937A-255FA1E97B2E@microsoft.com... > > Dear Bernard, > > > > As you say " To me, the issued cert from a trusted CA, contains both > > public/private keys." > > > > I would like to ask the following. > > > > A] If the cert from a CA contains both public/private key & the cert is > > then > > installed for your website, it will be sent to all the clients who connect > > to > > that website. This way, the private key of the website is revealed to the > > client & the purpose of achieving transaction level security is defeated. > > > > B] If the CA is going to generate/derive/create a private key for my web > > site, then what is private about the private key? I think the private key > > for > > my website is & should only be know to my website & not to anyone else, > > not > > even the CA. > > > > C] I believe that a website cert contains the following important > > components > > embedded (Correct me if I am wrong) > > 1] Issued to 2] issued by 3] validity 4] purpose 5] digital signature of > > CA > > 6] public key of the website > > > > Regards > > > > Vicky > > > > "Bernard Cheah [MVP]" wrote: > > > >> Well, I guessed it all depends on the discussion context. > >> Typically - CSR is encoded ASCII text with requested identification of > >> the > >> computer, you can 'said' that public key is there, yes it is there, you > >> can > >> also 'said' private key is also there, coz it will 'derive' or 'generate' > >> from it by the CA. > >> > >> In normal context, typically CSR don't associate with public or private > >> keys, because you can't really use it yet. > >> It will become 'valid' once the CA has signed and generate the real > >> certificate, then the concept of public/private key popup. > >> I hope I didn't confuse you, I mean you can't really don't anything with > >> the > >> so called 'keys' with the CSR. > >> > >> Keys is only valid when the cert is issued. now - > >> > A] if the website generates a Keypair of its own before it creates the > >> > CSR > >> >> that's part of the CSR process, to the point here the key is useless > >> >> until the cert is installed > >> > >> > B] How can the CSR be encrypted by Public/private key both at the same > >> > time? > >> >> it is not encrypted, just encode. > >> > >> > C] Is it that the CSR contains both the private & public keys of the > >> > website? > >> >> again depend on how you actually see it. To me, the issued cert from a > >> >> trusted CA, contains both public/private keys. > >> > >> -- > >> Regards, > >> Bernard Cheah > >> http://www.iis.net/ > >> http://www.iis-resources.com/ > >> http://msmvps.com/blogs/bernard/ > >> > >> > >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message > >> news:B3052C4A-3501-4B71-8FE5-515089606B2C@microsoft.com... > >> > Dear Bernard, > >> > > >> > I have read all that stuff at the links you are refering to. > >> > The pages on MS wesite lack clarity & I have wrote a comment to them > >> > such > >> > as > >> > > >> > 1] Under the section > >> > > >> > "Obtain a Certificate" > >> > "......The CSR is simply an encrypted text message that is encrypted > >> > with > >> > a > >> > public/private key pair." > >> > > >> > Now could it be made clear > >> > A] if the website generates a Keypair of its own before it creates the > >> > CSR > >> > B] How can the CSR be encrypted by Public/private key both at the same > >> > time? > >> > C] Is it that the CSR contains both the private & public keys of the > >> > website? > >> > > >> > What is true & presice ? > >> > > >> > > >> > "Bernard Cheah [MVP]" wrote: > >> >
Thanks Bernard For being there & sharing your experience & Knowledge.
There's something thats going in my mind, & wanted to explore & Experiment more on it. So I wished I knew the file system path to the public & private keys. Vicky [quoted text, click to view] "Bernard Cheah [MVP]" wrote:
> I should have been more specific, the 'certificate' is not consider a > certificate until is signed and INSTALLED at the machine generating the CSR, > with that you complete the 'certificate' to have both public and private key > in your certificate store. > > You are referring to the signed 'electronic doc' while I'm focusing on the > 'completed' certificate. To view the complete cert, you access the cert mmc, > and you will see the 'You have the private key that corresponds to this > certiticate', else this is just a pubic cert that the public key can be > obtain via CA. > > I'm not aware of the actual system or file path of the certificate. It is > typically acces via certificate store using the certificate snap-in in MMC, > and you do your import and export in this interface rather than find the > 'content' and back it up. > > -- > Regards, > Bernard Cheah > http://www.iis.net/ > http://www.iis-resources.com/ > http://msmvps.com/blogs/bernard/ > > > "Vicky" <Vicky@discussions.microsoft.com> wrote in message > news:06A64629-3724-4951-95C1-D160327ADF23@microsoft.com... > > Its difficult for me to digest as to what you say > > > > "b) CA will need to sign it and the generate it. and they have to be > > trusted. > > Keyword is 'trusted'. When you got the server cert file, it containts both > > public and private keys. You will see 'You have the private key that > > corresponds to this certiticate' when you view the cert." > > > > well my understanding is that, > > > > when the website makes a request for cert, it first generates a key pair > > at > > its end & send only the public key to the CA along with the other websites > > details in the request. The CA never know the private key of the website. > > > > Well then the CA creates a electronic doc, we call as the webserver cert > > in > > which it embedds the websites Public key & signs the cert with its own > > digital signature. > > The cert does not have the private key of the website. It is never > > disclosed > > to anyone except the website itself. > > > > After the cert is installed on the website & SSL enabled, Next when the > > client connects to the website, the server cert is sent to the client for > > verification. The client first verfies the digital signature of the CA in > > the > > cert with the local Browser cert database. After the verification the > > client > > generates a session key that it encrypts using the public key of the > > website > > & the encrypted session key is sent to the website. > > > > At the website end, upon receiving the encrypted session key, the website > > uses its private key to decrypt it & now both the client & server have > > something in common & that is the session key. The actual data tran/recp > > uses > > the session key for encryption/decryption at both the ends. > > The session key is discarded by both the client & server upon termination > > of > > the session. > > > > When you view the cert it does say that 'You have the private key that > > corresponds to this certiticate' but it is not in the cert nor is it sent > > to > > the webserver by the CA. The private key was generated by the website & is > > stored on the local machine, never disclosed & sent anywhere, unless we > > choose to export, in order to save it. > > > > I just wanted to know the file system path where I can find the > > Private/public key stored in IIS windows 2003 server. > > > > > > "Bernard Cheah [MVP]" wrote: > > > >> Alright - > >> a) when client connect to the SSL site, this is what's going on. Keys are > >> NOT sent, it just uses to encrypt and decrypt. client use the public key > >> to > >> encrypt and server uses its private keys to decode. > >> Description of the Secure Sockets Layer (SSL) Handshake > >> http://support.microsoft.com/?id=257591 > >> > >> b) CA will need to sign it and the generate it. and they have to be > >> trusted. > >> Keyword is 'trusted'. When you got the server cert file, it containts > >> both > >> public and private keys. You will see 'You have the private key that > >> corresponds to this certiticate' when you view the cert. > >> > >> c) Yes, and if that's the server cert issued from CA for your host server > >> authentication, it will has the private key as well. not to forgot some > >> other detail like the key usage (server or client auth), version, etc. > >> > >> > >> -- > >> Regards, > >> Bernard Cheah > >> http://www.iis.net/ > >> http://www.iis-resources.com/ > >> http://msmvps.com/blogs/bernard/ > >> > >> > >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message > >> news:10DCF32E-7956-4260-937A-255FA1E97B2E@microsoft.com... > >> > Dear Bernard, > >> > > >> > As you say " To me, the issued cert from a trusted CA, contains both > >> > public/private keys." > >> > > >> > I would like to ask the following. > >> > > >> > A] If the cert from a CA contains both public/private key & the cert is > >> > then > >> > installed for your website, it will be sent to all the clients who > >> > connect > >> > to > >> > that website. This way, the private key of the website is revealed to > >> > the > >> > client & the purpose of achieving transaction level security is > >> > defeated. > >> > > >> > B] If the CA is going to generate/derive/create a private key for my > >> > web > >> > site, then what is private about the private key? I think the private > >> > key > >> > for > >> > my website is & should only be know to my website & not to anyone else, > >> > not > >> > even the CA. > >> > > >> > C] I believe that a website cert contains the following important > >> > components > >> > embedded (Correct me if I am wrong) > >> > 1] Issued to 2] issued by 3] validity 4] purpose 5] digital signature > >> > of > >> > CA > >> > 6] public key of the website > >> > > >> > Regards > >> > > >> > Vicky > >> > > >> > "Bernard Cheah [MVP]" wrote: > >> > > >> >> Well, I guessed it all depends on the discussion context. > >> >> Typically - CSR is encoded ASCII text with requested identification of > >> >> the > >> >> computer, you can 'said' that public key is there, yes it is there, > >> >> you > >> >> can > >> >> also 'said' private key is also there, coz it will 'derive' or > >> >> 'generate' > >> >> from it by the CA. > >> >> > >> >> In normal context, typically CSR don't associate with public or > >> >> private > >> >> keys, because you can't really use it yet. > >> >> It will become 'valid' once the CA has signed and generate the real
I should have been more specific, the 'certificate' is not consider a
certificate until is signed and INSTALLED at the machine generating the CSR, with that you complete the 'certificate' to have both public and private key in your certificate store. You are referring to the signed 'electronic doc' while I'm focusing on the 'completed' certificate. To view the complete cert, you access the cert mmc, and you will see the 'You have the private key that corresponds to this certiticate', else this is just a pubic cert that the public key can be obtain via CA. I'm not aware of the actual system or file path of the certificate. It is typically acces via certificate store using the certificate snap-in in MMC, and you do your import and export in this interface rather than find the 'content' and back it up. -- Regards, Bernard Cheah http://www.iis.net/ http://www.iis-resources.com/ http://msmvps.com/blogs/bernard/ [quoted text, click to view] "Vicky" <Vicky@discussions.microsoft.com> wrote in message
news:06A64629-3724-4951-95C1-D160327ADF23@microsoft.com... > Its difficult for me to digest as to what you say > > "b) CA will need to sign it and the generate it. and they have to be > trusted. > Keyword is 'trusted'. When you got the server cert file, it containts both > public and private keys. You will see 'You have the private key that > corresponds to this certiticate' when you view the cert." > > well my understanding is that, > > when the website makes a request for cert, it first generates a key pair > at > its end & send only the public key to the CA along with the other websites > details in the request. The CA never know the private key of the website. > > Well then the CA creates a electronic doc, we call as the webserver cert > in > which it embedds the websites Public key & signs the cert with its own > digital signature. > The cert does not have the private key of the website. It is never > disclosed > to anyone except the website itself. > > After the cert is installed on the website & SSL enabled, Next when the > client connects to the website, the server cert is sent to the client for > verification. The client first verfies the digital signature of the CA in > the > cert with the local Browser cert database. After the verification the > client > generates a session key that it encrypts using the public key of the > website > & the encrypted session key is sent to the website. > > At the website end, upon receiving the encrypted session key, the website > uses its private key to decrypt it & now both the client & server have > something in common & that is the session key. The actual data tran/recp > uses > the session key for encryption/decryption at both the ends. > The session key is discarded by both the client & server upon termination > of > the session. > > When you view the cert it does say that 'You have the private key that > corresponds to this certiticate' but it is not in the cert nor is it sent > to > the webserver by the CA. The private key was generated by the website & is > stored on the local machine, never disclosed & sent anywhere, unless we > choose to export, in order to save it. > > I just wanted to know the file system path where I can find the > Private/public key stored in IIS windows 2003 server. > > > "Bernard Cheah [MVP]" wrote: > >> Alright - >> a) when client connect to the SSL site, this is what's going on. Keys are >> NOT sent, it just uses to encrypt and decrypt. client use the public key >> to >> encrypt and server uses its private keys to decode. >> Description of the Secure Sockets Layer (SSL) Handshake >> http://support.microsoft.com/?id=257591 >> >> b) CA will need to sign it and the generate it. and they have to be >> trusted. >> Keyword is 'trusted'. When you got the server cert file, it containts >> both >> public and private keys. You will see 'You have the private key that >> corresponds to this certiticate' when you view the cert. >> >> c) Yes, and if that's the server cert issued from CA for your host server >> authentication, it will has the private key as well. not to forgot some >> other detail like the key usage (server or client auth), version, etc. >> >> >> -- >> Regards, >> Bernard Cheah >> http://www.iis.net/ >> http://www.iis-resources.com/ >> http://msmvps.com/blogs/bernard/ >> >> >> "Vicky" <Vicky@discussions.microsoft.com> wrote in message >> news:10DCF32E-7956-4260-937A-255FA1E97B2E@microsoft.com... >> > Dear Bernard, >> > >> > As you say " To me, the issued cert from a trusted CA, contains both >> > public/private keys." >> > >> > I would like to ask the following. >> > >> > A] If the cert from a CA contains both public/private key & the cert is >> > then >> > installed for your website, it will be sent to all the clients who >> > connect >> > to >> > that website. This way, the private key of the website is revealed to >> > the >> > client & the purpose of achieving transaction level security is >> > defeated. >> > >> > B] If the CA is going to generate/derive/create a private key for my >> > web >> > site, then what is private about the private key? I think the private >> > key >> > for >> > my website is & should only be know to my website & not to anyone else, >> > not >> > even the CA. >> > >> > C] I believe that a website cert contains the following important >> > components >> > embedded (Correct me if I am wrong) >> > 1] Issued to 2] issued by 3] validity 4] purpose 5] digital signature >> > of >> > CA >> > 6] public key of the website >> > >> > Regards >> > >> > Vicky >> > >> > "Bernard Cheah [MVP]" wrote: >> > >> >> Well, I guessed it all depends on the discussion context. >> >> Typically - CSR is encoded ASCII text with requested identification of >> >> the >> >> computer, you can 'said' that public key is there, yes it is there, >> >> you >> >> can >> >> also 'said' private key is also there, coz it will 'derive' or >> >> 'generate' >> >> from it by the CA. >> >> >> >> In normal context, typically CSR don't associate with public or >> >> private >> >> keys, because you can't really use it yet. >> >> It will become 'valid' once the CA has signed and generate the real >> >> certificate, then the concept of public/private key popup. >> >> I hope I didn't confuse you, I mean you can't really don't anything >> >> with >> >> the >> >> so called 'keys' with the CSR. >> >> >> >> Keys is only valid when the cert is issued. now - >> >> > A] if the website generates a Keypair of its own before it creates >> >> > the >> >> > CSR >> >> >> that's part of the CSR process, to the point here the key is >> >> >> useless >> >> >> until the cert is installed >> >> >> >> > B] How can the CSR be encrypted by Public/private key both at the >> >> > same >> >> > time? >> >> >> it is not encrypted, just encode. >> >>
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |