Menu
By specifying a –pe switch ( using Makecert utility ) we make a private key exportable.
a) What is it meant by private key being exportable? That we can copy the created .pvk file ( containing private key ) to another system and use it there?
b) If so, then I assume .pvk is only created if private key is to be exported?! Thus, how do we use/obtain private key when we don't want to export it and thus don't specify –pe switch when creating a certificate?
thank you
681
Exporting a certificate with its private key allows you to move the certificate and key to another computer or server. This can be useful if you need to switch servers or if you're setting up a new server and want to use a certificate that's already been issued.
You may have to read encrypted mail messages from other computers. Due of security reasons you SHOULD never mark private keys as exportable for signing, user authentication and computer certificates (except CA own private keys). You're right. Private key is always generated on the client.
Go to: Certificates > Personal > Certificates. Right-click on the certificate you wish to export and go to All Tasks and hit Export. Hit Next on the Certificate Export Wizard to begin the process. Select “Yes, export the private key” and hit next.
A private key is exportable only when it is specified in the certificate request or certificate template that was used to create the certificate. Strong protection (also known as iteration count) is enabled by default in the Certificate Export Wizard when you export a certificate with its associated private key.
Makecert stores the private key of a key pair in a secure area of the local machine. If the private key is not marked as exportable, then the system will not allow anyone to export that private key to a transportable certificate file that can be copied or installed on another machine.
That means, if you don't specify the -pe command line option to MakeCert, the certificate created can only be used to decrypt data on that machine. The public key can be handed out for others to use to encrypt data, but only this machine can decrypt that data using the private key.
This is a good thing for maximum security. A user of the machine or a network attacker cannot steal the private key simply by exporting it to a file and running off with the file.
However, it's not the most convenient for ease of use. If you intend for multiple machines to decrypt data encrypted with the public key, then you will need to create the key with the exportable option so that you can export the public/private key pair and install them on the other machines you want to decrypt data on.
112
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
