Private key is NOT plain text exportable

Question

Tuesday, January 12, 2016 10:11 AM

Dear all,

Is there any documentation on what it means that the private key is not plain text exportable?

Please note that it is possible to export the private key using standard means into a PKCS12 (pfx) file, but using certutil I get the following information:

================ Certificate 1 ================
Serial Number: <Snipped>
Issuer: <Snipped>
 NotBefore: 10.11.2015 15:31
 NotAfter: 10.11.2017 15:41
Subject: <Snipped>
Template: <Snipped>
Cert Hash(sha1): a5 a0 d5 91 92 00 71 2b bd 0e 23 d8 26 c0 04 99 91 1f bf 4a
  Provider = Microsoft Software Key Storage Provider
Private key is NOT plain text exportable
Signature test passed
CertUtil: -store command completed successfully.

Kind regards

Martin Rublik

All replies (4)

Friday, January 15, 2016 9:32 AM ✅Answered

Thanks guys for the help.

If anyone is interested, I think I found the answer:

I guess the docs are here:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376242%28v=vs.85%29.aspx

and it means the key must be wrapped during the export https://msdn.microsoft.com/en-us/library/windows/desktop/aa376263%28v=vs.85%29.aspx

As the key is always wrapped in a PKCS12 export (this does not depend on the passphrase), the export using certutil will always be possible.

Martin
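The flag certutil is reporting is the key's NCRYPT_EXPORT_POLICY_PROPERTY: NCRYPT_ALLOW_EXPORT_FLAG permits only a wrapped (encrypted) export, while NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG additionally permits a plaintext key blob. The following PowerShell is an added example, not code from the thread or from Microsoft, that shows the difference from the .NET side: it creates two throwaway self-signed certificates in the current user's store with different -KeyExportPolicy values (ExportableEncrypted, which is also the cmdlet's default, versus Exportable), reads the CngKey.ExportPolicy of each, and then attempts both a plaintext blob export and a PFX export. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the PKI module (New-SelfSignedCertificate) available; the subject names and the password string are arbitrary test values.

```powershell
# Added example (not from the original thread). Requires Windows + PKI module.
# Creates two test certificates whose CNG keys differ only in export policy.

# ExportableEncrypted => NCRYPT_ALLOW_EXPORT_FLAG only (wrapped export permitted)
$wrappedOnly = New-SelfSignedCertificate -Subject 'CN=wrapped-only-test' -CertStoreLocation 'Cert:\CurrentUser\My' -Provider 'Microsoft Software Key Storage Provider' -KeyExportPolicy ExportableEncrypted

# Exportable => NCRYPT_ALLOW_EXPORT_FLAG | NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG
$plaintextOk = New-SelfSignedCertificate -Subject 'CN=plaintext-ok-test' -CertStoreLocation 'Cert:\CurrentUser\My' -Provider 'Microsoft Software Key Storage Provider' -KeyExportPolicy Exportable

function Get-CngKeyExportPolicy {
    # Returns the CngExportPolicies flags of the certificate's KSP-backed RSA key.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        throw "Key for $($Cert.Subject) is not a CNG (KSP) key; a CAPI key has no NCRYPT export policy."
    }
    # CngKey.ExportPolicy surfaces NCRYPT_EXPORT_POLICY_PROPERTY as a flags enum.
    return $rsa.Key.ExportPolicy
}

function Test-PlaintextKeyExport {
    # $true if the key can be exported as an unencrypted blob, $false otherwise.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    try {
        # GenericPrivateBlob is a plaintext export; the KSP refuses it unless
        # NCRYPT_ALLOW_PLAINTEXT_EXPORT_FLAG is set on the key.
        $null = $rsa.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
        return $true
    } catch {
        # Expect a CryptographicException ("The requested operation is not supported")
        return $false
    }
}

function Test-PfxKeyExport {
    # $true if a PKCS#12 (wrapped) export of cert + key succeeds.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        # 'test-password' is an arbitrary test value; the key is wrapped either way.
        $bytes = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'test-password')
        return ($bytes.Length -gt 0)
    } catch {
        return $false
    }
}

foreach ($c in @($wrappedOnly, $plaintextOk)) {
    '{0}: ExportPolicy={1}; plaintext export={2}; PFX export={3}' -f `
        $c.Subject, (Get-CngKeyExportPolicy $c), (Test-PlaintextKeyExport $c), (Test-PfxKeyExport $c)
}

# Same information as certutil reports it, for comparison with the thread's output.
certutil -user -store My $wrappedOnly.Thumbprint | Select-String 'exportable'
certutil -user -store My $plaintextOk.Thumbprint  | Select-String 'exportable'

# Remove the throwaway test certificates and their keys.
Remove-Item "Cert:\CurrentUser\My\$($wrappedOnly.Thumbprint)" -DeleteKey
Remove-Item "Cert:\CurrentUser\My\$($plaintextOk.Thumbprint)" -DeleteKey
```

The expected outcome is that the ExportableEncrypted key shows ExportPolicy=AllowExport, fails the plaintext blob export and succeeds the PFX export, while the Exportable key shows AllowExport, AllowPlaintextExport and succeeds both; the certutil lines should read "Private key is NOT plain text exportable" for the first certificate only. Note that a key with neither flag (NonExportable) would fail both exports, which is the setting to use when the point is to keep the key on the machine.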


Thursday, January 14, 2016 9:11 AM

Hi,

>>Please note that it is possible to export the private key using standard means into a PKCS12 (pfx) file

If we export the private key in a pfx file, it is protected by a password. The private key is not stored in plain text. It is encrypted.

Best Regards.

Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].


Thursday, January 14, 2016 1:36 PM

Hi,

thank you for your answer. I am aware that the PKCS12 file is encrypted, though I'm a little confused that it is possible to export the key without a passphrase, and if I check certutil -store my on another machine (same key) I don't get the "Private key is NOT plain text exportable" line. Thus I was looking for documentation on what exactly it means. Is there any way to export the private key without protection?

Thanks

Martin


Friday, January 15, 2016 7:25 AM

AFAIK, certutil allows exporting a certificate to PFX without a password.

Vadims Podāns, aka PowerShell CryptoGuy
My weblog: www.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell File Checksum Integrity Verifier tool.