Export Certificates in PKCS #12 format

[BillL]

Hi,

I'm trying to export certificates in Personal Information Exchange
format. When I try to use the Certificate Export WIzard from the CA
or from the Certifcates mmc snapin on my desktop the option
to export to a PKCS #12 format is always greyed out. I've also tried
to do a
certutil -getkey using the certificate's serial number but it comes
back with "cannot find object or property" . The certificate
template
does have the box "Allow private key to be exported" checked.

Is there a setting in the Certifcate template that must be set to
allow it to be exported in this format? Or am I missing something
else?

Thanks.

 

[Brian Komar \(MVP\)]

Where are you performing the export?
The export option to include the private key is only available at the
computer where the key pair was generated
You cannot, for example, choose an issued certificate at the CA, and then
choose to export the private key
Brian

"BillL" wrote in message
news:8dbe6102-b48b-4d66-827c-a44140ebacb4@h5g2000yqh.googlegroups.com...
> Hi,
>
> I'm trying to export certificates in Personal Information Exchange
> format. When I try to use the Certificate Export WIzard from the CA
> or from the Certifcates mmc snapin on my desktop the option
> to export to a PKCS #12 format is always greyed out. I've also tried
> to do a
> certutil -getkey using the certificate's serial number but it comes
> back with "cannot find object or property" . The certificate
> template
> does have the box "Allow private key to be exported" checked.
>
> Is there a setting in the Certifcate template that must be set to
> allow it to be exported in this format? Or am I missing something
> else?
>
> Thanks.

 

[BillL]

Thanks Brian for clarifying that for me. I was trying it on both the
CA and the workstation where the key was generated. I did get it to
work from the workstation.

Bill

 

[Brian Komar \(MVP\)]

You can only accomplish the retrieval from the CA if:
1) THe CA is enabled for key archival
2) The certificate template is set to the purpose of *encryption* or
*signature and encryption*
3) The certificate template enable archival of the encryption certificate
private key

Once you have this, then the recovery process involves:
1) A certificate manager extracting an encrypted blob from the CA
(certutil -getkey)
2) A Key Recovery agent decrypting the blob into a PKCS#12
(certutil -recoverkey

Brian

"BillL" wrote in message
news:f9fb5e90-c0be-40d7-8f83-00bcf63b9ad2@s20g2000yqh.googlegroups.com...
> Thanks Brian for clarifying that for me. I was trying it on both the
> CA and the workstation where the key was generated. I did get it to
> work from the workstation.
>
> Bill
>

 

[BillL]

On Feb 11, 2:31 pm, "Brian Komar \(MVP\)"
wrote:
> You can only accomplish the retrieval from the CA if:
> 1) THe CA is enabled for key archival
> 2) The certificate template is set to the purpose of *encryption* or
> *signature and encryption*
> 3) The certificate template enable archival of the encryption certificate
> private key
>
> Once you have this, then the recovery process involves:
> 1) A certificate manager extracting an encrypted blob from the CA
> (certutil -getkey)
> 2) A Key Recovery agent decrypting the blob into a PKCS#12
> (certutil -recoverkey
>
> Brian
>
> "BillL" wrote in message
>
> news:f9fb5e90-c0be-40d7-8f83-00bcf63b9ad2@s20g2000yqh.googlegroups.com...
>
>
>
> > Thanks Brian for clarifying that for me.  I was trying it on both the
> > CA and the workstation where the key was generated.  I did get it to
> > work from the workstation.
>
> > Bill- Hide quoted text -
>
> - Show quoted text -

Thanks Brian.