Not storing your private keys properly is dangerous.

How to export the private key from your Certificate Signing Request on Windows?


This article explains another small but significant gotcha you “just need to know” when working with certificates and certification authorities, and you, just like me, are for some reason still using Windows as your workhorse. I’ll go through how to export the private key that was stored on your machine when you generated a Certificate Signing Request (or a “Certificate Enrollment Request”, if you’re speaking Contosoan) to get someone to issue you a certificate according to your specification.

I’ll also go through the confusing terminology and some other points about the process. It’s a part of my ongoing learning journey, too :)

Background

Lately, I’ve been working a lot with AKS. And while working with AKS, you run into all kinds of requirements for certificates. And when working with certificates, you’ll probably end up requesting new ones occasionally (instead of just self-signing everything). To upload a certificate in the form Kubernetes, and thus AKS, understands (a secret of type kubernetes.io/tls, with tls.crt and tls.key entries), you need the certificate and its matching private key.

Makes sense. But where do these 2 come from?

Solution

Well, the short answer is that you get the certificate from a Certificate Authority (or, as quite often actually happens, your IT team), but they usually only issue a certificate based on a CSR, a Certificate Signing Request, which is something you create.

Creating the CSR generates a key pair: the public key goes into the CSR, and the private key stays on your machine. On Windows it is stashed away in the certificate store rather than written to a file next to the CSR, which is why it can be hard to find. This guide explains how to get it out!

Time needed: 10 minutes.

How to export a private key generated for a CSR using Certificate Store on Windows?

  1. Open the Windows Certificate Store for Local Computer (certlm.msc), not the Current User store (certmgr.msc)

    Opening the Certificate Store is going to be your first step. You’ll probably want to open it for Local Computer, not for your own user account, as at least some tools that generate CSRs place the private key in the machine store (tools that ask for a “machine” key do; tools that ask for a user key put it under Current User instead). You need local administrator rights to open the Local Computer store.

    Do all tools do that, though? I don’t know. I haven’t tried them all yet!

    Manage Computer Certificates in Windows Start Menu

  2. Navigate to Certificate Enrollment Requests > Certificates

    From the left hand side “folder” navigation, select “Certificate Enrollment Requests”, and then “Certificates” – you should be presented with a list of placeholder certificates. They represent certificates you’ve requested from an authority or issuer, not certificates that have actually been issued! But each one is linked to the private key that was generated for its request…

  3. Select the domain you created the CSR for

    You should probably know the host name or domain you generated the Certificate Signing Request for – find it in the list.

  4. Export the private key

    Now we’ll use the extremely user-friendly and straightforward UI to export the private key! 😉

    Jokes aside, a couple of steps to go through, really: right-click the entry and select “All Tasks > Export” > “Next” > “Yes, export the private key” > pick the PKCS #12 (.PFX) format > and whatever else you need to do to get the private key out of there. Protect the file with a password (a .pfx protected only with Windows group or user names is tied to that Windows identity and can’t be opened by OpenSSL), and be sure to remember it :) Name the file mykey.pfx and place it in C:\temp\export (or some other location that isn’t synced to OneDrive). If the wizard greys out “Yes, export the private key”, the key was generated as non-exportable and this route is closed.

  5. Use OpenSSL to export the key from the .pfx -file:

    Now we’ll use a tool called OpenSSL to export the key from the .pfx file. Figuring out where to get that tool can be a pain, but this wiki maintains a nice list of mirrors and tool versions for you. Or you can just use winget:
    winget install -e --id ShiningLight.OpenSSL

    Anyway – here’s what to run in command prompt, PowerShell, or a shell of your choice:

    cd C:\temp\export
    openssl pkcs12 -info -in mykey.pfx -nodes


    That should bring up a nice, long output: the bag attributes, the placeholder certificate and, because of -nodes, the private key in the clear. Keep in mind that it is now sitting in your console scrollback, too.

  6. Save the key

    You’ll want the block that starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY----- (older OpenSSL builds label it RSA PRIVATE KEY instead), BEGIN and END lines included. Copy it from the output and save it to my.key or a similar file. Since -nodes strips the passphrase, treat that file like the password it is: keep it out of synced folders and restrict who can read it.
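The whole procedure in one go, as an added example that is not part of the original post: it finds the pending request in the REQUEST store (which is what the “Certificate Enrollment Requests” folder is called in PowerShell’s Cert: drive), exports it the way the MMC wizard does, and then lets OpenSSL write the key straight to a file instead of you copying it out of the console. It assumes an elevated PowerShell prompt, openssl.exe on PATH, a CSR created for the hypothetical host www.example.com with an exportable machine key, and that Export-PfxCertificate accepts the placeholder entry just like the wizard does.

```powershell
# Added example, not from the original post: steps 1-6 from an elevated PowerShell prompt.
# Assumptions: openssl.exe is on PATH; the CSR was generated for the hypothetical host
# www.example.com with a Local Computer key; the key was created exportable.
$Subject = 'CN=www.example.com'
$OutDir  = 'C:\temp\export'          # as in the post: anywhere that is not synced to OneDrive
$PfxPath = Join-Path $OutDir 'mykey.pfx'
$KeyPath = Join-Path $OutDir 'my.key'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Steps 1-3: "Certificate Enrollment Requests" is the REQUEST store of the Cert: drive.
$pending = @(Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey })
if ($pending.Count -eq 0) { throw "No pending request for $Subject in LocalMachine\REQUEST" }
if ($pending.Count -gt 1) { throw "More than one request for $Subject; select by Thumbprint instead" }

# Step 4: the same export the MMC wizard does (PKCS #12 with the private key, password-protected).
$Password = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $pending[0] -FilePath $PfxPath -Password $Password | Out-Null

# Steps 5-6: let OpenSSL write the key to a file instead of copying it out of the console
# scrollback. -nocerts drops the placeholder certificate, -nodes leaves the key unencrypted.
# The password is handed over in an environment variable so it never appears on a command line.
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $Password).Password
try {
    & openssl pkcs12 -in $PfxPath -nocerts -nodes -passin env:PFX_PASS -out $KeyPath
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item Env:\PFX_PASS
}

# my.key now holds an unencrypted private key: make it readable by the current user only.
& icacls $KeyPath /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:F" | Out-Null

# Sanity check: the file parses and the key material is internally consistent.
& openssl pkey -in $KeyPath -noout -check
```

If the request was made with a non-exportable key, Export-PfxCertificate fails at step 4 exactly like the wizard does; the only fix is to generate a new CSR with an exportable key and have it re-issued.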

That’s it! You should now have the private key. Now you can proceed to compare it to a certificate to make sure they match, or do something else with it.
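Comparing the key to the issued certificate is worth doing before the pair goes anywhere near a cluster, because exporting the wrong entry from the REQUEST folder produces a perfectly valid key that simply belongs to another request. The check below is an added example, not code from the original post: it assumes openssl.exe and kubectl on PATH, a PEM-encoded certificate at the hypothetical path C:\temp\export\issued.cer (add -inform DER to the x509 command if your CA sent a binary .cer), and a hypothetical secret name.

```powershell
# Added example, not from the original post: verify that my.key belongs to the issued
# certificate, then build the kubernetes.io/tls secret AKS expects. Paths are hypothetical.
$KeyPath  = 'C:\temp\export\my.key'
$CertPath = 'C:\temp\export\issued.cer'   # the issued certificate, PEM (Base-64) encoded

function Test-KeyMatchesCert {
    param([string]$Key, [string]$Cert)
    # Both commands print the public key as SubjectPublicKeyInfo PEM, so the comparison
    # works for RSA and ECDSA keys alike without looking at moduli or curve points.
    $fromCert = & openssl x509 -in $Cert -noout -pubkey
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read certificate $Cert" }
    $fromKey = & openssl pkey -in $Key -pubout
    if ($LASTEXITCODE -ne 0) { throw "openssl could not read private key $Key" }
    return (($fromCert -join "`n") -eq ($fromKey -join "`n"))
}

if (-not (Test-KeyMatchesCert -Key $KeyPath -Cert $CertPath)) {
    throw 'Private key does not match the certificate: was the wrong request exported?'
}
'Key and certificate match.'

# Render the secret manifest without applying it; tls.crt should also carry any intermediate
# CA certificates, appended after the leaf, or clients will fail to build the chain.
& kubectl create secret tls www-example-com-tls --cert=$CertPath --key=$KeyPath --dry-run=client -o yaml
```

Drop --dry-run=client -o yaml (and add -n for the right namespace) once the rendered manifest looks right.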

Questions, answers, and interesting discussion points

What is the difference between Certificate Enrollment Request and CSR?

Ah, well, this is a source of some confusion! When you generate a CSR in Windows Certificate Manager (a snap-in of Microsoft Management Console, mmc.exe), it’s actually stored under a folder called “Certificate Enrollment Requests” (the store’s internal name is REQUEST, which is what you see in PowerShell’s Cert: drive).

If you want to add to the confusion, it’s a great idea to call the placeholder certificates in this folder “CERs” (abbreviation from Certificate Enrollment Request). Please don’t do that though, since a .cer file is something else: an exported certificate.

The placeholders in that folder are pending CSRs dressed up as certificates: each one carries the public key from the request and is linked to the matching private key. That’s also why you can export them as .pfx, further adding to the confusion!

But the main point of the story is that a “CSR” and a “Certificate Enrollment Request” describe the same request, just in really different forms: the CSR is the PKCS #10 file you send to the issuer, and the Certificate Enrollment Request is Windows’ own record of it, private key attached.

What’s the easiest way to generate a CSR on Windows?

That’s going to be very subjective – but I’ve found DigiCert’s certutil.exe really useful!

You can use it to generate a CSR that will, very conveniently, end up in your computer’s Certificate Store under Certificate Enrollment Requests. That way you get the “standard”, PEM-formatted CSR to send off, while the private key (and the other request details) is stored in Certificate Enrollment Requests as something you can export to .pfx. Windows’ built-in certreq.exe gives you the same result, provided the request asks for an exportable machine key; if it doesn’t, the entry still shows up in the folder, but the export wizard will refuse to hand out the key.

Confusing, but kinda convenient.
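For the record, here is the built-in way, as an added example that is not part of the original post: a certreq.exe request file that puts the key in Local Computer > Certificate Enrollment Requests and, crucially, marks it exportable (certreq defaults to a non-exportable key, which is what makes the export wizard grey out the private key option later). It assumes an elevated PowerShell prompt, openssl.exe on PATH for the read-back, and the hypothetical host name www.example.com.

```powershell
# Added example, not from the original post: generate a CSR with Windows' own certreq.exe so
# the private key lands in Local Computer > Certificate Enrollment Requests and stays
# exportable. Run elevated. The host name and directory are hypothetical.
$HostName = 'www.example.com'
$WorkDir  = 'C:\temp\export'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# MachineKeySet = TRUE  -> key goes to Local Computer (FALSE would put it under Current User).
# Exportable   = TRUE  -> the key can leave the store later; certreq's default is FALSE.
$Inf = @"
[NewRequest]
Subject = "CN=$HostName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
RequestType = PKCS10
MachineKeySet = TRUE
Exportable = TRUE
FriendlyName = "$HostName (pending request)"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"
"@
$InfPath = Join-Path $WorkDir 'request.inf'
$CsrPath = Join-Path $WorkDir 'request.csr'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

& certreq -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# The PEM CSR is what you send to the CA; -verify checks its self-signature.
& openssl req -in $CsrPath -noout -subject -verify

# ... and the matching private key now sits behind a placeholder entry in the REQUEST store.
Get-ChildItem Cert:\LocalMachine\REQUEST |
    Where-Object Subject -eq "CN=$HostName" |
    Format-List Subject, Thumbprint, HasPrivateKey, NotAfter
```

The 2.5.29.17 extension is the Subject Alternative Name; modern browsers ignore the CN for host name matching, so list every DNS name there.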

Why can’t you use OpenSSL in OneDrive for Business folders?

The default OneDrive for Business folder is named “OneDrive - <your organisation>”, spaces included, with no option to pick a plain name at setup. That breaks some tools, and plenty of scripts, that were made for a simpler world, unless every path is carefully quoted. OpenSSL is one of those tools. More to the point, a folder that syncs to the cloud is the last place an unencrypted private key belongs, so do this work outside OneDrive anyway.

I’m not going to lie – I’d like to have a word with the person who made this design choice. It makes OneDrive useless for actually storing your work-in-progress files in. So you’ll end up having all of the cert.pfx, cert_final.pfx, cert_final_final_v2.pfx etc. files on your machine, and only store the final version in OneDrive.

Kind of beats the whole point of using cloud file storage in the first place.
