Windows Certificate Store Private Key


Windows Certificate Store Private Key

harshvir
Hi All,
    I am trying to read Certificates and Private Key from Windows Certificate Store and then using them in OpenSSL. I am able to read Certificates but I am having trouble with reading Private Key. Has anyone done this before, any pointers will be great. Thanks.

// Harshvir


Re: Windows Certificate Store Private Key

Kyle Hamilton
Run mmc.exe (Microsoft Management Console), add the "Certificates" snap-in, and then export the certificate and private key to a PKCS#12 file.  Then use openssl pkcs12 to parse it.

-Kyle H

On Wed, Jun 23, 2010 at 3:43 PM, Harshvir Sidhu <[hidden email]> wrote:
> Hi All,
>     I am trying to read Certificates and Private Key from Windows
> Certificate Store and then using them in OpenSSL. I am able to read
> Certificates but I am having trouble with reading Private Key. Has anyone
> done this before, any pointers will be great. Thanks.
> // Harshvir
>



Re: Windows Certificate Store Private Key

Bernhard Fröhlich-2
In reply to this post by Kyle Hamilton
[hidden email] wrote:
> Run mmc.exe (Microsoft Management Console), add the "Certificates"
> snap-in, and then export the certificate and private key to a PKCS#12
> file.  Then use openssl pkcs12 to parse it.

Note that this works only if the private key is marked as exportable.

Ted
;)

>
> -Kyle H
>


--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
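As an added example (not code from the thread) for the snap-in export route in Kyle's reply and Ted's note that it only works for keys marked exportable: a POSIX shell script that round-trips a constructed key and certificate through a password-protected PKCS#12 file with the openssl CLI and checks that the recovered private key actually belongs to the certificate. It assumes the openssl CLI is on PATH; the identity names and password are made up.

```shell
# Added example, not from the thread: round-trip a certificate and private key
# through a password-protected PKCS#12 file (the format the Certificates
# snap-in exports) with the openssl CLI, then verify the recovered key really
# belongs to the certificate. Assumes openssl is on PATH; identities are constructed.
set -eu

# Create a constructed self-signed identity NAME (key + cert) in DIR.
make_test_identity() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name-roundtrip-test" \
        -keyout "$dir/$name-key.pem" -out "$dir/$name-cert.pem" >/dev/null 2>&1
}

# Pack cert + key into a PKCS#12 file protected by PASSWORD (the same kind of
# .pfx/.p12 file the snap-in's Export wizard writes for an exportable key).
pack_pkcs12() {
    dir=$1; name=$2; password=$3
    openssl pkcs12 -export -in "$dir/$name-cert.pem" -inkey "$dir/$name-key.pem" \
        -out "$dir/$name.p12" -passout "pass:$password"
}

# Parse the PKCS#12 back into PEM: the end-entity certificate, then the
# private key left unencrypted (-nodes) for use by other OpenSSL tools.
unpack_pkcs12() {
    dir=$1; name=$2; password=$3
    openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$password" \
        -clcerts -nokeys -out "$dir/$name-cert2.pem"
    openssl pkcs12 -in "$dir/$name.p12" -passin "pass:$password" \
        -nocerts -nodes -out "$dir/$name-key2.pem"
}

# Succeed only if the certificate's public key equals the public key derived
# from the private key, so a wrong or swapped key is caught before TLS use.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Full round trip: returns 0 when the recovered key matches its own cert and
# is rejected against an unrelated cert, 1 otherwise.
roundtrip() {
    dir=$(mktemp -d)
    make_test_identity "$dir" alice
    make_test_identity "$dir" bob
    pack_pkcs12 "$dir" alice "export-pass"
    unpack_pkcs12 "$dir" alice "export-pass"
    ok=1
    key_matches_cert "$dir/alice-cert2.pem" "$dir/alice-key2.pem" || ok=0
    key_matches_cert "$dir/bob-cert.pem" "$dir/alice-key2.pem" && ok=0
    rm -rf "$dir"
    [ "$ok" -eq 1 ]
}
```

The same key_matches_cert check is worth running on a real export too, since the snap-in wizard writes whatever key is associated with the certificate without confirming the pair.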

Re: Windows Certificate Store Private Key

Jakob Bohm-7
In reply to this post by harshvir
On 24-06-2010 00:43, Harshvir Sidhu wrote:
> Hi All,
>      I am trying to read Certificates and Private Key from Windows
> Certificate Store and then using them in OpenSSL. I am able to read
> Certificates but I am having trouble with reading Private Key. Has
> anyone done this before, any pointers will be great. Thanks.
>
Note that you are NEVER supposed to do that.  The Windows Certificate
Store is designed to behave like a smart card or HSM (even though it
is technically just software and can probably be cracked).  Private
Keys are not supposed to go out, although you CAN extract those private
keys that are marked "exportable" (which has nothing to do with the
old crypto-export-across-borders restrictions).  AeroWolf's reply is
about the manual way to extract keys that are marked "exportable";
keys that are not so marked cannot be extracted by ordinary means
and cannot be retroactively marked as exportable.

The best approach would be for someone to create an openssl "engine"
plugin which can call MS CryptoAPI and thus use any keys kept
by it without actually compromising the private key storage.  Maybe
someone has already done that.

Re: Windows Certificate Store Private Key

Dr. Stephen Henson
In reply to this post by harshvir
On Wed, Jun 23, 2010, Harshvir Sidhu wrote:

> Hi All,
>     I am trying to read Certificates and Private Key from Windows
> Certificate Store and then using them in OpenSSL. I am able to read
> Certificates but I am having trouble with reading Private Key. Has anyone
> done this before, any pointers will be great. Thanks.
>

Depends on what you want to do with the key. If you want to use it for SSL/TLS
client authentication then you can use the CryptoAPI ENGINE to pick an
appropriate certificate and key and use them directly. You just have to set the
SSL client authentication ENGINE to "capi".

For other purposes you can load the private key from the capi ENGINE using
ENGINE_load_private_key(). The string you pass by default is a substring of the
certificate name e.g. if it has CN=steve then "steve" will do.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Windows Certificate Store Private Key

harshvir
Hey thanks all for the reply.
Stephen:
   Yes, I have to do client authentication. Is there some sample available that demonstrates how I can use the capi engine for the same? Thanks.
 
// Harshvir

On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson <[hidden email]> wrote:
On Wed, Jun 23, 2010, Harshvir Sidhu wrote:

Depends on what you want to do with the key. If you want to use it for SSL/TLS
client authentication then you can use the CryptoAPI ENGINE to pick an
appropriate certificate and key and use them directly. You just have to set the
SSL client authentication ENGINE to "capi".

For other purposes you can load the private key from the capi ENGINE using
ENGINE_load_private_key(). The string you pass by default is a substring of the
certificate name e.g. if it has CN=steve then "steve" will do.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Windows Certificate Store Private Key

Dr. Stephen Henson
On Thu, Jun 24, 2010, Harshvir Sidhu wrote:

> Hey thanks all for the reply.
> Stephen:
>    Yes, I have to do client authentication. Is there some sample available
> that demonstrates how I can use the capi engine for the same? Thanks.
>

The option -ssl_client_cert_engine to s_client uses the relevant
functionality. All you do is look up the "capi" ENGINE and assign it to the
SSL_CTX, check the s_client.c source for more info.

If you only have one client certificate for a given CA then that is
sufficient. There are other options which can be set at compile time, such as
displaying a dialog box if there are multiple certificates or just arbitrarily
choosing the first one.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: Windows Certificate Store Private Key

Mohan Radhakrishnan
In reply to this post by harshvir
Hi,
       Please ignore if this question belongs elsewhere but it looks
like the OP is storing and retrieving SSL certificate from a Windows
store. I have been looking for ways to use the Windows store to secure
SSL certificates and keys and SFTP keys.

Is Windows or any other method recommended for storage of keys and
certificates not created by Windows? We just cut a CD with the keys
and hand it over to the custodian as recommended by PCI but we want a
storage server. I know that RedHat has a PKI server but we already
have Windows and the number of keys is less.

Thanks,
Mohan

On Thu, Jun 24, 2010 at 9:45 PM, Harshvir Sidhu <[hidden email]> wrote:

> Hey thanks all for the reply.
> Stephen:
>    Yes, I have to do client authentication. Is there some sample available
> that demonstrates how I can use the capi engine for the same? Thanks.
>
> // Harshvir
>

Re: Windows Certificate Store Private Key

Michael S. Zick-4
On Sat June 26 2010, Mohan Radhakrishnan wrote:

> Hi,
>        Please ignore if this question belongs elsewhere but it looks
> like the OP is storing and retrieving SSL certificate from a Windows
> store. I have been looking for ways to use the Windows store to secure
> SSL certificates and keys and SFTP keys.
>
> Is Windows or any other method recommended for storage of keys and
> certificates not created by Windows? We just cut a CD with the keys
> and hand it over to the custodian as recommended by PCI but we want a
> storage server. I know that RedHat has a PKI server but we already
> have Windows and the number of keys is less.
>

A good, widely used, general storage for sensitive information is TrueCrypt:
http://www.truecrypt.org/
Available for the most common operating systems.

Mike

> Thanks,
> Mohan
>

Re: Windows Certificate Store Private Key

iyage
In reply to this post by harshvir
A question for everyone:

What if you only use the BIO structures to call RAND_bytes(), in your
threads, and you are not using any of the SSL structures, do you still need a
callback function?  My purpose of using the OpenSSL library is to generate
random numbers only.

-

Re: Best way to store keys and certs on Windows [was: Windows Certificate Store Private Key]

Jakob Bohm-7
In reply to this post by Mohan Radhakrishnan
On 26-06-2010 18:29, Mohan Radhakrishnan wrote:

>         Please ignore if this question belongs elsewhere but it looks
> like the OP is storing and retrieving SSL certificate from a Windows
> store. I have been looking for ways to use the Windows store to secure
> SSL certificates and keys and SFTP keys.
>
> Is Windows or any other method recommended for storage of keys and
> certificates not created by Windows? We just cut a CD with the keys
> and hand it over to the custodian as recommended by PCI but we want a
> storage server. I know that RedHat has a PKI server but we already
> have Windows and the number of keys is less.
>

(You really should have started a new thread for this question, but I'll
answer anyway.)

The answer to this depends a lot on what kind of keys you are storing.
I note that you are going for PCI compliance, so I am assuming serious
security here.

1. If you are storing the sensitive private keys, then the proper
answer is: Key copies that are not used many times every day should
be stored in secure hardware not connected to any computer and locked
away in a serious well-guarded strong box; relevant hardware includes
Spyrus PCMCIA HSMs and high end smart cards.  For very rarely used key
copies, they should be split using Shamir's sharing scheme or similar
into parts stored on separate smart cards guarded by different people in
different strongboxes.  For key copies that are used frequently by
automated servers, you should use a large high end HSM (too heavy for
anyone to put in their pocket) fitted with internal motion sensors that
erase the keys if the device is physically moved anyway.

2. If you are storing just the public keys and certificates, and using
Windows, I would recommend the following combination:  Store each
certificate in a PEM/Base64 DER file with extension .cer and the
combined list of all of them in a binary DER file with extension .CRT.
Burn all those files to a CD and keep it in a read-only optical drive
(not a CD or DVD writer) in the server to prevent malicious
modifications (these file formats can be directly read and used by both
Windows and openssl; the openssl command line tool is good for making
the combined .crt).  Also put a copy of the certificates in Active
Directory group policies under appropriate categories, for instance CAs
under trusted CAs.

