Exporting Certs/keys to users

Help
stef_204
2007-07-01
2013-03-09
  • stef_204
    2007-07-01

    Win32

    Hi,

    I have created a Root CA cert (self-signed) with XCA; and some user certs (signed by the CA cert) for my clients--to implement S/MIME in a Win32 environment.

    My understanding is that I need to 1) make Root CA Cert available to my clients so they can install it as an Authority in their browser and email client (like Outlook or Thunderbird); and 2) provide them with their own user certs with private keys, etc.; so they can also install these as their own certificates.

    I am a complete newbie at this so please be patient with me.

    I want to keep 1) and 2) separate and thought I could upload the Root CA Cert to my website and give my clients the link (password protected) so they can visit that web page and click on cert to install it, etc.

    Question: What format do I use to Export the Root CA Cert so I can post it on my site (without the private key I imagine)...?

    For 2) What format do I use to export the user certs so I can make them available to my clients?

    What about the user certs' private keys?  I generated those when creating the certs--perhaps that was a mistake?

    Can I email them their certs (encrypted) and tell them in person what the password is to open the cert?  If so, how do I do this--what formats, etc.?

    OR, is it better to implement SSL on my website (just on a subdomain like http://secure.mydomain.com) and have them go there to download their user cert?

    I am not looking to be complicated--rather I want to stay simple and efficient and make it easy for myself and especially my clients to get my Root CA cert and their own user cert.  But I also do not want to violate any security principles by not doing it right.

    Also, here is what my hosting company has told me:

    "Please generate a self-signed certificate and provide us with the certificate, CA certificate, RSA private key and we will install the certificate for your subdomain after you implement the dedicated IP."

    Makes sense?

    I would really like some help here so that I could be productive with XCA and be able to use S/MIME in a Win32 environment without requesting my clients to go and register at sites like Thawte or Verisign that want way too many details about you, etc.

    Thanks a lot for your help!

     
    • > I could upload the Root CA Cert to my website and give my clients the link (password protected)
      > so they can visit that web page and click on cert to install it, etc.
      No secret, no password needed.
      But you should provide a Fingerprint of your CA cert via a different media
      to allow the clients to verify the CA cert.

      > Question: What format do I use to Export the Root CA Cert so I can post it on my site (without the private key I imagine)...?
      PEM is usually understood by clients (without private key, of course)

      > What format do I use to export the user certs so I can make them available to my clients?
      PKCS#12

      > What about the user certs' private keys? I generated those when creating the certs--perhaps that was a mistake?
      They are then part of the password protected PKCS#12
      The other possibility was to ask the users to create a PKCS#10 request, import it, sign it and send back
      the resulting certificate. This way you never saw the client's private key.

      > Can I email them their certs (encrypted) and tell them in person what the password is to open the cert?
      Yes

      > If so, how do I do this--what formats, etc.?
      Cert:PKCS#12 ; Password:phonebox or mobile :-)

      > "Please generate a self-signed certificate and provide us with the certificate, CA certificate,
      > RSA private key and we will install the certificate for your subdomain after you implement the dedicated IP."

      > Makes sense?

      No. If you have a self-signed cert, you don't have a CA cert.
      If you want automatic trust from the visitors of your SSL site, you need a Thawte (example) signed certificate
      with your hostname secure.mydomain.com as common name. Otherwise the user will see a warning.
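As an added example (not XCA's own code and not from this thread's author), the same steps done with the OpenSSL command line so that each XCA export can be checked by hand: the CA certificate alone in PEM, its SHA-256 fingerprint for announcing over a second channel, and a user key plus certificate bundled in a password-protected PKCS#12 that also carries the CA certificate. The subjects, file names and password are constructed for the demo; `openssl` being on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not XCA code): the export formats from the reply above,
# reproduced with the OpenSSL CLI so the results can be inspected.
# Assumptions: openssl is installed; names, subjects and the password below
# are constructed for this demo.
set -eu

WORK=$(mktemp -d)
P12_PASS='demo-p12-password'   # constructed; hand it over out of band, not by e-mail

# 1) Self-signed root CA. ca.key stays with the administrator and is never published.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Demo Root CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2) What the clients receive: the CA *certificate* only, in PEM.
#    The grep proves the published file carries no private key.
export_ca_cert() {
    openssl x509 -in "$WORK/ca.pem" -out "$WORK/ca-public.pem"
    ! grep -q 'PRIVATE KEY' "$WORK/ca-public.pem"
}

# 3) Fingerprint to announce over a different medium (phone, printed letter)
#    so a client can check the downloaded CA cert before trusting it.
ca_fingerprint() {
    openssl x509 -in "$WORK/ca-public.pem" -noout -fingerprint -sha256 \
        | sed 's/^[^=]*=//'
}

# 4) User key + certificate signed by the CA, then "PKCS#12 with certificate chain":
#    key, user cert and CA cert in one password-protected file.
issue_user_p12() {
    user="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$user/emailAddress=$user@example.invalid" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$user.csr" -days 365 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$user.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.pem" \
        -certfile "$WORK/ca-public.pem" -name "$user" \
        -passout "pass:$P12_PASS" -out "$WORK/$user.p12"
}

# 5) The "export, then re-import and look" check: what does the bundle contain?
p12_cert_count() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12_PASS" -nokeys -nodes 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
p12_has_key() {
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Run the whole flow for one constructed user.
make_root_ca
export_ca_cert
printf 'CA SHA-256 fingerprint (announce out of band): %s\n' "$(ca_fingerprint)"
issue_user_p12 alice
printf 'alice.p12 holds %s certificate(s)\n' "$(p12_cert_count alice)"
```

`export_ca_cert` fails if a private key ever ends up in the file meant for publishing, and `p12_cert_count` re-opens the bundle the way a re-import would, showing two certificates (user and CA) next to the key; those two checks are the command-line form of the "export and re-import" advice in this reply.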

       
    • stef_204
      2007-07-01

      >> I could upload the Root CA Cert to my website and give my clients the link (password protected)
      >> so they can visit that web page and click on cert to install it, etc.
      >No secret, no password needed.
      >But you should provide a Fingerprint of your CA cert via a different media
      >to allow the clients to verify the CA cert.

      *Chris, thanks so much for replying and helping me out.  I really appreciate it.*

      So how do I "provide a Fingerprint of your CA cert via a different media"? What do you mean by Fingerprint?

      >> Question: What format do I use to Export the Root CA Cert so I can post it on my site (without the private key I imagine)...?
      >PEM is usually understood by clients (without private key, of course)

      OK, so PEM.  BUT HOW do I export the Root CA as PEM without the private key?  I didn't see that as an option when choosing "export" (for the Root Cert) under Tab "Certificate"?  How do I ensure the cert is NOT exported WITH the private key?

      Perhaps I am confused as I should instead export the key (as opposed to Certificate)?  When exporting the "Key" (when I am in the "Private Keys" tab--NOT the "Certificates" tab), there I do see the option to "Export the Private Part of the Key too" that I could uncheck.  Is that what you mean?

      I am confused....

      >> What format do I use to export the user certs so I can make them available to my clients?
      >PKCS#12

      OK, that's clear.  Is that the Certificate itself or the Private Key or both?  (Sorry for this question but I am really new at this.)  I guess you are answering this question below where you mention "They are then part of the password protected PKCS#12"--so it looks like I need to export the user's certificate (with the private key).  Correct?

      >> What about the user certs' private keys? I generated those when creating the certs--perhaps that was a mistake?
      >They are then part of the password protected PKCS#12

      So here you mean when I export the CERT as PKCS#12, XCA asks me for a password to encrypt and that is what I email to my client--it contains the private key as well.

      >The other possibility was to ask the users to create a PKCS#10 request, import it, sign it and send back
      >the resulting certificate. This way you never saw the client's private key.

      Chris, that actually sounds much better as I do not see their key.  So for the client to create a PKCS#10 request, they obviously need to install XCA, correct?  And then email me the request, I then import it into my XCA, sign it, export it as PKCS#12 encrypted (as explained above) and email back to client?

      >> Can I email them their certs (encrypted) and tell them in person what the password is to open the cert?
      >Yes
      OK. Thanks.

      >> If so, how do I do this--what formats, etc.? 
      >Cert:PKCS#12 ; Password:phonebox or mobile :-)
      OK, no problems there.

      >> "Please generate a self-signed certificate and provide us with the certificate, CA certificate,
      >> RSA private key and we will install the certificate for your subdomain after you implement the dedicated IP."
      >> Makes sense?

      >No. If you have a self-signed cert, you don't have a CA cert.
      >If you want automatic trust from the visitors of your SSL site, you need a Thawte (example) signed certificate
      >with your hostname secure.mydomain.com as common name. Otherwise the user will see a warning.

      They will get the warning even if I have the clients install my XCA Root Cert in their browser under "Authority" prior to their visiting my http://secure.mydomain.com ?
      (Anyway, it looks much simpler to just email them their cert as PKCS#12 as you have said.)

       
      • > OK, so PEM. BUT HOW do I export the Root CA as PEM without the private key? I didn't see that as an option when
        > choosing "export" (for the Root Cert) under Tab "Certificate"? How do I ensure the cert if NOT exported WITH the private key?
        Use the PEM format in the certificate-export dialog. If unsure, export the format you _think_ is the correct one
        and reimport it and see what it contains (and then cancel the import dialog).
        If the export is not what you wanted, just delete the file.

        > Perhaps I am confused as I should instead export the key (as opposed to Certificate)? When exporting the "Key"
        > (when I am in the "Private Keys" tab--NOT the "Certificates" tab), there I do see the option to
        > "Export the Private Part of the Key too" that I could uncheck. Is that what you mean?
        No this is only the key and does not export the certificate.

        > I am confused....
        I see :-)

        > OK, that's clear. Is that the Certificate itself or the Private Key or both? (Sorry for this question but I am really new at this.)
        Both. And if you select "PKCS#12 with certificate chain" it additionally contains the root CA.
        Try the export/import "trick" and you will see...

        > I guess you are answering this question below where you mention "They are then part of the password protected PKCS#12"
        > --so it looks like I need to export the user's certificate (with the private key). Correct?
        correct.

        > So here you mean when I export the CERT as PKCS#12, XCA asks me for a password to encrypt and that is what I email to my client--it contains the private key as well.
        ACK

        > Chris, that actually sounds much better as I do not see their key. So for the client to create a PKCS#10 request,
        > they obviously need to install XCA, correct?
        XCA is one possibility. They could also use OpenSSL. MS IIS also uses PKCS#10 to retrieve an SSL certificate.
        So does cisco. But I think Outlook and the usual browsers don't support it, so they could use XCA then.

        > And then email me the request, I then import it into my XCA, sign it,
        correct
        > export it as PKCS#12 encrypted (as explained above) and email back to client?
        No, since you don't have the private key, you don't need to encrypt their certificate.
        You can simply send it back in PEM format.
        And the user has to import the cert from you into XCA and export it as PKCS#12
        to import it in their browsers.

        Maybe generating the Key for the user is easier for you and your users.

        > They will get the warning even if I have the clients install my XCA Root Cert in their browser
        > under "Authority" prior to their visiting my http://secure.mydomain.com ?
        No
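The PKCS#10 flow from this reply, as an added example with the OpenSSL command line (not XCA code and not from the thread's author): the user generates the key pair and a request on their own machine, only the request travels to the CA, the CA checks and signs it and returns a plain PEM certificate, and the user builds the PKCS#12 (with the CA certificate in the chain) locally. Two temporary directories stand in for the two machines; subjects, file names and the PKCS#12 password are constructed, and `openssl` on the PATH is assumed.

```shell
#!/bin/sh
# Added example (not XCA code): the "client creates a PKCS#10 request" flow.
# Two directories play the two machines so the CA side never holds the
# client's private key. Assumptions: openssl is installed; subjects and the
# PKCS#12 password are constructed for this demo.
set -eu

CA=$(mktemp -d)       # the administrator's machine
CLIENT=$(mktemp -d)   # the user's machine
P12_PASS='demo-p12-password'   # constructed; chosen by the user, never mailed

ca_setup() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj '/CN=Demo Root CA' \
        -keyout "$CA/ca.key" -out "$CA/ca.pem" 2>/dev/null
}

# Client side: key pair plus a PKCS#10 request. Only bob.csr leaves this directory;
# the grep confirms the request file itself carries no private key.
client_make_request() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=Bob/emailAddress=bob@example.invalid' \
        -keyout "$CLIENT/bob.key" -out "$CLIENT/bob.csr" 2>/dev/null
    ! grep -q 'PRIVATE KEY' "$CLIENT/bob.csr"
}

# CA side: verify the request's self-signature, sign it, return the cert as PEM.
# Nothing here needs a password, because no private key is being shipped back.
ca_sign_request() {
    cp "$CLIENT/bob.csr" "$CA/inbox.csr"           # the "e-mailed" request
    openssl req -in "$CA/inbox.csr" -noout -verify 2>/dev/null
    openssl x509 -req -in "$CA/inbox.csr" -days 365 \
        -CA "$CA/ca.pem" -CAkey "$CA/ca.key" -CAcreateserial \
        -out "$CA/bob-signed.pem" 2>/dev/null
    cp "$CA/bob-signed.pem" "$CLIENT/bob.pem"      # "e-mailed" back, plain PEM
    cp "$CA/ca.pem" "$CLIENT/ca-public.pem"        # CA certificate only, no key
}

# Client side: the returned certificate must chain to the CA cert and must
# belong to the locally generated key (compare the public keys).
client_check_cert() {
    openssl verify -CAfile "$CLIENT/ca-public.pem" "$CLIENT/bob.pem" >/dev/null 2>&1
    cert_pub=$(openssl x509 -in "$CLIENT/bob.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$CLIENT/bob.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Client side: key + cert + CA cert into one PKCS#12 for the mail client.
client_build_p12() {
    openssl pkcs12 -export -inkey "$CLIENT/bob.key" -in "$CLIENT/bob.pem" \
        -certfile "$CLIENT/ca-public.pem" -name 'Bob' \
        -passout "pass:$P12_PASS" -out "$CLIENT/bob.p12"
    [ -s "$CLIENT/bob.p12" ]
}

# The property the reply is after: everything the CA ever received from the
# client is inbox.csr, and it contains no key.
ca_never_saw_client_key() {
    ! grep -q 'PRIVATE KEY' "$CA/inbox.csr" && [ ! -e "$CA/bob.key" ]
}

ca_setup
client_make_request
ca_sign_request
client_check_cert
client_build_p12
ca_never_saw_client_key && printf 'CA side never held the client key; bob.p12 built on the client\n'
```

The price of this flow is the extra step on the user's side (a tool that can produce a PKCS#10 request and then build the PKCS#12), which is what the reply means by saying that generating the key for the user may be easier.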

         
    • stef_204
      2007-07-04

      >Use the PEM format in the certificate-export dialog. If unsure, export the format you _think_ is the correct one
      >and reimport it and see what it contains (and then cancel the import dialog).
      >If the export is not what you wanted, just delete the file.

      OK, got it on that.

      >No this is only the key and does not export the certificate.
      Understood

      >Both. And if you select "PKCS#12 with certificate chain" it additionally contains the root CA.
      >Try the export/import "trick" and you will see...

      I get it; choose the export "PKCS#12 with certificate chain".

      >Maybe generating the Key for the user is easier for you and your users.

      Absolutely.  That is what I will do.

      > They will get the warning even if I have the clients install my XCA Root Cert in their browser
      > under "Authority" prior to their visiting my http://secure.mydomain.com ?
      No

      So theoretically, I could post the cert on my website if I have them install my root CA cert in their browser as Authority; but emailing it will be easier.

      I will test this next couple of days and post back the results....
      Thanks!! :)

       
    • stef_204
      2007-07-11

      Chris,
      All the instructions you gave me above work just GREAT.
      Thanks so much!
      I will test live with a friend today and see if the whole setup works--I may not have created the Root CA properly, etc.; but that would be my fault :)
      I'll post results (hopefully successful) here.