Microsoft CA and Thunderbird
Some of you know my, uh, dislike for Microsoft products. Unfortunately, our (OpenSSL) CA at work expired, and since we’re helping clients use MS CA 2003, we figured our new CA would be an MS CA too. Apart from the major hassles my boss went through to install and configure it, it hasn’t been bad: once it’s installed and initially configured, creating certificate templates is easier than in OpenSSL. We also decided on separate signature and encryption certs, which is no problem and in fact pretty standard. The only problem is that signature certs are forcibly imported into CAPI with the private key marked as non-exportable, which is a big problem when you want to use the same cert in Firefox/Thunderbird (unless someone’s come up with a PKCS #11 interface for CAPI; if so, I want to know about it).
I managed to figure out a successful way of getting an exportable certificate (really, an exportable private key: the key is generated outside CAPI to begin with). Granted, this might not work on all MS CAs, because you might not have the option of submitting an advanced request, but we pretty much have the default settings other than our certificate template, and it worked for me.
This requires access to OpenSSL of some sort and (unfortunately) a Windows machine with IE. I happened to use Cygwin’s OpenSSL, since it’s on my workstation, which also gives me easy access to IE and Thunderbird. The IE requirement may be specific to our configuration: we’re set up with NTLM authentication so the CA issues us certificates immediately. YMMV.
First generate your private key and request (CSR) in OpenSSL. The CSR carries no validity period, the CA’s template decides that, so -days does nothing here (it only applies when openssl req builds a self-signed cert with -x509); the key size is given explicitly because the default differs between OpenSSL versions:
openssl req -new -newkey rsa:2048 -keyout mykey.key -out myrequest.csr
Browse to the CA’s web enrollment interface. Instead of choosing to “create and submit a request”, choose:
“Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
This lets you paste the request in or browse to a file. Paste in the contents of the myrequest.csr file we created with OpenSSL earlier (the whole block, including the BEGIN and END lines). Choose the other options, such as the certificate template, as appropriate to your situation.
Once the CA has issued your cert, download it in Base 64 format. You might also want to download it in DER format to import into CAPI if you need it there. Caution: the default filename is certnew.cer for both, so rename one of them.
Copy (or save) the Base 64 file into the same directory as your .key file. Now create the PKCS #12 file (.p12), which is the format most programs that need the key, including Firefox and Thunderbird, can import:
openssl pkcs12 -export -inkey mykey.key -in certnew.cer -out mycert.p12
Here certnew.cer is the Base 64 certificate you saved from the CA. If Thunderbird can’t build the chain to your CA on its own, add the CA’s certificate to the bundle with -certfile ca.cer.
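The whole OpenSSL side of the procedure above, as an added example that is not part of the original post. It adds the checks worth doing before trusting the result: that the request verifies under its own key, that the certificate the CA hands back actually wraps the key you generated, and that the bundle opens and contains the chain. The MS CA web enrollment step is manual in real life; here a throwaway OpenSSL CA stands in for it so the script runs offline. The subject name, the passphrase, the friendly name and the stand-in CA are all made up for the example; the file names (mykey.key, myrequest.csr, certnew.cer, mycert.p12) are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSL half of the
# procedure end to end. The MS CA web enrollment step is manual; the
# throwaway OpenSSL CA built by fake_ca_issue stands in for it so this
# runs offline. Subject, passphrase and friendly name are made up.
set -e

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"
PASS=${PASS:-changeit}   # key/bundle passphrase; in real use let openssl prompt instead

# Step 1: private key plus PKCS #10 request. No -days here: a CSR has no
# validity period, the CA's template decides that. The key stays encrypted
# on disk (no -nodes).
make_csr() {
  openssl req -new -newkey rsa:2048 -keyout mykey.key -out myrequest.csr \
    -passout "pass:$PASS" \
    -subj "/C=US/O=Example Corp/CN=Jane Doe/emailAddress=jane@example.com" \
    2>/dev/null
  # the request must verify under its own public key before we submit it
  openssl req -in myrequest.csr -noout -verify >/dev/null 2>&1
}

# Stand-in for "Submit a certificate request by using a base-64-encoded ...
# PKCS #10 file" followed by "download as Base 64". Constructed for this
# example only; with a real MS CA you paste myrequest.csr into the web form
# and save the Base 64 download as certnew.cer.
fake_ca_issue() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
    -days 365 -subj "/O=Example Corp/CN=Example Issuing CA" 2>/dev/null
  openssl x509 -req -in myrequest.csr -CA ca.cer -CAkey ca.key \
    -CAcreateserial -days 365 -out certnew.cer 2>/dev/null
}

# Step 2: before bundling, prove the certificate the CA handed back really
# wraps our key by comparing DER public keys (works for RSA and EC alike).
cert_matches_key() {   # usage: cert_matches_key cert.pem key.pem
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  b=$(openssl pkey -in "$2" -passin "pass:$PASS" -pubout -outform DER | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Step 3: the PKCS #12 bundle. -certfile adds the issuing CA so Thunderbird
# can build the chain; -name is what its certificate manager will display.
make_p12() {
  openssl pkcs12 -export -inkey mykey.key -passin "pass:$PASS" -in certnew.cer \
    -certfile ca.cer -name "Jane Doe (S/MIME)" -out mycert.p12 -passout "pass:$PASS"
}

# How many certificates the bundle carries (leaf + issuing CA = 2 here).
p12_cert_count() {
  openssl pkcs12 -in mycert.p12 -passin "pass:$PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_csr
fake_ca_issue
cert_matches_key certnew.cer mykey.key || { echo "certnew.cer does not match mykey.key" >&2; exit 1; }
make_p12
echo "wrote $WORK/mycert.p12 with $(p12_cert_count) certificate(s); guard it like the private key"
```

To use this against a real MS CA, drop the fake_ca_issue call, paste myrequest.csr into the web form, save the Base 64 download as certnew.cer and the CA’s own certificate (the web enrollment page offers it for download) as ca.cer, then run the remaining steps. The key-match check is the one worth keeping even if you type the commands by hand: a wrong certnew.cer (say, the DER download, or last year’s cert) fails loudly here instead of producing a bundle Thunderbird accepts but cannot sign with.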
You now have an exportable key and certificate. Keep in mind, though, that this isn’t always the best idea. There’s a reason the private key is marked non-exportable: a key that can leave the machine can be copied by malware or by a careless user, and a copied signing key means somebody else can sign as you. Think about that before you override that protection willy-nilly.
WARNING: the .p12 file you created contains your private key. Guard it as you would your private key, and delete it once it’s imported unless you deliberately want it as a backup.