no option to export Certificate private key

Guest

Hi,

I am new to learning how to set up MS Certificate for Cisco VPN client. The MS
Certificate runs on Windows 2000 AD with 1 way trust with NT 4 domain. Cisco
VPN client is authenticated against Cisco Radius Server which looks up the
external database from NT 4 domain.

VPN clients are able to request a new certificate from MS Certificate
server & logon successfully. BUT, what disappoints me is the generated
certificate from user's machine is not transferable to another PC. My
preference is to prevent users from creating their own certificate. I wish all
certificates to be created & controlled by the administrator. I can export
the certificate but I am unable to export the user's private key. I guess
that's the reason why the certificate is not transferable between machines.
Am I right? But what's wrong with my configuration - why is the option of
exporting the private key not enabled?

Thanks heaps to whoever that can guide me from here.

Cheers.
Seekr01
Steven L Umbach

You would not want to export the certificates/private keys anyhow - they are issued
to computer names as shown on the certificate. You can control which computers get
certificates by enabling auto enroll at the OU level where you put the computers you
want to receive a machine certificate, even temporarily, and you can also control which
computers receive certificates by configuring security on the certificate template in
AD Sites and Services, where you have to select view/show services node first. Then,
for example, go to the machine template and view properties/security, where you will
see that domain computers have the enroll permission. You could add domain computers
to a global group that you want to receive that certificate and replace domain
computers with your global group for enroll permissions. -- Steve
Guest

Steve, thanks very much for your assistance. If we cannot export the private
key, does it mean the machine needs to request a new certificate if one day
it crashes and hence needs rebuilding? I always treat the export function as some
sort of "backup/restore" purpose too - as I have seen many online documents
about exporting keys.
Rgds,
Seeker01
Steven L Umbach

Of course a full backup would be a way to restore your certificates. A
System State backup might back up machine certificates, I am not 100 percent
sure. Most certificates can simply be requested again if the machine crashes
and not cause a problem. The BIG exception that you may be referring to is
certificates used to encrypt and decrypt files such as for EFS. EFS private
keys are by default exportable to a password protected .pfx file and SHOULD
be exported because if a computer crashes and there are EFS files on it you
can lose permanent access to your encrypted EFS files if you do not have the
original private key to restore to the operating system. --- Steve
Avi Ben-Menahem [MSFT]

A few clarification questions:
1. How are you doing the enrollment?
2. What template are you using?
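The two questions above go to the heart of the thread: whether a private key can be exported is decided by the template the certificate was enrolled from, and the greyed-out export option is the result. The script below is an added example, not from the thread or from Microsoft: it reads the template's exportable-key flag from Active Directory and reports, for each certificate in the local machine store, whether its private key is marked exportable (the check a defender wants before deciding what needs backing up, as in the EFS case). It assumes a domain-joined Windows host with Windows PowerShell 5.1 and read access to the Configuration partition; the template name `Machine` is the thread's example, and version 1 templates of the Windows 2000 era carry no `msPKI-Private-Key-Flag` attribute because their exportability is fixed by definition.

```powershell
# Added example (not the thread's or Microsoft's code). Read-only: reports key exportability.
param([string]$TemplateName = 'Machine')   # template name from the thread; adjust as needed

$CT_FLAG_EXPORTABLE_KEY = 0x10   # bit in msPKI-Private-Key-Flag: "Allow private key to be exported"

function Get-TemplateExportSetting {
    param([string]$Name)
    try {
        $rootDse = [ADSI]'LDAP://RootDSE'
        $path = "LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services," +
                $rootDse.configurationNamingContext
        $flags = ([ADSI]$path).Properties['msPKI-Private-Key-Flag'].Value
    } catch { return "template '$Name' not found or not readable" }
    if ($null -eq $flags) {
        # v1 (Windows 2000) templates have no flag: exportability is fixed and not editable.
        return 'v1 template: exportability fixed by built-in definition'
    }
    return (([int]$flags -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
}

function Get-KeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    try {
        $key = $Cert.PrivateKey                          # legacy CAPI (CSP) keys
        if ($key -and $key.CspKeyContainerInfo) { return $key.CspKeyContainerInfo.Exportable }
    } catch { }                                          # CNG-backed keys land here
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $policy = $rsa.Key.ExportPolicy                  # CNG (KSP) keys expose an export policy
        return (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
    }
    return 'unknown (non-RSA or inaccessible key)'
}

"Template '$TemplateName' allows export: $(Get-TemplateExportSetting $TemplateName)"

# Template name lives in the v1 (..20.2) or v2 (..21.7) certificate template extension.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $tplExt = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2','1.3.6.1.4.1.311.21.7' }
    [pscustomobject]@{
        Subject    = $_.Subject
        Template   = if ($tplExt) { ($tplExt | Select-Object -First 1).Format($false) } else { '' }
        Exportable = Get-KeyExportability $_
    }
} | Format-Table -AutoSize
```

Run it from an elevated session so the machine key containers can be opened; a key reported as not exportable is a protective property of the template, and the thread's advice to simply re-enroll after a rebuild applies to it.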
Guest

Dear all,

I know how to enable the export option now. Thanks very much for your help.

Rgs,
Seeker01