Problem when requesting SSL certs with Vista......

mlai

Just an observation:
I tried obtaining SSL certs with Vista through Thawte (their free personal
email certs). I had to put www.thawte.com in a Trusted Zone and disable
Protected Mode for the Trusted Zone for it to work. However, when I import
the issued certificates, I do not get an option to mark the private key as
exportable, and consequently I cannot export the cert for backup and
installation on my laptop.

If I request the cert from XP SP2 (also IE7), I can mark the cert as
exportable and can export the cert in PFX format to be used on another
machine. The process is completely identical, but it works on XP SP2 and not
on Vista RTM (I am on x64).

Can anybody shed some light on this? It will be a major problem as I will
be moving to a pure Vista environment soon for my home network (which has 7
machines......)

Please help.
TIA.
 
mlai

I think the problem is bigger than just Thawte. StartCom fails, as well as
others where you can make requests for a cert to be issued via the browser.
So for the moment, the solution to requesting personal certs seems to be
either:

1) Request via an XP machine, export a P12/PFX version of the cert and
manually import it into Vista (can be Class 1 or Class 2),
or
2) Do it via a completely manual route (paper form to an official CA like
government-sanctioned ID services) and physical appearance at
collection..... (which will make the cert Class 2, which in turn almost
always means no freebies.......)
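The first workaround above ends with a manual import of the XP-exported PFX into Vista. The PowerShell script below is an added example, not code from the thread or from any CA: it loads the PFX with the Exportable key-storage flag so the private key written into the Vista user's key container stays exportable, adds the certificate to the personal store, and then reads the store back to confirm the key is exportable. The PFX path, password and subject are placeholders; the import targets CurrentUser\My, so it runs unelevated under the mail user's own account.

```powershell
# Added example (not from the thread): import a PFX exported on XP into the
# Vista user's personal store so the private key stays exportable, then verify.
# Path and password below are assumptions for illustration.

$pfxPath  = 'C:\backup\mlai-email.pfx'   # assumed: PFX exported on the XP box
$password = 'change-me'                  # assumed: password chosen at export time

# Ask the CSP to keep the key exportable and to persist it in the current
# user's key container. Without Exportable the key is stored non-exportable
# and no later "mark as exportable" is possible for that key.
$ksf   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$flags = $ksf::Exportable -bor $ksf::UserKeySet -bor $ksf::PersistKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
             $pfxPath, $password, $flags)

# Personal store of the current user: no UAC elevation is needed for this.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Re-read the certificate from the store and report whether its key is exportable.
function Test-KeyExportable([string]$thumbprint) {
    $c = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($c -eq $null -or -not $c.HasPrivateKey) { return $false }
    # For CSP-backed RSA keys PrivateKey is an RSACryptoServiceProvider,
    # whose CspKeyContainerInfo reflects the flag set when the key was created.
    return [bool]$c.PrivateKey.CspKeyContainerInfo.Exportable
}

"Imported $($cert.Subject) ($($cert.Thumbprint))"
"Private key exportable: $(Test-KeyExportable $cert.Thumbprint)"
```

Test-KeyExportable is also a quick way to check a certificate that was obtained through the browser: if it reports False, the key was generated non-exportable at request time and the only recovery is to request a new certificate with an exportable key.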
 
mlai

Come to think of it, it probably has a lot to do with how Vista handles
security instead of how these CAs issue certificates. Looking at the
flow, the private key was generated by various flavors of MS cryptographic
services. The private key is probably saved on the requesting machine
somewhere and also related to the issuing CAs.

Here comes the potential problem. In Vista, you have to jump through loops and
hoops to import certs, in the sense that you need to get past the UAC prompt,
which temporarily changes the account credentials to achieve administrator
permissions.

The importing process probably broke down somewhere here as the account
requesting the cert is not the same as the one to import the cert and thus
when the cert is imported, it doesn't see the private key generated via the
user account. If that is the case, the cert importing component probably
assumed that the account (the admin account) does not have the private key
corresponding to the cert and thus does not present the Mark Private Key as
exportable option.

Once the cert is imported, viewing the cert does not require admin
permission, and thus the user can see (or rather Vista can see) the
corresponding private key (for the user account) matching the cert, so it
correctly mentions that "you have a private key corresponding to this
cert....." blah blah blah. However, because the user cannot explicitly mark
the private key as exportable during the import process, the private key by
default is made not exportable.

This will be a huge issue with online issuing cert services for personal
uses. I have not tried requesting services related (IIS) certs from Vista
yet. With my experience with personal certs importing/exporting problems, I
probably won't at this stage..........

Another MS added "feature" to disable what is a perfectly fine process in
previous products.......
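The post above works through where the private key comes from: it is generated on the requesting machine by a Microsoft CSP, stored in that user's key container, and its exportability is fixed at generation time, not at import time. The script below is an added example, not from the thread or from any CA, of taking the key generation out of the browser: it writes a certreq .inf with Exportable = TRUE, generates the key and a PKCS#10 request with certreq.exe, binds the CA's issued .cer to the pending key with certreq -accept, and exports a PFX for the other machines. The subject, file names and password are placeholders, and the CSR is assumed to be submitted to the CA's web form by hand; generate, accept and export must all run as the same Windows user, since that is whose key container holds the key.

```powershell
# Added example (not from the thread): request the e-mail cert with certreq
# instead of the CA's browser script, so the key is created locally with
# Exportable = TRUE, then bind the issued .cer and export a PFX for the laptop.
# Subject, file names and password are assumptions for illustration.

$workDir = 'C:\certreq'
$null = New-Item -ItemType Directory -Path $workDir -Force

# certreq .inf: the Exportable line is the option the IE flow on Vista never offers.
# KeySpec 1 = AT_KEYEXCHANGE so the key can both sign and decrypt S/MIME mail;
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; EKU = secure e-mail.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "E=mlai@example.com, CN=mlai"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
ProviderType = 24
RequestType = PKCS10
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.4
'@
Set-Content -Path "$workDir\request.inf" -Value $inf -Encoding ASCII

# 1. Generate the key and the PKCS#10 request. The key lands in the current
#    user's CSP key container flagged exportable; a pending request appears
#    under Cert:\CurrentUser\REQUEST until the issued cert is accepted.
& certreq.exe -new "$workDir\request.inf" "$workDir\request.csr"

# 2. Paste request.csr into the CA's CSR submission form and save the issued
#    certificate as issued.cer in $workDir, then run the script again:
if (Test-Path "$workDir\issued.cer") {
    # Bind the issued certificate to the pending key (same user, same machine).
    & certreq.exe -accept "$workDir\issued.cer"

    # 3. Export certificate plus private key to PFX. Export() throws
    #    "Key not valid for use in specified state" when the key was
    #    created non-exportable, which is the failure the thread describes.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.HasPrivateKey -and $_.Subject -like '*CN=mlai*' } |
            Select-Object -First 1
    $pfxBytes = $cert.Export(
        [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
        'change-me')    # assumed: PFX password for transport to the laptop
    [System.IO.File]::WriteAllBytes("$workDir\mlai-email.pfx", $pfxBytes)
    "Exported $($cert.Thumbprint) to $workDir\mlai-email.pfx"
}
```

Nothing here needs the UAC prompt: certreq with MachineKeySet = FALSE writes to the user's own key container and personal store. The PFX should be treated as the private key itself (keep it off shared folders and delete the copy once the other machines have imported it).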
 
Guest

Hello Mlai,

Curiosity has got the best of me: what is your intended purpose for
importing free certs from Thawte?

I am reluctant to share suggestions without knowing your desired outcome.
 
mlai

Secured email. I try to sign all the emails that I send to people so that
my friends and business associates know that the message is genuinely from
me.
 
Guest

Mlai,

Not certain, but it appears that "free" certificates might be a part of
history, hence the real source of your conflict.

Although one site from the previously provided link does offer free certs
for "personal" use.
 
Guest

Sounds oddly similar to the problem I've got, under the heading: SSL problems
with Vista. Only solution I've got is to keep an XP/2003 machine around and
export from that one, which is obviously a PITA. And we're using 32-bit.

I just can't figure it out, I thought it must be some weird GPO setting but
I tried completely disabling all GPOs and it still doesn't work. But yet on
XP SP2/2003 SP1 with IE7, it all works fine.

Is there some fundamental difference in the way Vista handles CAs and
certificates?

Steve.
 
Haitao Li

I just checked the Comodo web site and their script does not support Vista yet,
so it's probably a different problem.

mlai: is the problem with Thawte's SSL or email cert? I got a little
confused by your post. Do you remember which file format was sent back from
the Thawte server? .cer or .pfx?
 