Geekzone: technology news, blogs, forums
fran1942

82 posts

Master Geek

Trusted

#169715 23-Mar-2015 20:45
Send private message

If I have a Windows server with Certificate Services installed and I want to export a certificate for use on another Windows server, how does this work?
I thought each server certificate was particular to that server, i.e. it identifies that specific server. So, at what point do you specify that the certificate to be exported will have to identify another server?

So in other words, you have a certificate on a root CA which identifies that server. So how can you then export that certificate to a secondary server and have it identify that server?

Thanks for any clarification.

timmmay
20371 posts

Uber Geek

Trusted
Lifetime subscriber

  #1266263 23-Mar-2015 21:22
Send private message

I'm not sure I'm with you. I'm probably a bit fuzzy in this area, so it wouldn't hurt to brush up. Can you explain what you're trying to achieve rather than how you're trying to achieve it?

Your CA issues a certificate for a server hosting a domain - or I guess for server identification for SSH and such. If you want to run a cluster of servers for the domain I guess you can put the certificate onto all web servers that are load balanced.

If you want to have a second domain you need a new certificate. If you want to identify a different server you need a different certificate.

As I said above, tell us what you're trying to achieve rather than your method; you might get a more useful reply. Also remember that while I have some background in this, I haven't used it in ages.

fran1942

82 posts

Master Geek

Trusted

  #1266288 23-Mar-2015 21:47
Send private message

Hi there, thanks for that. I am really after a conceptual understanding, not a practical example.

So your CA issues certificates to your individual web servers and your clients have the public cert.
When the clients present their public certs they want to prove the identity of the individual web server they are connected to.
How do they do this?

Thank you kindly.

wasabi2k
2094 posts

Uber Geek


  #1266328 23-Mar-2015 23:00
Send private message

Certificates operate on a chain of trust.

At the root of that chain is a root CA. This can be either a corporate CA at your workplace, or an online one like Verisign, GoDaddy etc. If the CA certificate is in your computer's trusted Root CA store, your PC will trust any and all certificates issued by it, or its intermediate CAs.

Every certificate has 2 components - a private key and a public key. The public key is just that, public. When you go to https://www.bank.com, your browser checks the certificate has been issued by a valid CA, then downloads the public key. It encrypts your request with that public key.

The private key is also just that, private. The server in question decrypts the traffic that has been encrypted with the public key, using the private key to get plaintext data. The private key must be kept private and secured appropriately.

Now as to how they work, each certificate has one or many (as in a UCC or SAN certificate) subject names. This is usually an FQDN like www.banana.com, or server.domainname.com. If the subject name does not match the address you are requesting you will get an error, e.g. if you go to www.banana.com and the certificate subject is secure.banana.com, you will get an error.

Now in Windows world - you have a lot of auto-enrolled certs, which are for users and computers and they enrol themselves automatically using their computer names like computer1.domain.local. These don't tend to be used across multiple machines.

However in the online/web world, you will have lots of servers/devices with the same SSL certs.

To achieve this you must export the certificate with private key - then import both certificate and private key at the other end. This is an option when you export the certificate using the Certificates MMC snap-in.
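As an added example (not code from the thread or from Microsoft), the following PowerShell run on the server that holds the certificate shows the pieces wasabi2k describes: the subject/SAN names the certificate identifies, the issuer it merely refers to, the chain of trust built up to a root in the machine's Trusted Root store, and the host-name check a browser performs. It assumes the certificate sits in the local machine's Personal store; www.banana.com is the constructed host name from the post.

```powershell
# Added example, not from the thread. Assumes the server certificate is in
# Cert:\LocalMachine\My; the host name is the constructed example from the post.

$HostName = 'www.banana.com'   # constructed example

# Select the certificate by the name it identifies. DnsNameList is PowerShell's
# view of the certificate's CN and Subject Alternative Names.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $HostName) } |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key for $HostName found in LocalMachine\My"
}

# Subject = what the certificate identifies (a service name, not a machine).
# Issuer  = which CA vouched for it; the CA is referred to, not identified.
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"SANs    : $($cert.DnsNameList.Unicode -join ', ')"
"Expires : $($cert.NotAfter)"

# Walk the chain of trust: leaf -> intermediate CA(s) -> root in the machine's
# Trusted Root store. Revocation checking is disabled so this runs offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Chain trusted: $trusted"
foreach ($element in $chain.ChainElements) {
    "  -> $($element.Certificate.Subject)"
}
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation)" }
}

# The check a browser does: is this certificate valid for this host name under
# the SSL policy? Test-Certificate is part of the PKI module (Windows 8 /
# Server 2012 and later). A certificate for secure.banana.com would fail here.
$valid = Test-Certificate -Cert $cert -DNSName $HostName -Policy SSL -ErrorAction SilentlyContinue
"Valid for $HostName : $valid"
```

Run it on a server that has a certificate issued for a different name than the one you pass in `$HostName` and the last line reports `False`, which is the same mismatch the post describes for www.banana.com versus secure.banana.com.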





Zeon
3912 posts

Uber Geek

Trusted

  #1266346 24-Mar-2015 00:43
Send private message

A certificate is usually tied to a domain name e.g. https://example.com would denote example.com has an SSL certificate that was issued by an organisation where the chain of trust would end in some pre-installed root certificate on your computer (which ships with Windows). Keep thinking chain of trust - if you have the root CA on your machine (most are pre-installed like Verisign, Comodo etc.) and the company with the root has issued a certificate for any domain it will be trusted.

The key thing in certificates is the public/private key combo. Typically your server will have the private key and the public key is visible to the clients. To move certificates in Windows, the easiest way is to run start->run and type in "mmc". Then add the "certificates" snap-in. Find your certificate, right click and export. Ensure you include the private key and it usually goes to .pfx format, which can be re-imported using the same snap-in on another machine.
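As an added example (not code from the thread or from Microsoft), this is the PowerShell equivalent of the MMC "export with private key" step Zeon describes, followed by the matching import on the second server. The first half runs on the server that already has the certificate, the second half on the server receiving it. The host name www.banana.com is the thread's constructed example and the .pfx path is a placeholder; it assumes the private key was marked exportable when the certificate was enrolled.

```powershell
# Added example, not from the thread. Host name is the constructed example
# from earlier in the thread; the PFX path is a placeholder.

$HostName = 'www.banana.com'                 # constructed example
$PfxPath  = 'C:\Temp\www-banana-com.pfx'     # placeholder path

# --- On the first server (the one that already has the certificate) ---

# Select the certificate by the name it identifies and confirm the private key
# is present; without it the other server could verify, but not serve, the cert.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $HostName) } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $HostName in LocalMachine\My" }

# The key must have been marked exportable at enrolment; if it was not,
# Export-PfxCertificate fails and the certificate has to be re-issued.
# BuildChain bundles the issuing CA certificates into the .pfx as well.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
"Exported $($cert.Thumbprint) to $PfxPath"

# --- On the second server, after copying the .pfx across ---
# The file contains the private key: treat it like a password in transit and
# delete it as soon as the import succeeds.

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
Remove-Item $PfxPath

# Same thumbprint, same subject, same issuer as on the first server: nothing
# about the certificate was re-written for the new machine. It still identifies
# www.banana.com and still refers to the CA that issued it; what changed is that
# this server now also holds the private key and can answer for that name.
"Thumbprint : $($imported.Thumbprint)"
"Subject    : $($imported.Subject)"
"Issuer     : $($imported.Issuer)"
"Private key: $($imported.HasPrivateKey)"
```

Compare the thumbprint printed on each server: it is identical, because a certificate is bound to the names in its subject and to the issuing CA, not to the machine whose store it happens to live in.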


fran1942

82 posts

Master Geek

Trusted

  #1266408 24-Mar-2015 08:33
Send private message

thanks guys, I am almost there. Regarding these comments:

"Now in Windows world - you have a lot of auto-enrolled certs, which are for users and computers and they enrol themselves automatically using their computer names like computer1.domain.local. These don't tend to be used across multiple machines.
However in the online/web world, you will have lots of servers/devices with the same SSL certs.
To achieve this you must export the certificate with private key - then import both certificate and private key at the other end. This is an option when you export the certificate using the Certificates MMC snap-in."

So when a root CA 'exports' the cert, and the secondary server 'imports' the cert, does this re-identify the certificate as belonging to the secondary server that is importing it?
i.e. now the cert can be used to identify the secondary server rather than the original root CA server?

Thanks kindly.

timmmay
20371 posts

Uber Geek

Trusted
Lifetime subscriber

  #1266409 24-Mar-2015 08:36
Send private message

I suggest you read up on certificate chains. Certificates refer to the root CA server, they don't identify it as such.
