Last post Sep 20, 2009 06:18 AM by aliw
Aug 20, 2008 12:48 PM|My Crystal|LINK
sorry if this is not the right forum for this question.
i want to know where the private key of a certificate is. If it is stored in the certificate file, how to extract it from the certificate in .NET programming.
Please enlighten me, thank you.
Aug 20, 2008 03:34 PM|mgodoy_desenv|LINK
The private key is inside of certificate storage of some profile. It can be in a file too, but it is not much secure.
Take a look to my post at http://forums.asp.net/t/1248449.aspx to know how you can read the private key. But I advise you to read something about that subject. It can be complicated. First of all, you must
have a Primary Key Infrastructure (know as "PKI") to give to someone a secure certificate with a Primary Key.
Sorry about my English. I don´t speak it so much.
security - server certificate
Aug 21, 2008 09:17 AM|My Crystal|LINK
thanks for your reply.
It seems that the private key can be stored in many place, the certificate file itself is not the only place, right?
But i still don't understand if i buy a certificate from a CA, how does the CA give me the private key, is it contained in the certificate file?
i use makecert.exe in .net framework to generate a test certificate. Then i write the following code to try to check the private key, but it is null.
//Reads a file.
internal static byte ReadFile (string fileName)
FileStream f = new FileStream(fileName, FileMode.Open, FileAccess.Read);
int size = (int)f.Length;
byte data = new byte[size];
size = f.Read(data, 0, size);
//Main method begins here.
static void Main(string args)
X509Certificate2 x509 = new X509Certificate2();
//Create X509Certificate2 object from .cer file.
byte rawData = ReadFile("d:\\cert.cer");
object privateKey = x509.PrivateKey;
Aug 21, 2008 01:14 PM|mgodoy_desenv|LINK
I don´t know much about certificates, but I know something. In my experience, I have used certificate authority of Windows Server. It can be installed through of CD. To issue a certificate, you need:
After that, ask to client to check is the private key is installed. Ask to open mmc console and select "certificates" in plug-in options. Exist a lot of storages in a tree. Will be easy to find the certificate if the user choice a frieldy name. Open the
certificate, he will see a little observation saying that the private key is contained.
Sep 20, 2009 06:18 AM|aliw|LINK
The usual sequence is this:
An application generates a private/public key pair. The private key is securely stored and the PUBLIC key only is sent to the certificate authority (CA).
The CA then does appropriate checking of the request (based on its own policies) to verify that the request is genuine and that you are entitled to recieve the type of certificate you have requested. This 'checking' can be automated (for example with an
Enterprise CA set up on a Microsoft server) or manual (for example, the administrator of a stand-alone CA on a Microsoft Server)
If the request is approved, the certificate is generated and contains your public key and is then digitally signed by the CA. This allows the certificate to function as way of distributing your public key to anyone you want. As long as the reciepient trusts
the CA, and the digital signature on your certificate appears to be correct, they can accept the certificate as genuine and then extract your public key from it.
As you see from this description, normally the PRIVATE key does not leave your computer. It is NOT sent to the CA. It is not placed inside the certificate.
So where is it? It is placed in a secure part of your user profile (at least on Microsoft operating systems) OR it can be stored on devices like smart cards. IT is the
application that generated the private/public key pair in the first place that can give you access to the private key. Its not in the certificate.