Q: I need to export a certificate and private key from my Windows machine and need to share these with the different administrators of our branch offices, so they can import them on one of their local member servers. What’s the most secure and easy way to do this?
A: Since the early days of Windows PKI Microsoft allows you to export a certificate and its private key to a PKCS#12-formatted file (*.pfx). This file is protected using a password that must be provided when importing the certificate and its private key. Sharing this password between different administrators can create practical and security challenges. For example, how will the password be shared: via email, verbally, or another out-of-band mechanism?
In Windows 8 and Windows Server 2012 it is now possible to select an AD account to protect the PKCS#12-formatted files. This means that it sufficient to be logged on using the selected account or with an account that is a member of the selected AD group account to unlock the content of the PKCS#12 file and import it. For this purpose Microsoft has modified the Windows 8 and Windows Server 2012 certificate export and import wizards and dialogs to allow you to specify an AD user or group account to secure the access to the PKCS#12 file. Under the hood the certificate export wizard still generates a password to protect the PKCS#12 file: the only difference is that the password is now randomly and automatically generated by the wizard and then securely stored in the PKCS#12 file using a secret that is linked to the selected AD user or group account.
This feature only works when the certificate and private key are exported to a PKCS#12 file from a Windows 8 or Windows Server 2012 or later machine. The client machine must also be joined to an AD domain that has a Windows Server 2012 DC. To also allow the file to be imported on older Windows systems, the new certificate export wizard supports the protection of the PKCS#12 file by both the new and the old mechanism. This means you can as well select an AD user or group account, and enter a password to secure the file. You can also specify more than a single user or group account to protect the file.
More information on this feature can also be found in this Microsoft Technet article: http://social.technet.microsoft.com/wiki/contents/articles/13922.certificate-pfx-export-and-import-using-ad-ds-account-protection.aspx.
Jan De Clercq is a member of HP’s Technology Consulting IT Assurance Portfolio team. He focuses on cloud security, identity and access management, architecture for Microsoft-rooted IT infrastructures, and the security of Microsoft products. He's the author of Windows Server 2003 Security Infrastructures (Digital Press) and coauthor of Microsoft Windows Security Fundamentals (Digital Press) and Cloud Computing Protected: Security Assessment Handbook
(Recursive Press). You can reach him at [email protected]