4

I've been trying to understand something. When you generate a CSR from IIS, how is the private key kept as a secret, or is it? Do CA's email you a certificate that includes your private key? Because nothing seems to tell me otherwise, and nobody should know your private key but you. Instructions to generate a CSR from IIS typically go like this: http://www.digicert.com/csr-creation-microsoft-iis-8.htm

Alexandru
  • 175
  • 7

1 Answers1

5

A certificate, properly named, does not include a private key. A certificate contains a public key, and an identity, and is signed by a Certification Authority. Unfortunately, a number of widespread documentations use the term "certificate" to designate the combination of a certificate and the corresponding private key; this spreads confusion.

A certificate request (so-called "CSR") contains only the public key, not the private key. When IIS generates a CSR, it actually generates a new key pair (public and private key), then wraps the public key into the certificate request and signs it using the private key. The private key does not go anywhere; the CA never sees it. When the CA receives the CSR, it takes the public key from it, puts it into a certificate that it signs, and sends back. At no point does the private key leaves your machine, and that is how things should be done.


Now some CA insist on generating the private/public key pair themselves, and sending both the private key and the certificate to you. This makes things technically simpler for the CA, but entails potential security issues, because then the CA also has a copy of the private key, and the private key has somehow to travel back to you. Usually, a PKCS#12 archive (aka "PFX file") is used, because that format includes password-based protection.

CA-side private key generation can be a good idea when the private key is used for encrypting data permanently (e.g. a private key for encrypted emails), because loss of that key implies loss of data. Thus, that kind of private key should be backed up, and the CA is a nice central place for such backups. However, this does not apply to SSL, where the private key is used only transiently for connection establishment. Therefore, when the certificate is for IIS, then server-side private key generation should be used, and that's what IIS does.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • I'm still confused about something. You explained that IIS generates public and private key pair, and that certificate authorities sign a CSR that has a public key signed from our private key, but how does that actually work thereafter? I mean, does IIS reintroduce the private key into the certificate? I'm guessing no, because you said a certificate doesn't have a private key, but then how does the underlying encryption work when someone tries to establish a secure communication channel to my server using RSA if the certificate has no private key for decryption? – Alexandru Aug 03 '14 at 13:42
  • A certificate never contains a private key. IIS _uses_ the private key as part of the SSL protocol, and _also_ sends the certificate to the client. The client learns the server's public key from the certificate, and uses it "mathematically". See [this answer](http://security.stackexchange.com/questions/6290/how-is-it-possible-that-people-observing-an-https-connection-being-established-w/6296#6296) and then [that one](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work/20847#20847). – Thomas Pornin Aug 03 '14 at 13:52
  • Okay, but if a certificate doesn't contain a private key, where does IIS store that private key, and how does it know to associate that private key with that certificate? – Alexandru Aug 03 '14 at 13:54
  • 2
    The private key is stored where Windows does such storage (in the "Cryptographic Service Providers"), where it has a unique (randomly generated) name. IIS (in fact, Windows) also keeps around a copy of the CSR around in a dedicated certificate store, with a link (by name) to the private key. When the CA sends the certificate back, Windows notices that the public key in the certificate matches that of the saved CSR, and thus can store the certificate in a certificate store with the same link (still by name) to the private key. – Thomas Pornin Aug 03 '14 at 13:56
  • And the server essentially has to pull this private key and use it every time the server needs to do a key exchange with a new client? Thanks by the way, that's exactly what I was looking for. – Alexandru Aug 03 '14 at 14:01
  • Hey Thomas, I wrote an article on all of this: http://www.dima.to/blog/?p=133 Could you please have a quick look and tell me if its accurate? – Alexandru Aug 03 '14 at 14:48