Problem when requesting SSL certs with Vista......

Just an observation:
I tried obtaining SSL certs with Vista thru Thawte (their free personal
email certs). I had to put www.thawte.com in a Trusted Zone and disable
protected mode for the trusted zone for it to work. However, when I import
the issued certificates, I do not get an option to mark the private key as
exportable and consequently, I cannot export the cert for backup and
installation on my laptop.

If I request the cert from XPSP2 (also IE7), I can mark the cert as
exportable and can export the cert in PFX format to be used on another
machine. The process is completely identical but it works on XPSP2 but not
Vista RTM (I am on x64).

Can anybody shed some light on this? It will be a major problem as I will
be moving to a pure Vista environment soon for my home network (which has 7
machines......)

Please help.
TIA.

I noticed the same problem, and Thawte seems to be aware of it. It is really
up to them to rewrite their request page so it works. Some of the hardening
in IE on Vista must be breaking it.

"mlai" wrote:

> Just an observation:
> I tried obtaining SSL certs with Vista thru Thawte (their free personal
> email certs). I had to put www.thawte.com in a Trusted Zone and disable
> protected mode for the trusted zone for it to work. However, when I import
> the issued certificates, I do not get an option to mark the private key as
> exportable and consequently, I cannot export the cert for backup and
> installation on my laptop.
>
> If I request the cert from XPSP2 (also IE7), I can mark the cert as
> exportable and can export the cert in PFX format to be used on another
> machine. The process is completely identical but it works on XPSP2 but not
> Vista RTM (I am on x64).
>
> Can anybody shed some light on this? It will be a major problem as I will
> be moving to a pure Vista environment soon for my home network (which has 7
> machines......)
>
> Please help.
> TIA.
>

Come to think of it, it probably has a lot to do with how Vista handles
securities instead of how these CA issues certificates. Looking at the
flow, the private key
was generated by various flavors MS cryptographic services. The private key
is probably saved on the requesting machine somewhere and also related to
the issuing CAs.

Here comes the potential problem. In Vista, you have to jump thru loops and
hoops to import certs in the sense that you need to get pass the UAC prompt
which temporarily changes the account credentials to achieve administrator
permissions.

The importing process probably broke down somewhere here as the account
requesting the cert is not the same as the one to import the cert and thus
when the cert is imported, it doesn't see the private key generated via the
user account. If that is the case, the cert importing component probably
assumed that the account (the admin account) does not have the private key
corresponding to the cert and thus does not present the Mark Private Key as
exportable option.

Once the cert is imported, to view the cert does not require admin
permission and thus the user can see (or rather Vista can see) the
corresponding private key (for the user account) matching the cert so it
correctly mentions that "you have a private key corresponding to this
cert....." blah blah blah. However, because the user cannot explicitly mark
the private key as exportable during the import process, the private key by
default is made not exportable.

This will be a huge issue with online issuing cert services for personal
uses. I have not tried requesting services related (IIS) certs from Vista
yet. With my experience with personal certs importing/exporting problems, I
probably won't at this stage..........

Another MS added "feature" to disable what is a perfectly fine process in
previous products.......

"Jesper" <Jesper@discussions.microsoft.com> wrote in message
news:4C88F0AC-0806-48AF-B2FA-6945D26CB562@microsoft.com...
>I noticed the same problem, and Thawte seems to be aware of it. It is
>really
> up to them to rewrite their request page so it works. Some of the
> hardening
> in IE on Vista must be breaking it.
>
> "mlai" wrote:
>
>> Just an observation:
>> I tried obtaining SSL certs with Vista thru Thawte (their free personal
>> email certs). I had to put www.thawte.com in a Trusted Zone and disable
>> protected mode for the trusted zone for it to work. However, when I
>> import
>> the issued certificates, I do not get an option to mark the private key
>> as
>> exportable and consequently, I cannot export the cert for backup and
>> installation on my laptop.
>>
>> If I request the cert from XPSP2 (also IE7), I can mark the cert as
>> exportable and can export the cert in PFX format to be used on another
>> machine. The process is completely identical but it works on XPSP2 but
>> not
>> Vista RTM (I am on x64).
>>
>> Can anybody shed some light on this? It will be a major problem as I
>> will
>> be moving to a pure Vista environment soon for my home network (which has
>> 7
>> machines......)
>>
>> Please help.
>> TIA.
>>

Hello Mlai,

Curiosity has got the best of me, what is your intended purpose for
importing free certs from Thawte ?

Reluctant for sharing suggestions not knowing your desired outcome.

--
Firewall


"mlai" wrote:

> Just an observation:
> I tried obtaining SSL certs with Vista thru Thawte (their free personal
> email certs). I had to put www.thawte.com in a Trusted Zone and disable
> protected mode for the trusted zone for it to work. However, when I import
> the issued certificates, I do not get an option to mark the private key as
> exportable and consequently, I cannot export the cert for backup and
> installation on my laptop.
>
> If I request the cert from XPSP2 (also IE7), I can mark the cert as
> exportable and can export the cert in PFX format to be used on another
> machine. The process is completely identical but it works on XPSP2 but not
> Vista RTM (I am on x64).
>
> Can anybody shed some light on this? It will be a major problem as I will
> be moving to a pure Vista environment soon for my home network (which has 7
> machines......)
>
> Please help.
> TIA.
>

Secured Email. I try to sign all the emails that I send to people so that
my friends and business associates knows that the message is genuine from
myself.

"FireWall2" <FireWall2@discussions.microsoft.com> wrote in message
news06C5B1D-87CC-4BF4-A7F6-3CE288A83EFE@microsoft.com...
>
> Hello Mlai,
>
> Curiosity has got the best of me, what is your intended purpose for
> importing free certs from Thawte ?
>
> Reluctant for sharing suggestions not knowing your desired outcome.
>
> --
> Firewall
>
>
> "mlai" wrote:
>
>> Just an observation:
>> I tried obtaining SSL certs with Vista thru Thawte (their free personal
>> email certs). I had to put www.thawte.com in a Trusted Zone and disable
>> protected mode for the trusted zone for it to work. However, when I
>> import
>> the issued certificates, I do not get an option to mark the private key
>> as
>> exportable and consequently, I cannot export the cert for backup and
>> installation on my laptop.
>>
>> If I request the cert from XPSP2 (also IE7), I can mark the cert as
>> exportable and can export the cert in PFX format to be used on another
>> machine. The process is completely identical but it works on XPSP2 but
>> not
>> Vista RTM (I am on x64).
>>
>> Can anybody shed some light on this? It will be a major problem as I
>> will
>> be moving to a pure Vista environment soon for my home network (which has
>> 7
>> machines......)
>>
>> Please help.
>> TIA.
>>

Miai,

Have you tried the below link for additional assistance? With your knowledge
and previous experience using certs, can not imagine why you are experiencing
difficulties.

http://search.microsoft.com/results....-US&FORM=QBME1
--
Firewall

Disclaimer:
Accept Vista as it is, or, Abandon Vista


"mlai" wrote:

> Secured Email. I try to sign all the emails that I send to people so that
> my friends and business associates knows that the message is genuine from
> myself.
>
> "FireWall2" <FireWall2@discussions.microsoft.com> wrote in message
> news06C5B1D-87CC-4BF4-A7F6-3CE288A83EFE@microsoft.com...
> >
> > Hello Mlai,
> >
> > Curiosity has got the best of me, what is your intended purpose for
> > importing free certs from Thawte ?
> >
> > Reluctant for sharing suggestions not knowing your desired outcome.
> >
> > --
> > Firewall
> >
> >
> > "mlai" wrote:
> >
> >> Just an observation:
> >> I tried obtaining SSL certs with Vista thru Thawte (their free personal
> >> email certs). I had to put www.thawte.com in a Trusted Zone and disable
> >> protected mode for the trusted zone for it to work. However, when I
> >> import
> >> the issued certificates, I do not get an option to mark the private key
> >> as
> >> exportable and consequently, I cannot export the cert for backup and
> >> installation on my laptop.
> >>
> >> If I request the cert from XPSP2 (also IE7), I can mark the cert as
> >> exportable and can export the cert in PFX format to be used on another
> >> machine. The process is completely identical but it works on XPSP2 but
> >> not
> >> Vista RTM (I am on x64).
> >>
> >> Can anybody shed some light on this? It will be a major problem as I
> >> will
> >> be moving to a pure Vista environment soon for my home network (which has
> >> 7
> >> machines......)
> >>
> >> Please help.
> >> TIA.
> >>
>

Mlai,

Not certain, but it appears that "free" certificates might be a part of
history, hence, the real source for your conflict.

Although, one Site from the previously provided Link does offer free certs
for "personal" use.
--
Firewall

Disclaimer:
Accept Vista as it is, or, Abandon Vista


"mlai" wrote:

> Secured Email. I try to sign all the emails that I send to people so that
> my friends and business associates knows that the message is genuine from
> myself.
>
> "FireWall2" <FireWall2@discussions.microsoft.com> wrote in message
> news06C5B1D-87CC-4BF4-A7F6-3CE288A83EFE@microsoft.com...
> >
> > Hello Mlai,
> >
> > Curiosity has got the best of me, what is your intended purpose for
> > importing free certs from Thawte ?
> >
> > Reluctant for sharing suggestions not knowing your desired outcome.
> >
> > --
> > Firewall
> >
> >
> > "mlai" wrote:
> >
> >> Just an observation:
> >> I tried obtaining SSL certs with Vista thru Thawte (their free personal
> >> email certs). I had to put www.thawte.com in a Trusted Zone and disable
> >> protected mode for the trusted zone for it to work. However, when I
> >> import
> >> the issued certificates, I do not get an option to mark the private key
> >> as
> >> exportable and consequently, I cannot export the cert for backup and
> >> installation on my laptop.
> >>
> >> If I request the cert from XPSP2 (also IE7), I can mark the cert as
> >> exportable and can export the cert in PFX format to be used on another
> >> machine. The process is completely identical but it works on XPSP2 but
> >> not
> >> Vista RTM (I am on x64).
> >>
> >> Can anybody shed some light on this? It will be a major problem as I
> >> will
> >> be moving to a pure Vista environment soon for my home network (which has
> >> 7
> >> machines......)
> >>
> >> Please help.
> >> TIA.
> >>
>

same problem for Comodo free email certs

"mlai" wrote:

> Just an observation:
> I tried obtaining SSL certs with Vista thru Thawte (their free personal
> email certs). I had to put www.thawte.com in a Trusted Zone and disable
> protected mode for the trusted zone for it to work. However, when I import
> the issued certificates, I do not get an option to mark the private key as
> exportable and consequently, I cannot export the cert for backup and
> installation on my laptop.
>
> If I request the cert from XPSP2 (also IE7), I can mark the cert as
> exportable and can export the cert in PFX format to be used on another
> machine. The process is completely identical but it works on XPSP2 but not
> Vista RTM (I am on x64).
>
> Can anybody shed some light on this? It will be a major problem as I will
> be moving to a pure Vista environment soon for my home network (which has 7
> machines......)
>
> Please help.
> TIA.
>

Sounds oddly similar to the problem I've got, under the heading: SSL problems
with Vista. Only solution I've got is to keep an XP/2003 machine around and
export from that one, which is obviously a PITA. And we're using 32-bit.

I just can't figure it out, I thought it must be some weird GPO setting but
I tried completely disabling all GPOs and it still doesn't work. But yet on
XP SP2/2003 SP1 with IE7, it all works fine.

Is there some fundamental difference in the way Vista handles CAs and
certificates?

Steve.

"mlai" wrote:

> Just an observation:
> I tried obtaining SSL certs with Vista thru Thawte (their free personal
> email certs). I had to put www.thawte.com in a Trusted Zone and disable
> protected mode for the trusted zone for it to work. However, when I import
> the issued certificates, I do not get an option to mark the private key as
> exportable and consequently, I cannot export the cert for backup and
> installation on my laptop.
>
> If I request the cert from XPSP2 (also IE7), I can mark the cert as
> exportable and can export the cert in PFX format to be used on another
> machine. The process is completely identical but it works on XPSP2 but not
> Vista RTM (I am on x64).
>
> Can anybody shed some light on this? It will be a major problem as I will
> be moving to a pure Vista environment soon for my home network (which has 7
> machines......)
>
> Please help.
> TIA.
>

I just checked comodo web site and their script does not support Vista yet,
so it's probably a different problem.

mlai: is the problem with thawte's SSL or email cert? I got a little
confused by your post. Do you remember which file format was sent back from
thawte server? .cer or .pfx?

"Michael" <Michael@discussions.microsoft.com> wrote in message
news:A7583964-8676-42AE-9F4E-0F56CBC6142A@microsoft.com...
> same problem for Comodo free email certs
>
> "mlai" wrote:
>
>> Just an observation:
>> I tried obtaining SSL certs with Vista thru Thawte (their free personal
>> email certs). I had to put www.thawte.com in a Trusted Zone and disable
>> protected mode for the trusted zone for it to work. However, when I
>> import
>> the issued certificates, I do not get an option to mark the private key
>> as
>> exportable and consequently, I cannot export the cert for backup and
>> installation on my laptop.
>>
>> If I request the cert from XPSP2 (also IE7), I can mark the cert as
>> exportable and can export the cert in PFX format to be used on another
>> machine. The process is completely identical but it works on XPSP2 but
>> not
>> Vista RTM (I am on x64).
>>
>> Can anybody shed some light on this? It will be a major problem as I
>> will
>> be moving to a pure Vista environment soon for my home network (which has
>> 7
>> machines......)
>>
>> Please help.
>> TIA.
>>