Come to think of it, it probably has a lot to do with how Vista handles
securities instead of how these CA issues certificates. Looking at the
flow, the private key
was generated by various flavors MS cryptographic services. The private key
is probably saved on the requesting machine somewhere and also related to
the issuing CAs.
Here comes the potential problem. In Vista, you have to jump thru loops and
hoops to import certs in the sense that you need to get pass the UAC prompt
which temporarily changes the account credentials to achieve administrator
The importing process probably broke down somewhere here as the account
requesting the cert is not the same as the one to import the cert and thus
when the cert is imported, it doesn't see the private key generated via the
user account. If that is the case, the cert importing component probably
assumed that the account (the admin account) does not have the private key
corresponding to the cert and thus does not present the Mark Private Key as
Once the cert is imported, to view the cert does not require admin
permission and thus the user can see (or rather Vista can see) the
corresponding private key (for the user account) matching the cert so it
correctly mentions that "you have a private key corresponding to this
cert....." blah blah blah. However, because the user cannot explicitly mark
the private key as exportable during the import process, the private key by
default is made not exportable.
This will be a huge issue with online issuing cert services for personal
uses. I have not tried requesting services related (IIS) certs from Vista
yet. With my experience with personal certs importing/exporting problems, I
probably won't at this stage..........
Another MS added "feature" to disable what is a perfectly fine process in
"Jesper" <Jesper@discussions.microsoft.com> wrote in message
>I noticed the same problem, and Thawte seems to be aware of it. It is
> up to them to rewrite their request page so it works. Some of the
> in IE on Vista must be breaking it.
> "mlai" wrote:
>> Just an observation:
>> I tried obtaining SSL certs with Vista thru Thawte (their free personal
>> email certs). I had to put www.thawte.com in a Trusted Zone and disable
>> protected mode for the trusted zone for it to work. However, when I
>> the issued certificates, I do not get an option to mark the private key
>> exportable and consequently, I cannot export the cert for backup and
>> installation on my laptop.
>> If I request the cert from XPSP2 (also IE7), I can mark the cert as
>> exportable and can export the cert in PFX format to be used on another
>> machine. The process is completely identical but it works on XPSP2 but
>> Vista RTM (I am on x64).
>> Can anybody shed some light on this? It will be a major problem as I
>> be moving to a pure Vista environment soon for my home network (which has
>> Please help.