Certificate Import problems



 
 
  #1  
Old October 22nd 17, 11:45 AM posted to alt.comp.os.windows-10
Bob Henson[_2_]

I've just got an X.509 certificate from CAcert and imported it into the
Windows 10 personal folder using Certificate Manager (certmgr.msc).
CAcert are listed in the Intermediate and Trusted Root Authorities.
However, neither Thunderbird nor Chrome can see the new certificate, and
Control Panel Internet options Content Certificates doesn't show
it at all. I've done this umpteen times over the years in Windows 7 with
no difficulty at all. Any ideas what my problem might be with Windows
10? Is it known to have problems with certification?

--
Tetbury, Gloucestershire, England

Just when I was getting used to yesterday, along came today.
  #2  
Old October 22nd 17, 01:05 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Bob Henson wrote:

> neither Thunderbird nor Chrome can see the new certificate

Neither use the windows certificate store, you'll need to import it
into their own stores

TB:

Tools/Options/Advanced/Certificates/Manage

Chrome:

Settings/Advanced/ManageCertificates/Import


  #3  
Old October 22nd 17, 04:07 PM posted to alt.comp.os.windows-10
Bob Henson[_2_]

On 22/10/2017 1:05 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> neither Thunderbird nor Chrome can see the new certificate
>
> Neither use the windows certificate store, you'll need to import it
> into their own stores
>
> TB:
>
> Tools/Options/Advanced/Certificates/Manage
>
> Chrome:
>
> Settings/Advanced/ManageCertificates/Import



They won't import. There's an error message from Thunderbird saying that
the key that was present when the certificate was generated isn't
present. As it's part of the certificate, it can't be - Catch 22.

I've read a whole load of very technical stuff about the problem
(Install error 26352 is not unusual amongst developers, apparently.)
I've cleared all the entries for the CA and reinstalled, but it still
won't play ball.

Thanks for replying anyway - I'll hang on to see if anyone has any other
ideas - but as it is not essential, I may have to write this off as yet
another thing that I had in Windows 7 that doesn't work in Windows 10.
Oh Boy, there are a lot of them!

--
Tetbury, Gloucestershire, England

The penalty for bigamy is two Mothers-in-Law.
  #4  
Old October 22nd 17, 04:20 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Bob Henson wrote:

> They won't import. There's an error message from Thunderbird saying that
> the key that was present when the certificate was generated isn't
> present.


You can export them from the windows certificate store (use certmgr.msc)
in pkcs12/pfx format which allows the key/cert pair to be exported as
one, then import that.

Better hope the key hasn't been marked as "not for export".
  #5  
Old October 22nd 17, 04:43 PM posted to alt.comp.os.windows-10
Bob Henson[_2_]

On 22/10/2017 4:20 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> They won't import. There's an error message from Thunderbird saying that
>> the key that was present when the certificate was generated isn't
>> present.
>
> You can export them from the windows certificate store (use certmgr.msc)
> in pkcs12/pfx format which allows the key/cert pair to be exported as
> one, then import that.
>
> Better hope the key hasn't been marked as "not for export".


It just won't play. It now appears that the certificates will import,
but into "other people" instead of "personal". Of course, if I export
those there will be no private key - hence the problem. Why they will
not correctly import (with the Private Key) into the Personal section is
the problem. The self-signed key I generated with Office Tools went into
the correct section and has its private key OK. I've done this over and
over again in Windows 7 and never had a hitch. It seems to be time to
give up. I only wanted to sign some exportable macros - I use GnuPG if
signing/encryption is required.

--
Tetbury, Gloucestershire, England

Chinese philosopher say: Man who walk round examining beauty of sky and
clouds tread in more dog-muck than most.
  #6  
Old October 22nd 17, 04:46 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Bob Henson wrote:

> It just won't play


If you view the certificate you've imported, does it say "you have a
private key matching this certificate"? If so, you should be able to
export them as a pair, if it doesn't are you sure you generated the csr
on the same computer?
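
Added example, not part of any post in this thread: a PowerShell version of the check and export described in the posts above. It lists matching certificates in the current user's Personal (`My`) and Other People (`AddressBook`) stores with their `HasPrivateKey` flag, then exports a key-bearing one to a password-protected PFX; the subject filter and output path are placeholders.

```powershell
# Added example (not from the thread). Store paths are the standard provider names:
#   "Personal"     = Cert:\CurrentUser\My
#   "Other People" = Cert:\CurrentUser\AddressBook
# The subject filter and output path are placeholders (assumptions).
$subjectFilter = '*user@example.org*'
$pfxPath       = Join-Path $env:USERPROFILE 'mail-cert.pfx'

# 1. Show where matching certificates landed and whether a private key is attached.
#    A certificate that ends up in "Other People" normally has HasPrivateKey = False.
$stores = [ordered]@{
    'Personal'     = 'Cert:\CurrentUser\My'
    'Other People' = 'Cert:\CurrentUser\AddressBook'
}
$found = foreach ($name in $stores.Keys) {
    Get-ChildItem -Path $stores[$name] |
        Where-Object { $_.Subject -like $subjectFilter } |
        Select-Object @{ n = 'Store'; e = { $name } },
                      Subject, Thumbprint, NotAfter, HasPrivateKey
}
$found | Format-Table -AutoSize

# 2. Only a Personal-store certificate with a private key can be exported as a pair.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like $subjectFilter -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning ('No matching certificate with a private key in the Personal store. ' +
                   'The key stays in the browser/profile that generated the request.')
}
else {
    # 3. Export certificate + key as password-protected PKCS#12 (.pfx).
    $password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfxPath `
            -Password $password -ErrorAction Stop | Out-Null
        Write-Host "Exported $($cert.Thumbprint) to $pfxPath"
    }
    catch {
        # Typical cause: the key was created or imported as non-exportable.
        Write-Warning "Export failed: $($_.Exception.Message)"
    }
}
```

The resulting PFX contains the private key, so delete it once it has been imported into Thunderbird.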
  #7  
Old October 22nd 17, 06:51 PM posted to alt.comp.os.windows-10
Bob Henson[_2_]

On 22/10/2017 4:46 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> It just won't play
>
> If you view the certificate you've imported, does it say "you have a
> private key matching this certificate"? If so, you should be able to
> export them as a pair, if it doesn't are you sure you generated the csr
> on the same computer?


No - that is missing. The private key is getting lost between CACert
generating it and me importing it. The self-generated key has its
private key, and the line of text you describe. As I've never ever had
any trouble with CACert's keys before, I think it has to be something
wrong with Windows 10. In the past I could import the keys straight into
the browser from their website - certainly with Internet Explorer 11
anyway. I then used to export the keys from Internet options, and import
into Thunderbird. Now I get an error message with Internet Explorer 11,
Edge and Chrome saying the browser was making giving the correct
certificate request. I suspect it's nothing to do with the browser/s but
Windows 10 that is passing the wrong data. Because of that I downloaded
the keys and tried to import them - which is when this sorry saga started.

--
Tetbury, Gloucestershire, England

Heaven is where the police are British, the mechanics German, the cooks
are French, the lovers Italian, and all is organized by the Swiss.
Hell is where the police are German, the mechanics are French, the cooks
are British, the lovers are Swiss, and it's all organized by the Italians!
  #8  
Old October 22nd 17, 07:27 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Bob Henson wrote:

> Andy Burns wrote:
>
>> If you view the certificate you've imported, does it say "you have a
>> private key matching this certificate"?
>
> No - that is missing.


Which browser did you use to generate the cacert request?

  #9  
Old October 22nd 17, 07:42 PM posted to alt.comp.os.windows-10
Bob Henson[_2_]

On 22/10/2017 7:27 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> Andy Burns wrote:
>>
>>> If you view the certificate you've imported, does it say "you have a
>>> private key matching this certificate"?
>>
>> No - that is missing.
>
> Which browser did you use to generate the cacert request?


I tried all three - none would import directly. In the end, I used Edge
on the grounds that it was part of Windows 10 and most likely to
integrate well.

--
Tetbury, Gloucestershire, England

A preposition must never be used to end a sentence with.
And never start a sentence with a conjunction.
  #10  
Old October 22nd 17, 08:14 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]

Bob Henson wrote:

> Andy Burns wrote:
>
>> Which browser did you use to generate the cacert request?
>
> I tried all three - none would import directly.


If the key didn't import, the certificate by itself (as you realise) is
no use.

If you've got access to another machine you could generate the key and
request the cert on that, then export the pair to a password protected
file on a memory stick, delete the original and import it on the machine
you need it ...

  #11  
Old October 23rd 17, 08:30 AM posted to alt.comp.os.windows-10
Bob Henson[_2_]

On 22/10/2017 10:59 PM, VanguardLH wrote:
> Bob Henson wrote:
>
>> I've just got an X.509 certificate from CAcert and imported it into the
>> Windows 10 personal folder using Certificate Manager (certmgr.msc).
>> CAcert are listed in the Intermediate and Trusted Root Authorities.
>> However, neither Thunderbird nor Chrome can see the new certificate, and
>> Control Panel Internet options Content Certificates doesn't show
>> it at all. I've done this umpteen times over the years in Windows 7 with
>> no difficulty at all. Any ideas what my problem might be with Windows
>> 10? Is it known to have problems with certification?
>
> Mozilla does NOT use the global certificate store available in Windows
> and used by EVERY other program to find the certificate. Instead
> Firefox has its own internal (private) certificate store. You must
> install the cert into Firefox (and in the OS for other apps). Since
> Mozilla decided to use a private cert store for Firefox, I suspect they
> did the same for Thunderbird.

I imagine this is where my problems lie - or part of them.

> http://wiki.cacert.org/FAQ/BrowserCl...ozilla_Firefox
>
> CACert is known to provide insecure certs. Well, they're free and you
> get what you pay for. Because they are free to anyone providing
> whatever identification the user wants, they also do not identify who
> owns the cert. They're only used for encryption, not identification.
> They present a self-signed cert. Anyone can do that. Anyone can claim
> whomever they want to be when creating a self-signed cert.

They go as far as I need for my purposes. If I need anything more secure
(rare) I use GnuPG.

> At one time, you could get free e-mail certs from Thawte. After Thawte
> got swallowed up by Verisign, the free certs evaporated a year later.

Indeed, I used to have one. They even signed my old (now revoked) PGP
key. Sadly, no-one gives much away these days.

> I
> believe you can still get free e-mail certs from Comodo. However, free
> certs only let you pass your public key to a recipient so they can send
> you back an encrypted e-mail that only you can decrypt using your
> private key. X.509 encryption using e-mail certs is by invite.

I might have a look at Comodo, the low level security is more or less
enough for my purpose. The reason I might find them useful is that even
having imported CACert's root keys there is still a major problem
getting an intact key from CACert, and I still have no idea how to deal
with that problem. It might just be that their certificates will import OK.


--
Tetbury, Gloucestershire, England

The Flat Earth Society has members all over the globe.
  #12  
Old October 23rd 17, 09:19 AM posted to alt.comp.os.windows-10
Bob Henson[_2_]

On 22/10/2017 10:59 PM, VanguardLH wrote:
> Bob Henson wrote:
>
>> I've just got an X.509 certificate from CAcert and imported it into the
>> Windows 10 personal folder using Certificate Manager (certmgr.msc).
>> CAcert are listed in the Intermediate and Trusted Root Authorities.
>> However, neither Thunderbird nor Chrome can see the new certificate, and
>> Control Panel Internet options Content Certificates doesn't show
>> it at all. I've done this umpteen times over the years in Windows 7 with
>> no difficulty at all. Any ideas what my problem might be with Windows
>> 10? Is it known to have problems with certification?
>
> Mozilla does NOT use the global certificate store available in Windows
> and used by EVERY other program to find the certificate. Instead
> Firefox has its own internal (private) certificate store. You must
> install the cert into Firefox (and in the OS for other apps). Since
> Mozilla decided to use a private cert store for Firefox, I suspect they
> did the same for Thunderbird.
>
> http://wiki.cacert.org/FAQ/BrowserCl...ozilla_Firefox
>
> CACert is known to provide insecure certs. Well, they're free and you
> get what you pay for. Because they are free to anyone providing
> whatever identification the user wants, they also do not identify who
> owns the cert. They're only used for encryption, not identification.
> They present a self-signed cert. Anyone can do that. Anyone can claim
> whomever they want to be when creating a self-signed cert.
>
> At one time, you could get free e-mail certs from Thawte. After Thawte
> got swallowed up by Verisign, the free certs evaporated a year later. I
> believe you can still get free e-mail certs from Comodo.


OK, that was the clue that solved the riddle. It would appear that all
the browsers and/or the system have changed since I last sought a
certificate. When I got to the certificate request page using Chrome
there was a warning saying:-

"You need to ensure that your browser has given this website permission
to generate a key for you:
Click the padlock in the address bar.
Click Site settings at the bottom of the menu.
Scroll down to Key Generation and enable Allow all sites to use key
generation in forms.
If your browser prompts you to do so, click the "Reload" button to
reload this webpage."

This is new to me. I tried, but there is no such heading as "Key
Generation" in Chrome - maybe it's hidden somewhere else? Anyway, I
switched to Internet Explorer 11 and the warning was no longer shown -
the page is obviously browser type aware. Instead an Internet Explorer
pop up asked me to give permission for the site to generate the
certificate - or words to that effect. I told it yes, and a certificate
downloaded. This imported correctly using Control Panel Internet
Options. I then exported it as a .pfx file and that imported perfectly
into Thunderbird. It then showed up in both Chrome and Internet Explorer
11, as they obviously use the standard Windows 10 certificate store.
There's no way I could find to check with Edge browser - (there may be
but I couldn't see it - but I won't be using that anyway).


--
Tetbury, Gloucestershire, England

The penalty for bigamy is two Mothers-in-Law.
  #13  
Old October 23rd 17, 10:27 AM posted to alt.comp.os.windows-10
VanguardLH[_2_]

Bob Henson wrote:

> On 22/10/2017 10:59 PM, VanguardLH wrote:
>> Bob Henson wrote:
>>
>>> I've just got an X.509 certificate from CAcert and imported it into the
>>> Windows 10 personal folder using Certificate Manager (certmgr.msc).
>>> CAcert are listed in the Intermediate and Trusted Root Authorities.
>>> However, neither Thunderbird nor Chrome can see the new certificate, and
>>> Control Panel Internet options Content Certificates doesn't show
>>> it at all. I've done this umpteen times over the years in Windows 7 with
>>> no difficulty at all. Any ideas what my problem might be with Windows
>>> 10? Is it known to have problems with certification?
>>
>> Mozilla does NOT use the global certificate store available in Windows
>> and used by EVERY other program to find the certificate. Instead
>> Firefox has its own internal (private) certificate store. You must
>> install the cert into Firefox (and in the OS for other apps). Since
>> Mozilla decided to use a private cert store for Firefox, I suspect they
>> did the same for Thunderbird.
>>
>> http://wiki.cacert.org/FAQ/BrowserCl...ozilla_Firefox
>>
>> CACert is known to provide insecure certs. Well, they're free and you
>> get what you pay for. Because they are free to anyone providing
>> whatever identification the user wants, they also do not identify who
>> owns the cert. They're only used for encryption, not identification.
>> They present a self-signed cert. Anyone can do that. Anyone can claim
>> whomever they want to be when creating a self-signed cert.
>>
>> At one time, you could get free e-mail certs from Thawte. After Thawte
>> got swallowed up by Verisign, the free certs evaporated a year later. I
>> believe you can still get free e-mail certs from Comodo.
>
> OK, that was the clue that solved the riddle. It would appear that all
> the browsers and/or the system have changed since I last sought a
> certificate. When I got to the certificate request page using Chrome
> there was a warning saying:-
>
> "You need to ensure that your browser has given this website permission
> to generate a key for you:
> Click the padlock in the address bar.
> Click Site settings at the bottom of the menu.
> Scroll down to Key Generation and enable Allow all sites to use key
> generation in forms.
> If your browser prompts you to do so, click the "Reload" button to
> reload this webpage."
>
> This is new to me. I tried, but there is no such heading as "Key
> Generation" in Chrome - maybe it's hidden somewhere else? Anyway, I
> switched to Internet Explorer 11 and the warning was no longer shown -
> the page is obviously browser type aware. Instead an Internet Explorer
> pop up asked me to give permission for the site to generate the
> certificate - or words to that effect. I told it yes, and a certificate
> downloaded. This imported correctly using Control Panel Internet
> Options. I then exported it as a .pfx file and that imported perfectly
> into Thunderbird. It then showed up in both Chrome and Internet Explorer
> 11, as they obviously use the standard Windows 10 certificate store.
> There's no way I could find to check with Edge browser - (there may be
> but I couldn't see it - but I won't be using that anyway).


It's been years since I got a free e-mail certificate (from Comodo).
Back then, whatever web browser you used at the site to get it to dole
out a certificate was the same web browser you had to use to install the
certificate. It was a requirement of the cert authority doling out the
certificate.
  #14  
Old October 23rd 17, 11:26 AM posted to alt.comp.os.windows-10
Bob Henson[_2_]

On 23/10/2017 10:27 AM, VanguardLH wrote:
> It's been years since I got a free e-mail certificate (from Comodo).
> Back then, whatever web browser you used at the site to get it to dole
> out a certificate was the same web browser you had to use to install the
> certificate. It was a requirement of the cert authority doling out the
> certificate.


It ought to still be so. I read since that from version 49 the ability
is disabled in Chrome and anything chrome based like Opera and has never
been in Edge. Although Firefox has its own store, apparently it still
can be used to enable the key generation - I haven't tried. Basically,
if anyone wants a key it's Internet Explorer and maybe a couple of
obscure others or nothing. If Internet Explorer 11 is the last one it is
to be hoped it will continue to function for some time.

--
Tetbury, Gloucestershire, England

Nobody teaches volcanoes to erupt, tsunamis to devastate, hurricanes to
swirl around, or a man how to choose a wife. Natural disasters just happen.
 



