#1
Certificate Import problems
I've just got an X.509 certificate from CAcert and imported it into the Windows 10 personal folder using Certificate Manager (certmgr.msc). CAcert are listed in the Intermediate and Trusted Root Authorities. However, neither Thunderbird nor Chrome can see the new certificate, and Control Panel Internet options Content Certificates doesn't show it at all. I've done this umpteen times over the years in Windows 7 with no difficulty at all.

Any ideas what my problem might be with Windows 10? Is it known to have problems with certification?

--
Tetbury, Gloucestershire, England
Just when I was getting used to yesterday, along came today.
#2
Bob Henson wrote:
> neither Thunderbird nor Chrome can see the new certificate

Neither use the windows certificate store, you'll need to import it into their own stores

TB: Tools/Options/Advanced/Certificates/Manage
Chrome: Settings/Advanced/ManageCertificates/Import
#3
On 22/10/2017 1:05 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> neither Thunderbird nor Chrome can see the new certificate
>
> Neither use the windows certificate store, you'll need to import it into their own stores
>
> TB: Tools/Options/Advanced/Certificates/Manage
> Chrome: Settings/Advanced/ManageCertificates/Import

They won't import. There's an error message from Thunderbird saying that the key that was present when the certificate was generated isn't present. As it's part of the certificate, it can't be - Catch 22. I've read a whole load of very technical stuff about the problem (Install error 26352 is not unusual amongst developers, apparently.) I've cleared all the entries for the CA and reinstalled, but it still won't play ball.

Thanks for replying anyway - I'll hang on to see if anyone has any other ideas - but as it is not essential, I may have to write this off as yet another thing that I had in Windows 7 that doesn't work in Windows 10. Oh Boy, there are a lot of them!

--
Tetbury, Gloucestershire, England
The penalty for bigamy is two Mothers-in-Law.
#4
Bob Henson wrote:
> They won't import. There's an error message from Thunderbird saying that the key that was present when the certificate was generated isn't present.

You can export them from the windows certificate store (use certmgr.msc) in pkcs12/pfx format which allows the key/cert pair to be exported as one, then import that.

Better hope the key hasn't been marked as "not for export".
#5
On 22/10/2017 4:20 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> They won't import. There's an error message from Thunderbird saying that the key that was present when the certificate was generated isn't present.
>
> You can export them from the windows certificate store (use certmgr.msc) in pkcs12/pfx format which allows the key/cert pair to be exported as one, then import that.
>
> Better hope the key hasn't been marked as "not for export".

It just won't play. It now appears that the certificates will import, but into "other people" instead of "personal". Of course, if I export those there will be no private key - hence the problem. Why they will not correctly import (with the Private Key) into the Personal section is the problem. The self-signed key I generated with Office Tools went into the correct section and has its private key OK. I've done this over and over again in Windows 7 and never had a hitch.

It seems to be time to give up. I only wanted to sign some exportable macros - I use GnuPG if signing/encryption is required.

--
Tetbury, Gloucestershire, England
Chinese philosopher say: Man who walk round examining beauty of sky and clouds tread in more dog-muck than most.
#6
Bob Henson wrote:
> It just won't play

If you view the certificate you've imported, does it say "you have a private key matching this certificate"?

If so, you should be able to export them as a pair, if it doesn't are you sure you generated the csr on the same computer?
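
The two checks discussed in the replies above (does the imported certificate have a matching private key, and can the pair be exported as pkcs12/pfx), as an added PowerShell example that is not part of the original thread. The function names `Get-CertKeyStatus` and `Export-CertWithKey` are hypothetical; `My` and `AddressBook` are the store names behind "Personal" and "Other People" in certmgr.msc.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Lists certificates in the current user's "Personal" (My) and
# "Other People" (AddressBook) stores and reports whether Windows holds
# a private key for each one.
function Get-CertKeyStatus {
    param(
        [string[]]$StoreNames = @('My', 'AddressBook')
    )
    foreach ($name in $StoreNames) {
        Get-ChildItem -Path "Cert:\CurrentUser\$name" | ForEach-Object {
            [pscustomobject]@{
                Store         = $name
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # same fact as the dialog's
                                                   # "You have a private key..." line
                Thumbprint    = $_.Thumbprint
            }
        }
    }
}

# Exports one certificate from the Personal store together with its key
# as a password-protected .pfx file.
function Export-CertWithKey {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$FilePath
    )
    $cert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop

    # A certificate without its key exports fine as .cer but is useless
    # for signing, so stop here instead of writing a misleading file.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in this store."
    }

    $password = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString

    # Export-PfxCertificate raises an error if the key was stored as
    # non-exportable; that case cannot be worked around from here.
    Export-PfxCertificate -Cert $cert -FilePath $FilePath -Password $password
}

# Show the status table for both stores.
Get-CertKeyStatus | Format-Table -AutoSize
```

A certificate that appears under `AddressBook` with `HasPrivateKey` set to `False` matches the "other people" symptom described in the thread: the key pair was never created in, or never reached, this user's store.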
#7
On 22/10/2017 4:46 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> It just won't play
>
> If you view the certificate you've imported, does it say "you have a private key matching this certificate"?
>
> If so, you should be able to export them as a pair, if it doesn't are you sure you generated the csr on the same computer?

No - that is missing. The private key is getting lost between CACert generating it and me importing it. The self-generated key has its private key, and the line of text you describe. As I've never ever had any trouble with CACert's keys before, I think it has to be something wrong with Windows 10.

In the past I could import the keys straight into the browser from their website - certainly with Internet Explorer 11 anyway. I then used to export the keys from Internet options, and import into Thunderbird. Now I get an error message with Internet Explorer 11, Edge and Chrome saying the browser was making giving the correct certificate request. I suspect it's nothing to do with the browser/s but Windows 10 that is passing the wrong data. Because of that I downloaded the keys and tried to import them - which is when this sorry saga started.

--
Tetbury, Gloucestershire, England
Heaven is where the police are British, the mechanics German, the cooks are French, the lovers Italian, and all is organized by the Swiss. Hell is where the police are German, the mechanics are French, the cooks are British, the lovers are Swiss, and it's all organized by the Italians!
#8
Bob Henson wrote:
> Andy Burns wrote:
>
>> If you view the certificate you've imported, does it say "you have a private key matching this certificate"?
>
> No - that is missing.

Which browser did you use to generate the cacert request?
#9
On 22/10/2017 7:27 PM, Andy Burns wrote:
> Bob Henson wrote:
>
>> Andy Burns wrote:
>>
>>> If you view the certificate you've imported, does it say "you have a private key matching this certificate"?
>>
>> No - that is missing.
>
> Which browser did you use to generate the cacert request?

I tried all three - none would import directly. In the end, I used Edge on the grounds that it was part of Windows 10 and most likely to integrate well.

--
Tetbury, Gloucestershire, England
A preposition must never be used to end a sentence with. And never start a sentence with a conjunction.
#10
Bob Henson wrote:
> Andy Burns wrote:
>
>> Which browser did you use to generate the cacert request?
>
> I tried all three - none would import directly.

If the key didn't import, the certificate by itself (as you realise) is no use.

If you've got access to another machine you could generate the key and request the cert on that, then export the pair to a password protected file on a memory stick, delete the original and import it on the machine you need it ...
#11
On 22/10/2017 10:59 PM, VanguardLH wrote:
> Bob Henson wrote:
>
>> I've just got an X.509 certificate from CAcert and imported it into the Windows 10 personal folder using Certificate Manager (certmgr.msc). CAcert are listed in the Intermediate and Trusted Root Authorities. However, neither Thunderbird nor Chrome can see the new certificate, and Control Panel Internet options Content Certificates doesn't show it at all. I've done this umpteen times over the years in Windows 7 with no difficulty at all.
>>
>> Any ideas what my problem might be with Windows 10? Is it known to have problems with certification?
>
> Mozilla does NOT use the global certificate store available in Windows and used by EVERY other program to find the certificate. Instead Firefox has its own internal (private) certificate store. You must install the cert into Firefox (and in the OS for other apps). Since Mozilla decided to use a private cert store for Firefox, I suspect they did the same for Thunderbird.

I imagine this is where my problems lie - or part of them.

> http://wiki.cacert.org/FAQ/BrowserCl...ozilla_Firefox
>
> CACert is known to provide insecure certs. Well, they're free and you get what you pay for. Because they are free to anyone providing whatever identification the user wants, they also do not identify who owns the cert. They're only used for encryption, not identification. They present a self-signed cert. Anyone can do that. Anyone can claim whomever they want to be when creating a self-signed cert.

They go as far as I need for my purposes. If I need anything more secure (rare) I use GnuPG.

> At one time, you could get free e-mail certs from Thawte. After Thawte got swallowed up by Verisign, the free certs evaporated a year later.

Indeed, I used to have one. They even signed my old (now revoked) PGP key. Sadly, no-one gives much away these days.

> I believe you can still get free e-mail certs from Comodo. However, free certs only let you pass your public key to a recipient so they can send you back an encrypted e-mail that only you can decrypt using your private key. X.509 encryption using e-mail certs is by invite.

I might have a look at Comodo, the low level security is more or less enough for my purpose. The reason I might find them useful is that even having imported CACert's root keys there is still a major problem getting an intact key from CACert, and I still have no idea how to deal with that problem. It might just be that their certificates will import OK.

--
Tetbury, Gloucestershire, England
The Flat Earth Society has members all over the globe.
#12
On 22/10/2017 10:59 PM, VanguardLH wrote:
> Bob Henson wrote:
>
>> I've just got an X.509 certificate from CAcert and imported it into the Windows 10 personal folder using Certificate Manager (certmgr.msc). CAcert are listed in the Intermediate and Trusted Root Authorities. However, neither Thunderbird nor Chrome can see the new certificate, and Control Panel Internet options Content Certificates doesn't show it at all. I've done this umpteen times over the years in Windows 7 with no difficulty at all.
>>
>> Any ideas what my problem might be with Windows 10? Is it known to have problems with certification?
>
> Mozilla does NOT use the global certificate store available in Windows and used by EVERY other program to find the certificate. Instead Firefox has its own internal (private) certificate store. You must install the cert into Firefox (and in the OS for other apps). Since Mozilla decided to use a private cert store for Firefox, I suspect they did the same for Thunderbird.
>
> http://wiki.cacert.org/FAQ/BrowserCl...ozilla_Firefox
>
> CACert is known to provide insecure certs. Well, they're free and you get what you pay for. Because they are free to anyone providing whatever identification the user wants, they also do not identify who owns the cert. They're only used for encryption, not identification. They present a self-signed cert. Anyone can do that. Anyone can claim whomever they want to be when creating a self-signed cert.
>
> At one time, you could get free e-mail certs from Thawte. After Thawte got swallowed up by Verisign, the free certs evaporated a year later.
>
> I believe you can still get free e-mail certs from Comodo.

OK, that was the clue that solved the riddle. It would appear that all the browsers and/or the system have changed since I last sought a certificate. When I got to the certificate request page using Chrome there was a warning saying:-

"You need to ensure that your browser has given this website permission to generate a key for you:
Click the padlock in the address bar.
Click Site settings at the bottom of the menu.
Scroll down to Key Generation and enable Allow all sites to use key generation in forms.
If your browser prompts you to do so, click the "Reload" button to reload this webpage."

This is new to me. I tried, but there is no such heading as "Key Generation" in Chrome - maybe it's hidden somewhere else? Anyway, I switched to Internet Explorer 11 and the warning was no longer shown - the page is obviously browser type aware. Instead an Internet Explorer pop up asked me to give permission for the site to generate the certificate - or words to that effect. I told it yes, and a certificate downloaded. This imported correctly using Control Panel Internet Options. I then exported it as a .pfx file and that imported perfectly into Thunderbird. It then showed up in both Chrome and Internet Explorer 11, as they obviously use the standard Windows 10 certificate store. There's no way I could find to check with Edge browser - (there may be but I couldn't see it - but I won't be using that anyway).

--
Tetbury, Gloucestershire, England
The penalty for bigamy is two Mothers-in-Law.
#13
Bob Henson wrote:
> On 22/10/2017 10:59 PM, VanguardLH wrote:
>
>> Bob Henson wrote:
>>
>>> I've just got an X.509 certificate from CAcert and imported it into the Windows 10 personal folder using Certificate Manager (certmgr.msc). CAcert are listed in the Intermediate and Trusted Root Authorities. However, neither Thunderbird nor Chrome can see the new certificate, and Control Panel Internet options Content Certificates doesn't show it at all. I've done this umpteen times over the years in Windows 7 with no difficulty at all.
>>>
>>> Any ideas what my problem might be with Windows 10? Is it known to have problems with certification?
>>
>> Mozilla does NOT use the global certificate store available in Windows and used by EVERY other program to find the certificate. Instead Firefox has its own internal (private) certificate store. You must install the cert into Firefox (and in the OS for other apps). Since Mozilla decided to use a private cert store for Firefox, I suspect they did the same for Thunderbird.
>>
>> http://wiki.cacert.org/FAQ/BrowserCl...ozilla_Firefox
>>
>> CACert is known to provide insecure certs. Well, they're free and you get what you pay for. Because they are free to anyone providing whatever identification the user wants, they also do not identify who owns the cert. They're only used for encryption, not identification. They present a self-signed cert. Anyone can do that. Anyone can claim whomever they want to be when creating a self-signed cert.
>>
>> At one time, you could get free e-mail certs from Thawte. After Thawte got swallowed up by Verisign, the free certs evaporated a year later.
>>
>> I believe you can still get free e-mail certs from Comodo.
>
> OK, that was the clue that solved the riddle. It would appear that all the browsers and/or the system have changed since I last sought a certificate. When I got to the certificate request page using Chrome there was a warning saying:-
>
> "You need to ensure that your browser has given this website permission to generate a key for you:
> Click the padlock in the address bar.
> Click Site settings at the bottom of the menu.
> Scroll down to Key Generation and enable Allow all sites to use key generation in forms.
> If your browser prompts you to do so, click the "Reload" button to reload this webpage."
>
> This is new to me. I tried, but there is no such heading as "Key Generation" in Chrome - maybe it's hidden somewhere else? Anyway, I switched to Internet Explorer 11 and the warning was no longer shown - the page is obviously browser type aware. Instead an Internet Explorer pop up asked me to give permission for the site to generate the certificate - or words to that effect. I told it yes, and a certificate downloaded. This imported correctly using Control Panel Internet Options. I then exported it as a .pfx file and that imported perfectly into Thunderbird. It then showed up in both Chrome and Internet Explorer 11, as they obviously use the standard Windows 10 certificate store. There's no way I could find to check with Edge browser - (there may be but I couldn't see it - but I won't be using that anyway).

It's been years since I got a free e-mail certificate (from Comodo). Back then, whatever web browser you used at the site to get it to dole out a certificate was the same web browser you had to use to install the certificate. It was a requirement of the cert authority doling out the certificate.
#14
On 23/10/2017 10:27 AM, VanguardLH wrote:
> It's been years since I got a free e-mail certificate (from Comodo). Back then, whatever web browser you used at the site to get it to dole out a certificate was the same web browser you had to use to install the certificate. It was a requirement of the cert authority doling out the certificate.

It ought to still be so. I read since that from version 49 the ability is disabled in Chrome and anything chrome based like Opera and has never been in Edge. Although Firefox has its own store, apparently it still can be used to enable the key generation - I haven't tried. Basically, if anyone wants a key it's Internet Explorer and maybe a couple of obscure others or nothing. If Internet Explorer 11 is the last one it is to be hoped it will continue to function for some time.

--
Tetbury, Gloucestershire, England
Nobody teaches volcanoes to erupt, tsunamis to devastate, hurricanes to swirl around, or a man how to choose a wife. Natural disasters just happen.