Importing Personal Certificates


Cheryl Fischer
PROBLEM: Cannot import digital certificates while logged
in as anyone other than ADMINISTRATOR - even if the user
has ADMINISTRATOR rights.

How can I get around this? I need to have my individual
users be able to import the certificates so they can send
and receive encrypted mail messages.

If I import the certificates for them as ADMINISTRATOR,
then when they log into the machine as themselves, the
certificates don't show up.

I have already copied the ADMINISTRATOR profile to ALL
USERS and shared the profile to EVERYONE.

Thanks in advance,
Cheryl

Steven L Umbach
I have never tried it the way you are doing it. One thing that may help is to copy
the .pfx file that contains the user's private key and certificate to their computer.
The .pfx file will need to be password protected. Then after they log on, have them
open the .pfx file, which should import it into their user's store.

Otherwise, if you are using an Enterprise CA for W2K, users can request a certificate
through the MMC certificate snap-in for users by going to their personal folder,
right-clicking and selecting Request Certificate. If it is not an Enterprise CA in an
Active Directory domain, they can still use Web Enrollment to request, retrieve, and
install certificates. The link below explains more on that. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
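
The per-user import suggested in the reply above, as an added example that is not part of the original thread. It assumes a current Windows release with PowerShell's PKI module (`Import-PfxCertificate`), which Windows 2000 does not have, and a hypothetical `$PfxPath` parameter. It also confirms that the certificate landed in the logged-on user's own Personal store with its private key.

```powershell
# Run in the session of the user who will send and receive encrypted mail,
# not as Administrator: Cert:\CurrentUser\My is stored per user profile,
# so a certificate imported by one account is not visible to another.
param(
    [Parameter(Mandatory)] [string] $PfxPath   # hypothetical path to the user's .pfx
)

$ErrorActionPreference = 'Stop'
$secureEmailOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (S/MIME)

# Prompt for the .pfx password so it never appears in a script or shell history.
$password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString

# Import into the current user's Personal store. Without -Exportable the
# private key is marked non-exportable once it is in the store.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $password

foreach ($cert in $imported) {
    # Re-read from the store to confirm what this user will actually see.
    $stored = Get-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)"
    $ekus = @($stored.EnhancedKeyUsageList |
        Where-Object { $_ } | ForEach-Object { $_.ObjectId })

    [pscustomobject]@{
        Store         = "CurrentUser\My ($env:USERDOMAIN\$env:USERNAME)"
        Subject       = $stored.Subject
        NotAfter      = $stored.NotAfter
        # False here means only the public certificate arrived; the user
        # could verify signatures but not decrypt or sign mail.
        HasPrivateKey = $stored.HasPrivateKey
        # No EKU extension means the certificate is not restricted to
        # specific purposes, so it is also usable for secure e-mail.
        SecureEmail   = ($ekus.Count -eq 0) -or ($ekus -contains $secureEmailOid)
    }
}
```

Delete the .pfx file from the workstation once `HasPrivateKey` shows `True`, since the file still carries a copy of the private key.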




Cheryl Fischer
Thanks for your response.

Actually, my CA is on a Novell NetWare 6 server and we use
eDirectory, not Active Directory.

I have copied the .pfx file to the PC - it is exported via
Novell CertConsole. The problems are arising when trying
to import them on the Win2K machines. On the Win98
machines they slide right in, but not on the Win2K ones.

Is there any documentation that you know of pertaining to
importing digital certificates on Windows 2K? I read the
post you sent the link to; however, it requires the CA to
be on a Microsoft server with Active Directory
running.

Thanks again,
Cheryl

Paul Adare - MVP - Microsoft Virtual PC
In article <4ea501c473e1$09be0360$a401280a@phx.gbl>, in the
microsoft.public.win2000.security news group, Cheryl Fischer
says...

> Actually, my CA is on a Novell NetWare 6 server and we use
> eDirectory, not Active Directory.
>
> I have copied the .pfx file to the PC - it is exported via
> Novell CertConsole. The problems are arising when trying
> to import them on the Win2K machines.
>

You should really be asking this question in a Novell forum then.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.

Steven L Umbach
Hi Cheryl.

I was not aware you were using a Novell CA, with which I have zero experience. You
might want to post in a Novell newsgroup or try searching http://www.google.com web
and groups for "Novell certificates Windows 2000". --- Steve




cheryl fischer
Thanks - I have posted in Novell also; however, since the
certificates are being created successfully, and are
importable, I don't think it's the Novell stuff that's
failing. It appears as if it's the "wonderful" Windows
O/S that is causing the problems.

If I can import the certificate logged in as
administrator - then I would assume that the certificate
is valid. If I can import the certificate on Windows 98
and not on Windows 2K, then again, I'm thinking that it
points to the Win2k O/S, not the certificate.

I'll keep looking.

Cheryl

Paul Adare - MVP - Microsoft Virtual PC
In article <53ab01c47415$81475f10$a301280a@phx.gbl>, in the
microsoft.public.win2000.security news group, cheryl fischer
says...

> If I can import the certificate logged in as
> administrator - then I would assume that the certificate
> is valid. If I can import the certificate on Windows 98
> and not on Windows 2K, then again, I'm thinking that it
> points to the Win2k O/S, not the certificate.
>

You might want to provide some more information here, such as patch
level of the Windows 2000 computers, and any error messages, event log
entries, etc. Kind of hard to troubleshoot with just "it doesn't work"
type posts.

--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.