Channel: Security forum

A question about X509 certificate Allow Private Key to be Exported


Hello All

I have a question about the above, and want to understand what prevents the private key being exported (I have an idea but need clarification please).

Working with Windows OS

When a client requests a certificate by initially creating a CSR (using CertReq or one of several other methods), the private/public key pair is generated on the client and only the public key is presented in the CSR. When dealing with an enterprise CA, and therefore certificate templates, there is an option on the template, 'Allow Private Key to be Exported'. Now, assuming you leave this unchecked and thereby disabled, the client will not be able to open the resulting certificate with, for example, the Microsoft MMC > Certificates snap-in and export the private key (e.g. the option is greyed out).

My question is this: the private key is not in the certificate (although the two are linked to one another once the cert is successfully imported into the X509 store). As far as I know, the private key is either in a protected flat file or sometimes in a protected part of the registry.

A:) I assume there is an attribute or extension set on the certificate to state the private key is not exportable. Is that correct?

If so, I assume this acts as a flag signalling to utilities such as the Microsoft MMC not to allow private key export when using that tool (e.g. it reads this flag on the certificate itself and does not allow private key export). Is that correct?

B:) Or is the attribute that indicates the private key is not exportable set on the store (protected file, registry) holding the private key itself?

C:) Some other way?

If A above is correct and there is no export protection directly on the file/registry location holding the private key (but rather an attribute on the certificate itself), what is to stop someone using other methods, like scripting or non-MS tools, to locate and export the private key, thereby circumventing the no-export setting?

I would be most grateful if someone can clear this up for me.

Thanks All

Ernie 
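The check a practitioner would run to settle A vs. B, as an added example that is not part of the original post. The background it relies on: the template's "Allow private key to be exported" checkbox is stored in the template's msPKI-Private-Key-Flag attribute (CT_FLAG_EXPORTABLE_KEY, 0x10) and is read by the enrolling client when it generates the key pair; the resulting export policy is a property of the key inside the key storage provider (KSP), not an X.509 extension. The script below reproduces the same outcome without an enterprise CA by generating a non-exportable key with New-SelfSignedCertificate (a certreq .inf with Exportable = FALSE is written out alongside it to show the CSR-based equivalent), lists the certificate's extensions, reads the key's ExportPolicy from the CngKey object, locates the DPAPI-protected key file, and shows the provider refusing an export. The subject name, file names and the key directory are assumptions for the demo; it needs Windows 10 / Server 2016 or later with the built-in PKI module and runs as a normal user.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 on
# Windows 10 / Server 2016+ with the PKI module. Subject, paths and the key
# directory below are demo assumptions.
$ErrorActionPreference = 'Stop'

# 1. CSR-based equivalent of enrolling against a template with
#    "Allow private key to be exported" unchecked: certreq generates the key
#    pair locally and honours Exportable = FALSE. Written out only for
#    reference; the demo below uses a self-signed cert so it runs without a CA.
$inf = @"
[NewRequest]
Subject = "CN=ExportPolicyDemo"
KeyAlgorithm = RSA
KeyLength = 2048
ProviderName = "Microsoft Software Key Storage Provider"
Exportable = FALSE
MachineKeySet = FALSE
"@
$infPath = Join-Path $env:TEMP 'ExportPolicyDemo.inf'
Set-Content -Path $infPath -Value $inf
# To actually produce a CSR from it:
#   certreq -new $infPath (Join-Path $env:TEMP 'ExportPolicyDemo.csr')

# 2. Certificate whose key was generated with the same non-exportable policy.
$cert = New-SelfSignedCertificate -Subject 'CN=ExportPolicyDemo' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider 'Microsoft Software Key Storage Provider' `
    -KeyExportPolicy NonExportable

# 3. Every extension on the certificate itself. Nothing here encodes
#    exportability; the list is the same whether the key is exportable or not.
'Certificate extensions:'
$cert.Extensions | ForEach-Object { "  $($_.Oid.FriendlyName) ($($_.Oid.Value))" }

# 4. The export policy lives on the key object the KSP hands back.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$key = $rsa.Key                      # System.Security.Cryptography.CngKey
"Provider       : $($key.Provider.Provider)"
"Key unique name: $($key.UniqueName)"
"Export policy  : $($key.ExportPolicy)"   # 'None' means not exportable

# 5. Where the software KSP keeps a per-user key: a DPAPI-protected file named
#    after the key's unique name (assumed default location for this provider).
$keyFile = Join-Path (Join-Path $env:APPDATA 'Microsoft\Crypto\Keys') $key.UniqueName
"Key file       : $keyFile (exists: $(Test-Path $keyFile))"

# 6. Ask the provider for the private key: it enforces the policy and refuses.
try {
    $null = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)
    'Export succeeded (unexpected for a NonExportable key)'
} catch {
    "Export refused by provider: $($_.Exception.Message)"
}

# 7. Remove the demo certificate together with its key.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
Remove-Item -Path $infPath
```

What the output shows: the extension list carries no export flag, while ExportPolicy on the CngKey reads None and the Export call fails with a CryptographicException. So MMC's greyed-out option is the provider's answer, not a certificate attribute. The caveat that follows from step 5 is that, for the software KSP, enforcement is done by provider code operating on a file the user's DPAPI keys can decrypt, so anything that reads the key file outside the provider is not bound by the flag; if the key must genuinely never leave the machine, generate it in a hardware-backed provider (TPM KSP or smart card), where the private key material is not on disk at all.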