What does the "Enable Certificate Privacy" option mean when exporting certificates?

With Windows Server 2016 and Windows 10, a new "Enable Certificate Privacy" option was introduced for exporting certificates together with their private keys via the Microsoft Management Console (MMC).

When a certificate is exported together with its private key, it is written to a PKCS#12 (.PFX) file.

Functionality


In earlier Windows versions, the entire contents of the PKCS#12 file were encrypted. Without the password the file could not be viewed at all, not even to read metadata such as the subject or issuer of the contained certificate.

If the option is deactivated, only the private key inside the PKCS#12 file is encrypted; all other contents, in particular the certificate itself, are readable without the password.

On Windows Server 2016 and the Windows 10 builds of that time, the option was deactivated by default.

On Windows Server 2019 and current Windows 10 builds it is activated by default again, which restores the behavior of earlier Windows versions.
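The distinction described above (the private key always encrypted, the certificate either in a plaintext or in a password-encrypted part of the file) can be checked without certutil by looking at the PKCS#12 structure itself. The following Python script is an added example; it is not part of the original post and not code from Microsoft. It parses only the outer PKCS#12 layers and classifies each "safe" by its PKCS#7 content type, without decrypting anything. It assumes definite-length DER as the Windows export wizard writes it (older OpenSSL builds emit indefinite-length BER, which this parser rejects), and the two sample files it builds are constructed with placeholder payloads; the helper names (`inspect_pfx`, `build_sample_pfx`) are my own.

```python
# Added example: which parts of a PKCS#12 (.PFX) file are password-encrypted?
# PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData OPTIONAL }
# authSafe wraps AuthenticatedSafe ::= SEQUENCE OF ContentInfo, each either
#   data          -> plaintext SafeContents (readable without password)
#   encryptedData -> SafeContents encrypted with the PFX password
import sys

OID_DATA = "1.2.840.113549.1.7.1"            # PKCS#7 data
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"  # PKCS#7 encryptedData
BAG_NAMES = {
    "1.2.840.113549.1.12.10.1.1": "keyBag",
    "1.2.840.113549.1.12.10.1.2": "pkcs8ShroudedKeyBag",  # key encrypted on its own
    "1.2.840.113549.1.12.10.1.3": "certBag",
    "1.2.840.113549.1.12.10.1.4": "crlBag",
}


def _read_tlv(buf, pos=0):
    """Decode one definite-length DER TLV; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite-length BER is not supported by this parser")
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All TLVs inside a constructed value, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def inspect_pfx(pfx):
    """Describe every ContentInfo in the AuthenticatedSafe:
    [{'encrypted': bool, 'bags': [bag type names]}] (bags is empty when encrypted)."""
    tag, body, _ = _read_tlv(pfx)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE, so not a PFX")
    _version, (_, auth_safe_ci) = _children(body)[:2]
    (_, ct_oid), (_, explicit) = _children(auth_safe_ci)[:2]
    if _decode_oid(ct_oid) != OID_DATA:
        raise ValueError("outer authSafe is not PKCS#7 data (signed PFX not supported)")
    (_, octets), = _children(explicit)          # [0] EXPLICIT OCTET STRING
    (_, auth_safe_seq), = _children(octets)     # AuthenticatedSafe
    safes = []
    for _, ci in _children(auth_safe_seq):
        (_, oid), (_, content) = _children(ci)[:2]
        ctype = _decode_oid(oid)
        if ctype == OID_ENCRYPTED_DATA:
            safes.append({"encrypted": True, "bags": []})
            continue
        if ctype != OID_DATA:
            raise ValueError("unexpected ContentInfo type " + ctype)
        (_, sc_octets), = _children(content)    # OCTET STRING holding SafeContents
        (_, bags_seq), = _children(sc_octets)   # SafeContents ::= SEQUENCE OF SafeBag
        bags = [_decode_oid(_children(bag)[0][1]) for _, bag in _children(bags_seq)]
        safes.append({"encrypted": False, "bags": [BAG_NAMES.get(b, b) for b in bags]})
    return safes


def certificates_readable_without_password(pfx):
    """True when a certBag sits in a plaintext safe, i.e. certutil -dump shows it without -p."""
    return any(not s["encrypted"] and "certBag" in s["bags"] for s in inspect_pfx(pfx))


# --- constructed sample files with placeholder payloads (NOT real Windows exports) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _oid(dotted):
    first, second, *rest = (int(x) for x in dotted.split("."))
    out = bytearray([40 * first + second])
    for v in rest:
        enc = bytearray([v & 0x7F])
        while v >> 7:
            v >>= 7
            enc.insert(0, 0x80 | (v & 0x7F))
        out += enc
    return _tlv(0x06, bytes(out))


def _content_info(oid, inner):
    return _tlv(0x30, _oid(oid) + _tlv(0xA0, inner))


def build_sample_pfx(privacy_enabled):
    """One safe with the certificate, one with the key as pkcs8ShroudedKeyBag (always encrypted
    by itself). Privacy enabled turns the certificate safe into encryptedData."""
    cert_bag = _tlv(0x30, _oid("1.2.840.113549.1.12.10.1.3") + _tlv(0xA0, _tlv(0x30, b"CERT")))
    key_bag = _tlv(0x30, _oid("1.2.840.113549.1.12.10.1.2") + _tlv(0xA0, _tlv(0x30, b"ENCKEY")))
    if privacy_enabled:
        cert_safe = _content_info(OID_ENCRYPTED_DATA, _tlv(0x30, b"ENCRYPTED-SAFECONTENTS"))
    else:
        cert_safe = _content_info(OID_DATA, _tlv(0x04, _tlv(0x30, cert_bag)))
    key_safe = _content_info(OID_DATA, _tlv(0x04, _tlv(0x30, key_bag)))
    auth_safe = _content_info(OID_DATA, _tlv(0x04, _tlv(0x30, cert_safe + key_safe)))
    return _tlv(0x30, _tlv(0x02, b"\x03") + auth_safe)  # version 3, MacData omitted here


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_pfx(privacy_enabled=False)
    for i, safe in enumerate(inspect_pfx(data)):
        print(f"safe {i}: {'ENCRYPTED' if safe['encrypted'] else 'plaintext'} {safe['bags']}")
    print("certificates readable without password:", certificates_readable_without_password(data))
```

Run it with the path of a .PFX as the only argument. A file exported with the option disabled shows the certBag in a plaintext safe; with the option enabled that safe appears as encryptedData, and only the shrouded key bag, which is encrypted on its own in both cases, remains visible in the clear. Note that even then the plaintext key safe still exposes unencrypted bag attributes such as the friendly name and key identifier.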

Function test

For comparison, one PKCS#12 file exported with each of the two settings is examined with the following command:

certutil -dump {file}

Option enabled

If the "Enable Certificate Privacy" option is enabled, certutil requires the password before it displays anything from the file.

Option not activated

If the "Enable Certificate Privacy" option is not enabled, the public information can be viewed without a password.

Because of this changed behavior, certutil does not prompt for a password for such a file; the private key is therefore neither decrypted nor tested.

To verify the private key as well, pass the password on the command line:

certutil -p {password} -dump {file}
