Does deleting a certificate cause private key deletion?


Ohaya

Hi,

I'm cross-posting this because I am not sure which group this belongs
in. My apologies.

This is a relatively quick question:

If I have a certificate installed on a system (Local Computer, Personal)
where there's initially a corresponding private key on the machine, and
I delete the certificate using the MMC-Certificates snap-in, does the
private key also get deleted from the machine?


More detail:

1) I used IIS to request a server certificate
2) When I got the certificate (as a .CER file), I used IIS Server
Certificate wizard to install the certificate from the .CER file.
3) If I use MMC Certificates snap-in to look at the certificate it shows
"You have the private key".
4) Using MMC Certificates snap-in, I delete the server certificate.
5) Then, using MMC Certificate snap-in, I import the original .CER file
into Local Computer, Personal store again.

Now, if I use MMC Certificate snap-in to look at the certificate in
Local Computer, Personal, the area where it said "You have the private
key" is BLANK (i.e., it thinks that the private key is not there).


The reason that I'm asking this is that I was doing some testing of
something else, and all of a sudden, the private key was missing. I
don't know exactly what I was doing (you know how it is when you're
testing), but I found that the above steps seem to reproduce the
condition of making the private key disappear.

I'm trying to understand this so that I can avoid this in the future, so
I hope that someone out there knows????


Thanks in advance!!

Jim
 
No, deleting the cert does not delete the private key. To delete the
private key, you have to export the key and delete or manually delete the
actual key file from the file system.
 
The Certificates panel's "Export" dialog has a checkbox:
"Delete the private key if the export is successful"
which is *unchecked* by default (so private key container persists).

If you didn't check that box, you can use this web tool (requires CAPICOM)
to remove the unwanted key container (listed at bottom of page):
http://pages.istar.ca/~neutron/KeyContainerTool
The way this utility works is that any keycontainers (which contain protected
asymmetric keypairs) NOT currently associated with a certificate are listed
at end of display. So, if you look at the display, then delete a cert *without* deleting
the private key, and look at the display again, you will see a new keycontainer listed
at the bottom. That is the one you want to delete using the supplied text-field.

- Michel Gallant
Visual Security MVP
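
Added example, not part of the original thread and not Michel Gallant's tool: on a current Windows system, PowerShell can show which certificates in Local Computer, Personal are linked to a key container and which machine key files no certificate in that store references. It assumes Windows PowerShell 5.1, an elevated prompt, legacy CryptoAPI (CSP) RSA keys in the default MachineKeys directory, and a placeholder thumbprint in the final comment.

```powershell
# Added example (assumptions: Windows PowerShell 5.1, elevated prompt,
# legacy CryptoAPI/CSP RSA keys; CNG keys are stored elsewhere and are
# reported here without a container name).
$storePath   = 'Cert:\LocalMachine\My'
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# Map of key container file name -> thumbprint of the cert that points at it.
$linked = @{}

$report = foreach ($cert in Get-ChildItem -Path $storePath) {
    $container = $null
    if ($cert.HasPrivateKey) {
        try {
            # For CSP keys this is the file name under MachineKeys.
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if ($container) { $linked[$container] = $cert.Thumbprint }
        } catch {
            # Key exists but is not readable as a CSP key (CNG key, or no
            # read permission on the key file).
            $container = '(not readable as a CSP key)'
        }
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        # False corresponds to the snap-in not showing
        # "You have a private key" for this certificate.
        HasPrivateKey = $cert.HasPrivateKey
        KeyContainer  = $container
    }
}
$report | Format-Table -AutoSize

# Key files that no certificate in LocalMachine\My references. These are
# only candidates: certificates in other stores and services such as IIS
# also keep keys in this directory, so review before deleting anything.
Get-ChildItem -Path $machineKeys -File -Force |
    Where-Object { -not $linked.ContainsKey($_.Name) } |
    Select-Object Name, LastWriteTime |
    Format-Table -AutoSize

# If a re-imported .CER shows HasPrivateKey = False while its key file is
# still present, certutil can try to rebuild the link between them:
#   certutil -repairstore My "<thumbprint-placeholder>"
```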

 
Michael and David,

I think that I may've figured out what I did. If you could confirm this,
I'd appreciate it!

Basically, I think that in the process of my testing, I went ahead and used
IIS to create a new certificate request. I think that in doing this, it
deleted the private key for the certificate that I'd gotten from my CA
(which was also the result of an earlier IIS certificate request).

Does this make sense?





 
I don't think that is what happened. But if you delete the cert and re-import
again, it *may* get re-associated with the original private key which was not
deleted.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

 
David,

Thanks.

In any event, I went through a new certificate request cycle, and got a
new cert from our CA, and it's working now.

BTW, have you, or anyone else from MS who monitors these security NGs
taken a look at the thread that I've posted re. a possible bug with the
way that either IIS or CryptoAPI handles "Trusted" CAs? No one is
responding to that, and so I've sent email to (e-mail address removed) (not
sure if that is still working), and posted to the Security webpage on
MS.




 
Michel,

BTW, when I use IE to go to the link for your KeyContainerTool, I am
getting an error:

Line 85: Object doesn't support this property or method:
'document.aplets(...).getAllCUContainers'

Any idea why, and how to fix this?

Thanks!




 
What OS and what version of IE are you using?
That method uses a scripted method into a signed Java applet, and
requires you have the Microsoft JVM.
To detect which JVM your browser is currently using, what does
this page indicate:
http://pages.istar.ca/~neutron/detectjvm

Thanks,
- Mitch

 
Michel,

It says: Version: 1.4.2, JVM Version: Sun Microsystems Inc.

Machine is Win2K SP4, IE 6.0.

Jim




 
OK, that's the problem. Your IE is configured to use Sun's Java Virtual Machine.
With W2k, you should already have the Microsoft JVM there. (Note that many
XP boxes will not have MS JVM by default!, and certainly not W2003 server+)

Here is a tool which should allow you to configure (toggle) between Sun or
Microsoft JVM:
http://pages.istar.ca/~neutron/SelectIEJVM/

Alternatively, if you don't feel comfortable running my hta utility,
in IE6, you can change the same setting via:
Tools | Internet Options | Advanced
and uncheck the box under "Java (Sun)" hive called:
"Use Java 2 v1.4.2 for ....".
Then restart IE and the KeyContainerTool should work properly.

Cheers,
- Mitch

 
Michel,

Did it both ways, and still getting the exact same error :(.

FYI, here's what Java console is showing:

java.lang.ClassFormatError: KeyContainerTool (Bad magic number)
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at sun.applet.AppletClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadCode(Unknown Source)
    at sun.applet.AppletPanel.createApplet(Unknown Source)
    at sun.plugin.AppletViewer.createApplet(Unknown Source)
    at sun.applet.AppletPanel.runLoader(Unknown Source)
    at sun.applet.AppletPanel.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)


Any idea what's going on????




Michel said:
OK, that's the problem. Your IE is configured to use Sun's Java Virtual Machine.
With W2k, you should already have the Microsoft JVM there. (Note that many
XP boxes will not have MS JVM by default!, and certainly not W2003 server+)

Here is a tool which should allow you to configure (toggle) between Sun or
Microsoft JVM:
http://pages.istar.ca/~neutron/SelectIEJVM/

Alternatively, if you don't feel comfortable running my hta utility,
in IE6, you can change the same setting via:
Tools | Internet Options | Advanced
and uncheck the box under "Java (Sun)" hive called:
"Use Java 2 v1.4.2 for ....".
Then restart IE and the KeyContainerTool should work properly.

Cheers,
- Mitch

Ohaya said:
Michel,

It says: Version: 1.4.2, JVM Version: Sun Microsystems Inc.

Machine is Win2K SP4, IE 6.0.

Jim




Michel said:
What OS and what version of IE are you using?
That method uses a scripted method into a signed Java applet, and
requires you have the Microsoft JVM.
Do detect which JVM your browser is currently using, what does
this page indicate:
http://pages.istar.ca/~neutron/detectjvm

Thanks,
- Mitch

Michel,

BTW, when I use IE to go to the linke for your KeyContainerTool, I am
getting an error:

Line 85: Object doesn't support this property or method:
'document.aplets(...).getAllCUContainers'

Any idea why, and how to fix this?

Thanks!




Michel Gallant wrote:

The Certificates panels "Export" dialog has a checkbox:
"Delete the private key if the export is successful"
which is *unchecked* by default (so private key container persists).

If you didn't check that box, you can use this web tool (requires CAPICOM)
to remove the unwanted key container (listed at bottom of page):
http://pages.istar.ca/~neutron/KeyContainerTool
The way this utility works is that any keycontainers (which contain protected
asymmetric keypairs) NOT currently associated with a certificate are listed
at end of display. So, if you look at the display, then delete a cert *without* deleting
the private key, and look at the display again, you will see a new keycontainer listed
at the bottom. That is the one you want to delete using the supplied text-field.

- Michel Gallant
Visual Security MVP

No, deleting the cert does not delete the provate key. to delete the
provate key, you have to export the key and delete or manually delete the
actual key file from the file system.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

 
After toggling the JVM setting, does the detectJVM page show
the MS JVM is active?
Do you get a security dialog when the KeyContainerTool page loads?

FYI, my system is W2k sp4 fully patched; IE6
SelectIEJVM shows: MS JVM Version: 5.0.3810.0

- Mitch

Ohaya said:
Michel,

Did it both ways, and still getting the exact same error :(.

FYI, here's what Java console is showing:

java.lang.ClassFormatError: KeyContainerTool (Bad magic number)

at java.lang.ClassLoader.defineClass0(Native Method)

at java.lang.ClassLoader.defineClass(Unknown Source)

at java.security.SecureClassLoader.defineClass(Unknown Source)

at sun.applet.AppletClassLoader.findClass(Unknown Source)

at java.lang.ClassLoader.loadClass(Unknown Source)

at sun.applet.AppletClassLoader.loadClass(Unknown Source)

at java.lang.ClassLoader.loadClass(Unknown Source)

at sun.applet.AppletClassLoader.loadCode(Unknown Source)

at sun.applet.AppletPanel.createApplet(Unknown Source)

at sun.plugin.AppletViewer.createApplet(Unknown Source)

at sun.applet.AppletPanel.runLoader(Unknown Source)

at sun.applet.AppletPanel.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)


Any idea what's going on????




Michel said:
OK, that's the problem. Your IE is configured to use Sun's Java Virtual Machine.
With W2k, you should already have the Microsoft JVM there. (Note that many
XP boxes will not have MS JVM by default!, and certainly not W2003 server+)

Here is a tool which should allow you to configure (toggle) between Sun or
Microsoft JVM:
http://pages.istar.ca/~neutron/SelectIEJVM/

Alternatively, if you don't feel comfortable running my hta utility,
in IE6, you can change the same setting via:
Tools | Internet Options | Advanced
and uncheck the box under "Java (Sun)" hive called:
"Use Java 2 v1.4.2 for ....".
Then restart IE and the KeyContainerTool should work properly.

Cheers,
- Mitch

 
Michel,

Yes, it shows the same version MS JVM as yours (5.0.3810.0).

No, I didn't (I don't think) get a security dialog when the page loads.

I think that I'm updated at least through earlier today :).




 
Hi Michel,

Despite the fact that I've run your JVM setter multiple times, and also
set it in IE itself, I noticed that when I use the "dump system
properties" from Java console (which is still popping up, BTW), it shows
the following lines:

java.vendor = Sun Microsystems Inc.
java.vendor.applet = true
java.vendor.url = http://java.sun.com/
java.vendor.url.applet = true
java.vendor.url.bug = http://java.sun.com/cgi-bin/bugreport.cgi
java.version = 1.4.2
java.version.applet = true
java.vm.info = mixed mode
java.vm.name = Java HotSpot(TM) Client VM
java.vm.specification.name = Java Virtual Machine Specification
java.vm.specification.vendor = Sun Microsystems Inc.
java.vm.specification.version = 1.0
java.vm.vendor = Sun Microsystems Inc.
java.vm.version = 1.4.2-b28

BTW, in the code on your page, in "Sub Initialize", you call
GetAllCUContainers, but there is no GetAllCUContainers. There is a
GetAllContainers, but no GetAllCUContainers.



 
Ohaya said:
Hi Michel,

Despite the fact that I've run your JVM setter multiple times, and also
set it in IE itself, I noticed that when I use the "dump system
properties" from Java console (which is still popping up, BTW), it shows
the following lines:

java.vendor = Sun Microsystems Inc.
java.vendor.applet = true

For some reason, your setting is not using the MS JVM. Not sure why.
Can anyone else confirm this problem in W2k system? (or other system)?

Did you try to change the setting using the Tools | Internet Options | Advanced
instead of the hta script??

Ohaya said:
BTW, in the code on your page, in "Sub Initialize", you call
GetAllCUContainers, but there is no GetAllCUContainers. There is a
GetAllContainers, but no GetAllCUContainers.

The actual call is:
Containernames = document.applets(0).getAllCUContainers()
which calls the getAllCUContainers() method, which is contained in
the Java applet, not a script method.

- Michel Gallant
 
I seem to recall someone else had this problem, and they had to
remove some registry settings and let IE recreate them.

Let's focus on what you want to do. Is it just the delete key container
functionality that you want?
- Mitch
 
Michel,

If you recall, the situation that caused me to make the original post was
that a private key had "disappeared", and I was trying to figure out what
happened. I think that you thought that your tool would allow me to see if
the private key had been "orphaned", and to maybe delete it.

BTW, if you can dig up any info on that situation you recalled, could you
post it? I know that this is off-topic, but now that I'm running into this
problem (not being able to switch to the MS JVM), it kind of bugs me.

Thanks!
 
Michel,

Did you remove the page for the link you posted? I uninstalled the Sun
JVM, and thought that I'd try again, but now I'm getting an HTTP 404
error...
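
The check the thread attributes to the KeyContainerTool (listing key containers that no certificate points to) can be approximated for the Local Computer stores with a read-only script. This is an added example, not part of the original thread and not Michel Gallant's tool; it assumes an elevated PowerShell session on a current Windows system and the default machine key directories, and the helper name `Get-KeyFileName` is hypothetical.

```powershell
# Added example: read-only report, nothing is deleted or modified.
# Assumptions: elevated session, default machine key directories, RSA keys.
$X509   = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$RsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",  # legacy CSP (CryptoAPI) machine keys
    "$env:ProgramData\Microsoft\Crypto\Keys"               # CNG key storage provider machine keys
)

# Hypothetical helper: return the on-disk key file name a certificate is linked to.
function Get-KeyFileName {
    param($Cert)
    if (-not $Cert.HasPrivateKey) { return $null }   # certificate only, e.g. a re-imported .CER
    try {
        $rsa = $RsaExt::GetRSAPrivateKey($Cert)
    } catch {
        return '<unreadable>'                        # link exists but the key could not be opened
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return $rsa.Key.UniqueName
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    return '<non-RSA key>'
}

# Walk every Local Computer store so a key used from another store is not misreported.
$certs = Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_ -is $X509 }

$referenced = @{}   # key file name -> $true (hashtable keys are case-insensitive)
$rows = foreach ($c in $certs) {
    $file = Get-KeyFileName $c
    if ($file) { $referenced[$file] = $true }
    [pscustomobject]@{
        Store         = ($c.PSParentPath -split '\\')[-1]
        Subject       = $c.Subject
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey
        KeyFile       = $file
    }
}

# Key files that no certificate in any Local Computer store refers to.
$unreferenced = foreach ($dir in $keyDirs) {
    Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $referenced.ContainsKey($_.Name) } |
        Select-Object @{ n = 'Directory'; e = { $dir } }, Name, LastWriteTime
}

'Certificates in Local Computer\Personal:'
$rows | Where-Object Store -eq 'My' | Format-Table -AutoSize

'Key files not referenced by any Local Computer certificate:'
$unreferenced | Sort-Object LastWriteTime | Format-Table -AutoSize
```

A file listed as unreferenced is only a candidate, because services also keep keys in these directories without a certificate in any store. When a re-imported .CER shows `HasPrivateKey` as False but its key file is still present, `certutil -repairstore my <serial number>` re-links the certificate to the existing key.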
 