Where Is an SSL Private Key Stored

Tags: exchange, private-key, ssl-certificate

My particular situation applies to Windows, but I welcome knowing how this would differ from other practical applications. The subsets contain information that I'm basing my logic on; please correct them if I am mistaken.

Here is what I'm doing:

  1. From Exchange Management Shell, I generate a certificate request.
    i. At this point, a private key is generated.
  2. I approve the request on the Certificate Authority.
    i. The CA never sees my private key.
  3. I obtain the certificate (.cer) from the CA and install it to the local machine certificate store.
    i. The private key is automatically merged with the corresponding certificate.

In step one: Where does the private key currently reside?

In step three: Does the private key still reside in the same location as in (1), or is it now only present within the certificate?
How can you merge this private key with the certificate other than importing it into the store?

Best Answer

For the most part key+certificates are stored in the registry. This Microsoft article covers many of the paths, and here is a blog about certificate locations.

A few per-user key+certificate pairs get stored on the filesystem. See

Documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates
Users\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates

If you don't want to use the Exchange Management Shell there are many tools to manage certificates. The linked article mentions Certutil, or you could open up the Certificate Manager console.

I don't know all the details about how exactly Windows physically stores the keys and certificates, but you can certainly create a private key using a tool like OpenSSL, create a signing request and forward that to a CA. Once you get the certificate from the CA, you can import the private key and certificate into Windows. Typically you would do this by converting the key and certificate into a pkcs12 file and importing that.

In the pkcs12 file and some other formats, the key and certificate may be stored in the same registry blob or the same file, but they will always be separate entities; with the correct tools you will be able to extract and separate them.
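Since the answer stresses that the key and the certificate remain separate entities even after import, here is an added example (not from the original answer or from Microsoft) that lists, for every certificate in the local machine "My" store that has a private key, which provider holds the key, whether it is marked exportable, and the on-disk file the key blob lives in. It assumes Windows PowerShell 5.1 or later and the default key directories of the Microsoft software providers; the function name `Get-PrivateKeyLocation` is mine.

```powershell
# Added example: audit where the private key behind each machine certificate lives.
# Assumes the default Microsoft software key-storage directories; hardware or
# smart-card providers keep the key elsewhere and report no file.
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",  # legacy CSP (RSA) machine keys
    "$env:ProgramData\Microsoft\Crypto\Keys"              # CNG key storage provider machine keys
)

function Get-PrivateKeyLocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $null }

    # Returns RSACng for CNG-backed keys, RSACryptoServiceProvider for legacy CSP keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $uniqueName = $rsa.Key.UniqueName
        $provider   = $rsa.Key.Provider.Provider
        $exportable = ($rsa.Key.ExportPolicy -ne 'None')
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info       = $rsa.CspKeyContainerInfo
        $uniqueName = $info.UniqueKeyContainerName
        $provider   = $info.ProviderName
        $exportable = $info.Exportable
    } else {
        return [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject
                                  Provider = '(non-RSA key)'; Exportable = $null; File = $null }
    }

    # The unique container name is the file name of the key blob on disk.
    $file = $null
    foreach ($dir in $keyDirs) {
        $candidate = Join-Path $dir $uniqueName
        if (Test-Path $candidate) { $file = $candidate; break }
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Provider   = $provider
        Exportable = $exportable
        File       = $file   # $null when the key is not held by a software provider
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object HasPrivateKey |
    ForEach-Object { Get-PrivateKeyLocation $_ } |
    Format-Table -AutoSize
```

Run it from an elevated prompt, since opening a machine key handle requires read access to the key container; a certificate whose `Exportable` is `False` is one whose key can only leave the machine by backup of the key store itself, not by a PFX export.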