
I'm familiar with the process of installing an SSL Certificate in IIS, but recently have received certs from a client consisting of *.p7b/s and *.crt files without having generated the original CSR on my server OR having an exported PFX file from the server that generated the original CSR for the certificate.

As I understand it, the private key is generated and stored locally on the requesting server when the CSR is requested. Then when you complete the request (on the same machine), the chain is completed upon installing the .cer/.crt/*.p7b file you get back from the CA.

Is it possible to install the generated certificate received back from the CA on a different IIS server w/o the private key that was used in the original request? The only reason I'm posting this is that I'm 99% sure that this isn't possible, but I wanted to confirm as I'm not finding a lot of solutions.

I've seen solutions where you can use openssl to generate the pfx file yourself, but that requires the *.key file, which again, I do not have.

Thanks for help.

Skowronek

1 Answer


You are correct that the Private Key is generated when the CSR is created. A lot of people seem to have trouble grasping that concept, but it looks like you understand all of this quite well.

If you did have the private key, along with the corresponding public certificate, yes, you can install them onto other servers/appliances/etc. It does not need to be installed on the machine that performed the CSR. Some systems will want both the key and pub cert in a PFX or similar, and other systems will want you to split them up into a .cer file and a .key file. That is where OpenSSL comes into play.

The short answer here is: Yes, you do need the private key to really do anything.

Dre
  • Thanks. I've already requested the exported PFX from my client, which is normally what I'm used to receiving. – Skowronek Jun 07 '17 at 00:39
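
The point made in this thread, as an added example that is not part of the original question or answer: a PFX for IIS can only be built from the CA-issued certificate when the private key from the original CSR is at hand, and OpenSSL can confirm that a given key belongs to a given certificate before bundling. The file names, the CN, the password and the self-signed stand-in for the CA are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names, CN and password are constructed sample values.

# Succeeds only if the private key ($2) belongs to the certificate ($1).
# Compares the public key inside the cert with the one derived from the key.
key_matches_cert() {
  kmc_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  kmc_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$kmc_cert" = "$kmc_key" ]
}

# Bundle cert ($1) + key ($2) into a PFX ($3, password $4) that IIS can import.
# Refuses to run when the key is not the one the certificate was issued for.
make_pfx() {
  key_matches_cert "$1" "$2" || {
    echo "private key does not match certificate: no PFX" >&2
    return 1
  }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Constructed fixture in directory $1:
#   a.key / a.csr  "server A" generates the key pair and the CSR
#   a.crt          the issued certificate (self-signed here, standing in for the CA)
#   b.key          an unrelated key on "server B", which never saw a.key
make_fixture() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1/a.key" -out "$1/a.csr" \
    -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
    -out "$1/a.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/b.key" 2>/dev/null
}

demo() {
  demo_dir=$(mktemp -d)
  make_fixture "$demo_dir"
  make_pfx "$demo_dir/a.crt" "$demo_dir/a.key" "$demo_dir/a.pfx" 'constructed-pass' &&
    echo "server A: PFX built from a.crt + a.key"
  make_pfx "$demo_dir/a.crt" "$demo_dir/b.key" "$demo_dir/b.pfx" 'constructed-pass' ||
    echo "server B: a.crt alone (or with another key) cannot become a PFX"
  rm -rf "$demo_dir"
}
demo
```

A `.p7b` file carries only certificates, so it changes nothing here: the exported PFX (or the original `.key`) still has to come from the machine that generated the CSR.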