Moving Keys and Certificates

Your private key and public key certificate are saved on the computer from which you enrolled in the PKI system. For the purposes of web authentication it is possible to enroll more than once, but this can be confusing for other uses of PKI like encryption and digital signature. In those cases it is preferrable to use the same private key and public key certificate on multiple web browsers and computers. This page explains how to move your PKI private key and personal certificate to another web browser or computer. There are 3 steps, exporting the keys to a file, transferring the file and importing the keys into another configuration. Because the applications of a PKI rely on keeping your private key "private", the process for doing this keeps the information encrypted as it is being moved.

The PKCS standards define a format called PKCS #12 for transferring a private key and a public key certificates. (A PKCS #7 file is used to transfer only public key certificates and NOT the private key.) PKCS #12 is supported by Nestcape, Mozilla and versions of Internet Explorer after 5.5. On Windows, the filetype .pfx is a synonym for the .p12 file type used by Netscape/Mozilla. Some older versions of Windows need file extension definitions to be added for ".p12".

A PKCS #12 file includes a password-encrypted envelope to protect the private key. This password is used only for this file and has no connection to the password used to secure your keys in your web browser or operating system key storage. The password is created when you create the .p12 export file and must be provided to decrypt the contents when you import the file somewhere else. The key export and import functions are usually part of the user interface provided to manage certificates in web browser. Be sure to transfer the binary file by a method that doesn't mistakenly convert it to text. This is easy to do since the settings in many programs default to "text" files. The file can be e-mailed as a binary attachment, transferred as a binary file with FTP or copied to and from a removable or shared disk. A copy of a PKCS #12 file containing your provate key and certificate the on a removable disk can be a useful backup if the hard disk on your computer fails.

Certificate Export/Import

Instructions for the most common browsers are provided here. Web Browsers that support personal PKI certificates will have similar features that should be easy to find.

Using Mozilla 1.x and Netscape 7.x on Windows, Mac or Linux:

• select the "preferences" item on the "edit" menu (or "Mozilla" menu on Mac OS X).
• select the category: "Privacy & Security"
• select the sub-category: "Certificates"
• in the window pane to the right, click the "Manage Certificates" button
• click the "Your Certificates" Tab in the displayed window
  • To export:
    • select the certificate
    • click the "Backup" (button)
    • in the dialog "File Name to Backup", enter a file name and choose the format "PKCS 12 Files" in the menu
    • an alert will display the message "Please enter the master password for the Software Security Device"
    • enter the password for your certifcate store to authorize the key transfer.
    • The next window prompts "Choose a Certificate Backup Password". Fill in both blanks with the same password (which protect the keys in transit), click OK
    • Finally an alert reports "Successfully backed up your security certificate(s) and private key(s)"
  • To import:
    • click the "Import" (button)
    • in the dialog, select the file containing the certificate you want to import
    • in response to the alert "supply the password for the .p12 file" provide the .p12 file password
    • in response to the alert "supply the password for your security device" provide the password for your certifcate store

Using Netscape 4.7X on Windows, Mac or Linux

• Click the "Security" button located on your icon bar. If you do not see the "Security" button, use the pull down menus: Communicator -> Tools -> Security Info.
• select the Certificates category on the left
• select the "yours" tab
  • To Export
    • select the desired certificate
    • click the "Export" button
    • an alert will prompt "Please enter the password or the pin for the Communicator Certificate DB"
    • Enter password to be used to protect the data being exported
    • Re-enter the password to confirm it
    • In response to "File Name to Export", enter a name for the file (the file type .p12 is automatically appended)
    • A Confirmation alert "Your Certificates have been successfully exported" is displayed.
  • To Import
    • Click the "Import" a certificate button.
    • in the file dialog that is displayed, select the file containing the certificate you want to import
    • in response to the alert "Enter the "password protecting the data to be imported" supply the password for the .p12 file
    • in response to the alert "Please enter the password or the pin for the Communicator Certificate DB" supply the password for your Communicator Certificate DB

Using Internet Explorer 5.5 and 6.0.x

• To export a certificate, choose the "Tools -> Internet Options" menu item.
• Select the "Content" Tab, then click the "Certificates" button.
• Select the "Personal" Tab
  • To Export
    • Select the certificate you want to export and Click the "Export" button.
    • The Certificate Export Wizard will open, click "next".
    • In the window titled "Export Private Key", choose "Yes, export the private key", click "next"
    • In the "Export File Format" window, choose the radio button for the format "Personal Information Exchange - PKCS #12 (.PFX)"
    • and set the settings as shown below:
      • ( ) include all certificates in the certification path if possible
      • (X) Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above)
      • ( ) Delete the private key if the export is successful
    • click "Next"
    • in the "Password" window, type and confirm a password for the export file, click "next"
    • in the "File to Export" window, specify the name of the file you want to export, click the browse button, to select a folder, fill in the name (save as type Personal Information Exchange *.pfx), click "save", then click "next"
    • a confirmation window "Completing the certificate Export Wizard" reports "You have successfully completed the Cetificate Export Wizard"
    • The window displays "You have specified the following settings", click "Finish"
    • a popup window titled "Exporting your private exchange key!" appears reporting "An application is requesting access to a Protected Item"
    • if a password was assigned for the key (whose name is displayed) when it was saved, enter the password for the Key and click "OK"
    • an alert will report "The export was successful", click OK
• To Import, click the "Import" button
  • The window "Welcome to the Certificate Import Wizard" opens, click "next"
  • In the "File to Import" window, specify the name of the file you want to import, click the browse button to select the folder, then the file name, click "Open", then click "Next"
  • In the "Password" window, type the password for the private key file
    • check the setting "Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option"
    • Check the private key is "exportable" setting if you want to be able to reverse this process
  • click "Next"
  • In the "Certificate Store" window select the option below:
    • (X) Automaticallyselect the certificate store based on the type of certificate
    • ( ) Place all certificates in the following store
  • Click "Next"
  • A window titled "Completing the Certificate Import Wizard" is displayed in which you can review the settings made. Click "Finish"
  • a window titled "Importing a new private exchange key!" will popup.
    • it reports "An Application is creating a Protected item"
    • "Set Security level to Medium [Set Security Level]"
    • click the "Set Security Level" button, choose the protection level, "High" is recommended.
      • High Request my permission with a password when this item is to be used
      • Medium Request my permission when this item is to be used
      • (disabled) Low
  • Click "Next"
  • the window titled "Importing a new private exchange key!" will return if you selected "High" asking you to "Create a password to protect this item." Fill in a name for the item and create and confirm a password.
    • Password for: [ ]
    • Password: [ ]
    • Confirm: [ ]
  • click "Finish"
  • the window titled "Importing a new private exchange key!" will return, click "OK"
  • Finally the Certificate Import Wizard displays an alert reporting "The import was successful"