


I'm in the process of connecting to an external server and am making a CSR to receive some certificates from them, and I have some questions regarding this.


Some tutorials state that you should save the private key as this will be used during installation of the certificate. However, when using the Windows certificate manager (certmgr.msc) I think it generates the private key under the hood, and the resulting CSR file does not contain any private key. So in that case I won't have access to any private key at all, unless I can export it from the certificate I receive later? I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store? If that's the case, does the private key have any use besides generating the public key?


I was also wondering about the location the certificate can be used. It seems that the certificate can only be used on the server on which the CSR was created. However, my application will run on Azure, so how can I get a certificate that can be used in the cloud?


Last question: The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?


Appreciate any insight or guidance on this process. There are tons of guides out there, but many of them seem to contradict each other in some way or another.


(certmgr.msc) I think [] generates the private key under the hood,


Correct. You generate the key and CSR, send the latter to the CA, and (we hope!) get back a cert containing your public key and identity (for SSL/TLS your identity is your domain name or names), plus any needed chain certs (usually one intermediate and a root, but this can vary). You import the cert to certmgr, which matches it up with the existing, stored but hidden private key to produce a pair of cert + private key which is now visible and usable.


To use this in a Windows program, like IIS, you also need the chain cert(s), see below, in your store -- for these just the cert(s), not the private key(s), which you don't have and can't get. If you use an established public CA like Comodo, GoDaddy, LetsEncrypt their root is usually already in your store, and if you use a CA run by your employer their root may well be already in your store for other reasons such as email; if not you should add it. The intermediate(s?) may or may not already be in your store, and if not you should add it (them).


I was also under the impression that a private key is not needed for installation of the certificate as it is just imported into the certificate store?


It is needed, but you don't provide it, because it's already there.


It seems that the certificate can only be used on the server on which the CSR was created. However, my application will run on Azure, so how can I get a certificate that can be used in the cloud?


Initially, it is usable only on the system where the CSR and private key were generated. But using certmgr you can export the combination of the certificate and private key, and optionally the cert chain (which the export wizard calls 'path'), to a PKCS12/PFX file. That file can be copied to and imported on other Windows systems and/or used by or imported to other types of software like Java (e.g. Tomcat and JBoss/WildFly), Apache, Nginx, etc.


Note however that the domain name or names, or possibly a range of names matching a (single-level) wildcard, that you can use the cert for is determined when the cert is issued and can't be subsequently changed (except by getting a new cert).


The certificate provider supplies three certificates, one root, one intermediate and one "actual" certificate. What is the purpose of these different certificates?


Certificate Authorities are arranged in a hierarchy. Running -- particularly securing -- a root CA is difficult and expensive. As a result certs for end-entities (like you) are not issued directly by the root, but by a subordinate or intermediate CA. Sometimes there is more than one level of subordinate or intermediate. Thus when your server uses this certificate to prove its identity, in order for the browser or other client to validate (and thus accept) your cert you need to provide a 'chain' of certificates, each one signed by the next, which links your cert to the trusted root. As I said, one intermediate is common; this means your server needs to send its own cert, which is signed by the key in the intermediate, plus the intermediate cert, which is signed by the key in the root. The root needn't actually be sent, because the client already has it in their truststore, but it may be, and it is also desirable to validate the chain yourself before using it and for that you need to have the root even if you don't send it.
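As an added example (not code from the question or the answer above), the following Go program, using only the standard library, walks through both halves of the answer in one place: it builds a constructed root -> intermediate -> leaf hierarchy, has the "server" generate a private key and a CSR that carries only the public key, lets the intermediate issue the leaf from that CSR, and then shows (a) the pairing check certmgr performs between the issued cert and the private key that never left the machine, and (b) a client's chain validation, which succeeds only when the intermediate is supplied alongside the leaf. The CA names, serial numbers and the hostname www.example.test are constructed values. It deliberately stops short of the PKCS12/PFX export step, which Go's standard library does not provide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed in-memory hierarchy root -> intermediate -> leaf, the leaf issued from a CSR.
type DemoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
	CSR                      *x509.CertificateRequest
	LeafKey                  *ecdsa.PrivateKey // stays on the "server"; the CA never sees it
}

func must(err error) { if err != nil { panic(err) } }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// caTemplate describes a CA certificate; the serial numbers used here are constructed values.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// issue signs tmpl (carrying pub) with signer, parent's private key; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

func BuildDemoPKI() *DemoPKI {
	rootKey, interKey := newKey(), newKey()
	rootTmpl := caTemplate("Demo Root CA", 1)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate("Demo Intermediate CA", 2), root, &interKey.PublicKey, rootKey)

	// Server side (what certmgr does under the hood): make the key pair, then a CSR that
	// carries only the public key and the requested names, signed with the private key.
	leafKey := newKey()
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "www.example.test"}, // constructed hostname
		DNSNames: []string{"www.example.test"},
	}, leafKey)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)

	// CA side: the intermediate (not the root) issues the leaf for the CSR's public key and names.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	leaf := issue(leafTmpl, inter, csr.PublicKey, interKey)
	return &DemoPKI{Root: root, Intermediate: inter, Leaf: leaf, CSR: csr, LeafKey: leafKey}
}

// KeyMatchesCert is the pairing certmgr does on import: the cert's public key must equal
// the public half of the private key that is already (hidden) in the store.
func KeyMatchesCert(key *ecdsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// VerifyChain is the client's view: path-build from leaf to a trusted root using only the
// intermediates the server sent (nil shows the failure when the intermediate is omitted).
func VerifyChain(leaf, root *x509.Certificate, intermediates []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	p := BuildDemoPKI()
	fmt.Println("CSR signed by our private key:", p.CSR.CheckSignature() == nil)
	fmt.Println("issued cert pairs with stored key:", KeyMatchesCert(p.LeafKey, p.Leaf))
	fmt.Println("verify, intermediate omitted:", VerifyChain(p.Leaf, p.Root, nil, "www.example.test"))
	fmt.Println("verify, intermediate sent:", VerifyChain(p.Leaf, p.Root, []*x509.Certificate{p.Intermediate}, "www.example.test"))
}
```

Run it and the third line prints an "unknown authority" error while the fourth prints `<nil>`: the root is in the trust store, but without the intermediate the client cannot link the leaf to it, which is exactly why the server must send the intermediate cert along with its own. The hostname check also fails for any name not in the cert's DNSNames, matching the note above that the names are fixed at issuance.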