I am evaluating CTW with a custom CA.
When providing a CSR and specifying a deployment task to export the “PFX” or “Full Certificate Chain including private key” the exported data contains a private key which does, and apparently cannot, has any corresponding public key in the certificate chain.
What is this private key used for? In my opinion the exported data should not contain any private key when providing a CSR.
Thanks in advance!
Hi, thanks for raising this. The export task is distinct to the certificate creation process, so it just sees the resulting PFX and exports it into component parts, it doesn’t know there was Custom CSR. You can either set a Custom Private Key (where you set the Custom CSR) to set the correct key, or just discard the key file that gets exported.
The custom CSR feature is so very rarely used (it was only really added to support SAP) that it’s unlikely we would refine that a lot more at this stage, and we would more likely just update our documentation to mention this quirk.
Out of interest, why are you using a Custom CSR?
Thanks for the reply!
For example when the certificates private key resides on a HSM, as it should 
Take the following just as my opinion:
I really advise to not export any private key in this case. I do not even understand why a private key is generated in the first place. The change should be as easy as checking if a CSR is provided and then to not generate a private key. The export process then could take a parameter to check if the private key was generated. This should be easily possible as at the certificate creation process is known if a CSR was provided or not.
And how would that be documented? To formulate it intentionally negative: “When providing a CSR without its corresponding private key CTW certificate export format contains a private key which is completely unrelated to the process. This is due to CTW internal structure.”
Do not get me wrong, I highly appreciate the work your doing with CTW! But I hope you understand my point and may adjust CTW accordingly.
Thanks, we’ll give that some further consideration