Does the public key change?
hi!
if we talk about a certificate, what we have is:
private key, public key, certificate information signed by CA
during the renewal there is possibility to reuse private key. i read some scenarios why to do that and i think i understand the idea.
the question is: if we choose to reuse private key
does the public key change or is it reused as well? is the public key related to certificate information [is it some kind of certificate hash?]
and just to be sure that i understand:
after renewing with the same private key there might be a situation where some ppl still have the old public key/old certificate. i somehow need to distribute the new public key - right?
after renewing the cert with the same private key, will i be able to decrypt/verify data signed by both public keys [if there are two]: old one and new one?
-o((: nExoR :))o-
June 5th, 2012 4:15am
> does the public key change or is it reused as well?
No. Public and private keys are mathematically associated, so when you encrypt data by using one key, the opposite key can decrypt it. Therefore, if you change either key (public or private), a new opposite key is required.
> is the public key related to certificate information [is it some kind of certificate hash?]
Public key is a mandatory field of any X509 certificate.
> after renewing with the same private key there might be situation that some ppl still have old public key/old certificate. i somehow need to distribute new public key - right?
No. If you decide to reuse the keys, then both keys remain the same.
> after renewing cert with the same private key i will be able to decrypt/verify data signed by both public keys [if there are two]: old one and new one?
The question is incorrect. As said, for any key (public or private, it really doesn't matter) there exists only one opposite key due to complex mathematical algorithms. Therefore it is not possible to have one private key and 2 or more public keys.
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
June 5th, 2012 5:39am
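The point made in the answer above, shown as an added example that is not part of the original thread: two certificates built over one key pair carry the same public key but differ in thumbprint and serial number, and the single private key serves both. It assumes PowerShell 7 or later; the subject name and the two self-signed certificates are constructed stand-ins for a CA-issued certificate and its same-key renewal.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Constructed demo data: ONE RSA key pair, reused for both certificates.
$rsa = [RSA]::Create(2048)
$subject = 'CN=renewal-demo.example'   # hypothetical subject name
$req = [CertificateRequest]::new($subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

# "Old" certificate and its "renewal": same key, different validity and serial.
$now     = [DateTimeOffset]::UtcNow
$old     = $req.CreateSelfSigned($now.AddYears(-1), $now.AddDays(30))
$renewed = $req.CreateSelfSigned($now, $now.AddYears(1))

# SHA-256 over the raw public key bytes stored in the certificate.
function Get-PublicKeyHash([X509Certificate2]$Cert) {
    $sha = [SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Cert.GetPublicKey())) -replace '-' }
    finally { $sha.Dispose() }
}

# Thumbprint and serial identify the certificate; PublicKeySha256 identifies the key.
$old, $renewed |
    Select-Object Thumbprint, SerialNumber, NotAfter,
        @{ Name = 'PublicKeySha256'; Expression = { Get-PublicKeyHash $_ } } |
    Format-List

'Same public key : {0}' -f ($old.GetPublicKeyString() -eq $renewed.GetPublicKeyString())
'Same thumbprint : {0}' -f ($old.Thumbprint -eq $renewed.Thumbprint)

# Data encrypted to the OLD certificate's public key is decrypted with the one private key.
$plain  = [Text.Encoding]::UTF8.GetBytes('sent to the old certificate')
$oaep   = [RSAEncryptionPadding]::OaepSHA256
$cipher = [RSACertificateExtensions]::GetRSAPublicKey($old).Encrypt($plain, $oaep)
'Decrypted       : {0}' -f [Text.Encoding]::UTF8.GetString($rsa.Decrypt($cipher, $oaep))

# A signature made with the private key is checked against each certificate's public key.
$sig = $rsa.SignData($plain, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
foreach ($cert in $old, $renewed) {
    $pub = [RSACertificateExtensions]::GetRSAPublicKey($cert)
    $ok  = $pub.VerifyData($plain, $sig, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    'Verifies with {0} : {1}' -f $cert.Thumbprint, $ok
}
```

Applications that pin or look up a certificate by thumbprint still need the renewed certificate, since the thumbprint covers the whole certificate and not only the key.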
Yes, a PEM file may contain a private key. When you export the registry store, you export only the public parts, because private keys are stored on the filesystem and are protected by CSPs. But when you export to PFX (pkcs#12), the private key is exported (in a protected form) with the public certificate.
June 5th, 2012 6:58am


