How to Locate Private Key After CSR Generation with certreq on Windows 10 for Node.js Express Server



When using certreq on Windows 10 to generate Certificate Signing Requests (CSRs), many developers are confused about where the private key is stored. Unlike OpenSSL, which explicitly saves the private key to a file, Windows keeps it in its cryptographic store.

The private key is automatically generated during CSR creation but remains hidden in the Windows Certificate Store. To access it:

# PowerShell command to list certificates with private keys
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

To use the key with Node.js Express, you'll need to export it as a PFX/PKCS#12 file:

1. Open mmc.exe → Add/Remove Snap-in → Certificates → Computer account
2. Navigate to Personal → Certificates
3. Right-click your certificate → All Tasks → Export
4. Select "Yes, export the private key"
5. Choose PFX format with strong password protection

For better Node.js compatibility, consider these alternatives:

Using OpenSSL for Windows

openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Node.js Crypto Module

const crypto = require('crypto');
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
});

For production Node.js servers:

  • Never store private keys in version control
  • Use environment variables for key paths
  • Set strict file permissions (400) on key files
  • Consider using hardware security modules (HSMs) for enterprise deployments

When generating a Certificate Signing Request (CSR) using Windows' built-in certreq utility, many developers are confused about the private key location. Unlike OpenSSL, which explicitly saves the private key to a file, Windows keeps it in its certificate store.

The private key is actually generated during CSR creation but remains in the Windows Certificate Store. To find it:

certmgr.msc

Navigate to: Personal > Certificates. The associated private key will be marked with a key icon. Right-click the certificate > All Tasks > Export to save it as a .pfx file with private key.

For Node.js development, you might prefer these alternatives:

Using OpenSSL via Windows Subsystem for Linux

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

PowerShell Approach

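$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -DnsName "yourdomain.com" -KeyUsage KeyEncipherment -KeySpec KeyExchange
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)  # the key pair stays in the certificate store
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new($cert.SubjectName, $rsa, [System.Security.Cryptography.HashAlgorithmName]::SHA256, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)  # needs .NET Framework 4.7.2+ or PowerShell 7
$csr = [System.Convert]::ToBase64String($req.CreateSigningRequest())  # Base64 of the DER-encoded PKCS#10 request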

Once you have your certificate files, here's how to use them in Express:

const https = require('https');
const fs = require('fs');
const express = require('express');

const app = express();

const options = {
  key: fs.readFileSync('server.key'),
  cert: fs.readFileSync('server.crt')
};

https.createServer(options, app).listen(443);

  • Always back up private keys immediately after generation
  • Set proper file permissions (400) on key files
  • Consider using hardware security modules for production environments
  • Never commit private keys to version control
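
The PFX exported from the certificate store can be passed to Node directly through the `pfx` and `passphrase` options of `https.createServer`, without first converting it to `server.key` and `server.crt`. The loader below is an added example, not code from the original page; the environment variable names (`TLS_PFX_PATH`, `TLS_PFX_PASSPHRASE`, `TLS_KEY_PATH`, `TLS_CERT_PATH`) and function names are assumptions, and it also applies the environment-variable and file-permission advice from the lists above.

```javascript
// Added example (not from the original page). Environment variable names are assumptions.
const fs = require('fs');
const crypto = require('crypto');

// Refuse key material that group or other users can access (the "400" advice above).
// POSIX only: Windows does not expose meaningful mode bits, so rely on NTFS ACLs there.
function readSecretFile(path) {
  const mode = fs.statSync(path).mode & 0o777;
  if (process.platform !== 'win32' && (mode & 0o077) !== 0) {
    throw new Error(`${path} has mode ${mode.toString(8)}, expected 400 or 600`);
  }
  return fs.readFileSync(path);
}

// Build the options object for https.createServer() from environment variables.
function loadTlsOptions(env = process.env) {
  if (env.TLS_PFX_PATH) {
    // PFX exported from the Windows store: private key and certificate in one file.
    if (!env.TLS_PFX_PASSPHRASE) throw new Error('TLS_PFX_PASSPHRASE is not set');
    return { pfx: readSecretFile(env.TLS_PFX_PATH), passphrase: env.TLS_PFX_PASSPHRASE };
  }
  if (!env.TLS_KEY_PATH || !env.TLS_CERT_PATH) {
    throw new Error('set TLS_PFX_PATH, or TLS_KEY_PATH and TLS_CERT_PATH');
  }
  const key = readSecretFile(env.TLS_KEY_PATH);
  crypto.createPrivateKey(key); // fail at startup if the PEM is not a usable private key
  return { key, cert: fs.readFileSync(env.TLS_CERT_PATH) };
}

// Usage with the Express app shown above:
//   https.createServer(loadTlsOptions(), app).listen(443);
```

Keeping the passphrase in an environment variable rather than in source keeps it out of version control along with the key file itself.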