Certificate blues

by plykkegaard, 22 February 2011 21:56

Overview

Currently I am trying to figure out how we can implement the OIOSI/RASP Framework (OIO Service oriented Infrastructure/Reliable Asynchronous Secure Profile)

The framework supports reliable, secure e-business using open standards, including components for web service calls, non-repudiation, UDDI registries and a standardized subset of the UBL 2.0 business document profile. It is supported for .NET and Java.

Among other things I need to install various certificates for use with services such as IIS to handle encrypted messages, and this has given me some headaches, as I haven't used them much until now.
Obviously the documentation takes the wrong path and is not very well written; haven't we seen that one before once or twice?

Googling around gave me some pieces of advice but not the full picture; by pure luck I found a topic at stackoverflow.com with some comments by Željko Tanovic, and I managed not only to solve but also to understand the problem.

The problem

I had two errors: "key does not exist", because IIS couldn't find the private key file, and "invalid handle", caused by missing user privileges.

The first mistake, being misled by the documentation, was to import into the Personal store and then move the certificate to the LocalMachine store: the private key was installed in the current user's folder and was inaccessible to the IIS service accounts.
The second was missing user privileges, which was straightforward to fix as soon as the first problem was solved.

While troubleshooting you can use FindPrivateKey to get the current location of the private key file. FindPrivateKey is part of the Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4; it takes the store name, the store location and a subject name (-n) or thumbprint (-t) and prints the path of the key container file.

You can add root LocalMachine -t "db e0 d9 a8 1f 2c a2 ed 05 c7 55 81 64 68 a6 72 fb 44 e4 0a" as the command-line arguments on the project's Debug property tab and set the working directory to the path you need.
Please note that the documentation also gives you an extra -c at the end, but this additional parameter causes an if statement to fail and nothing is found.

Folder for private keys when the certificate is imported into the current user's Personal store (Windows XP / Server 2003 paths; on Vista / Server 2008 and later the same folder is %APPDATA%\Microsoft\Crypto\RSA):
C:\Documents and Settings\<user>\Application Data\Microsoft\Crypto\RSA

Folder for private keys when the certificate is imported into the LocalMachine store (on Vista / Server 2008 and later: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys):
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Solution: Import certificates

Steps when importing certificates that are used by services such as IIS:

  • Import the certificate directly into the LocalMachine store (root / Trusted Root Certification Authorities), not via the current user's store
  • Check that the private key file is stored in the MachineKeys folder by using the FindPrivateKey tool
  • Set appropriate user privileges on that key file for your service accounts, e.g. ASPNET and the user account running the application pool (read access is enough for using the key)

Problem solved. Well, at least I can see my web service page in IE.

Update! Instead of all the hassle of setting the access rights manually you can also use the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe)
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=19801

Command line (-g grants access, -c names the store, -s selects the certificate by subject and -a names the Windows account to grant):

C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyWebSite -a DefaultAppPool

Note that -a takes a Windows account name; on IIS 7.5 and later an application pool running as ApplicationPoolIdentity is the virtual account IIS AppPool\<pool name>, on older versions it is typically NETWORK SERVICE or ASPNET.
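The three steps above (import into the machine store, verify where the key container file landed, grant the service account access) and the ACL grant that winhttpcertcfg automates, scripted in Windows PowerShell as an added example that is not code from the original post. It uses the same .NET X509 classes the FindPrivateKey sample is built on. The PFX path, store name and account are assumptions given as parameters; the script must run elevated, and the key lookup only covers CAPI (RSACryptoServiceProvider) containers, which is what a MachineKeySet import of a PFX produces on .NET Framework.

```powershell
# Added example, not from the original post. Assumed placeholders: $PfxPath,
# $StoreName ('My' = Personal; use 'Root' if you follow the post) and $Account.
param(
    [string]$PfxPath   = 'C:\certs\mywebsite.pfx',
    [string]$StoreName = 'My',
    # IIS 7.5+ app pool virtual account; use 'NT AUTHORITY\NETWORK SERVICE' or
    # '<machine>\ASPNET' on older IIS versions.
    [string]$Account   = 'IIS AppPool\DefaultAppPool'
)

$password = Read-Host -Prompt "Password for $PfxPath" -AsSecureString

# Step 1: import with MachineKeySet so the private key is written to
# MachineKeys instead of the importing user's profile. PersistKeySet keeps
# the key container after the X509Certificate2 object is gone.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $password, $flags

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
             -ArgumentList $StoreName, 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Step 2: what FindPrivateKey does - resolve the CAPI key container to its
# file under MachineKeys (or under the user's profile if the import went wrong).
function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key"
    }
    $key = $Certificate.PrivateKey
    if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw "Key is not a CAPI RSA key; this lookup only handles CAPI containers"
    }
    $info = $key.CspKeyContainerInfo
    if ($info.MachineKeyStore) {
        $folder = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
    } else {
        # Per-user keys sit in a SID-named subfolder, hence the recursive search.
        Write-Warning "Key container is in the user profile, not MachineKeys; IIS will report 'key does not exist'"
        $folder = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Crypto\RSA'
    }
    $file = Get-ChildItem -Path $folder -Recurse -Filter $info.UniqueKeyContainerName -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $file) { throw "Key container $($info.UniqueKeyContainerName) not found under $folder" }
    return $file.FullName
}

# Step 3: grant the service account read access to the key file (the part
# winhttpcertcfg -g automates). Read is sufficient for signing/decrypting.
function Grant-KeyRead {
    param([string]$Path, [string]$Account)

    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$keyPath = Get-PrivateKeyPath -Certificate $cert
Grant-KeyRead -Path $keyPath -Account $Account

Write-Host "Imported $($cert.Thumbprint) into LocalMachine\$StoreName"
Write-Host "Private key file: $keyPath"
Write-Host "Granted Read to $Account"
```

If the warning about the user profile appears, the import did not use MachineKeySet (for example the certificate was imported through the current user's MMC console and then dragged across); delete it and re-import rather than copying the key file, since the container file is bound to the user's DPAPI master key.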

Certificates | OIOSI | RASP
