Re: X509 Certificate encryption problem

From: Hervey Wilson [MSFT] (herveyw.nospam_at_nospam.microsoft.com)
Date: 09/27/04


Date: Mon, 27 Sep 2004 08:05:36 -0700

Oldman wrote:
> I understand about that problem. However, I have installed my certificates
> that were created with makecert.exe in exactly the same way as my other test
> certificates (WSE test certs and Verisign cert) and it still doesn't work. I
> have also configured my Web service to look in the local machine store not
> the personal store and given access to the certificates to the ASP .NET user
> account. I have even tried giving complete access to Everyone for the private
> key storage and it still doesn't work.
>
> Are you sure it has nothing to do with the fact that I am creating my own
> certificates with Makecert?
>
> Thanks,
>
> Oldman
>
>
>
> "Hervey Wilson [MSFT]" wrote:
>
>
>>It doesn't work because the ASP.NET process is not running with your userid.
>>Under Win2k and WinXP, ASP.NET runs as the ASPNET user account (typically)
>>and does not have a personal certificate store. Server certificates (with
>>private keys) should be stored in the LocalMachine store. For the client to
>>access this certificate, it should also be imported (without private key)
>>into either the client's Personal store or Other People store. For Win2003,
>>the ASP.NET process generally runs as Network Service; follow the same rules
>>as above to install the certificates.
>>
>>The error message below means that the server was unable to locate the
>>certificate used to encrypt the message: the client sends a reference to
>>this certificate and the server must be able to retrieve it from its store:
>>your Personal store is not accessible to the server, hence the error
>>message.
>>
>>If you need more information, the details of installation of certificates are
>>covered in both the documentation and the readme file for the samples.
>>
>>--
>>This posting is provided "AS IS", with no warranties, and confers no rights.
>>
>>
>>"Oldman" <Oldman@discussions.microsoft.com> wrote in message
>>news:882AEAE2-0DFF-43E9-BDD1-D528E1F4B350@microsoft.com...
>>
>>>I have created a self signed certificate and installed it into the root
>>>certificate store.
>>>I have then created two other certificates (a client certificate and
>>>server
>>>certificate) and signed them with the self signed certificate. I
>>>installed
>>>these into the personal store.
>>>When I encrypt the SOAP message using the server certificate and send it
>>>to
>>>the server I get the following error message:
>>>
>>>Microsoft.Web.Services2.Security.SecurityFault: Referenced security token
>>>could not be retrieved at
>>>Microsoft.Web.Services2.Security.EncryptedKey.LoadXml(XmlElement element)
>>>at
>>>Microsoft.Web.Services2.Security.EncryptedKey..ctor(XmlElement element) at
>>>Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element) at
>>>Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope
>>>envelope) at
>>>Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope
>>>envelope)
>>>at
>>>Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage
>>>message)
>>>
>>>
>>>Why doesn't this work?
>>>
>>>Thanks,
>>>
>>>Oldman
>>
>>
>>

There could be a couple of things going on here.

How did you install the certificates into the various stores? The usual
method is to import them using the MMC; however, this also allows
you to copy/paste certificates between stores. If you use the copy/paste
method, we suspect that the MMC only copies the certificate, not the
private key, and this can lead to errors at runtime.

You also need to have allowTestRoot enabled in your config file; the
error above doesn't indicate that this is the problem but it's worth
checking.

Finally, if you've tried to do this several times using makecert
generated certificates, I'd suggest that you take the time to clean up
the stores and then import again from scratch.

-- 
This posting is provided "AS IS", with no warranties, and confers no rights.
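The two points made in this thread (the server certificate must live in the LocalMachine Personal store, and the worker-process account must be able to open its private key, which a copy/paste in the MMC may not carry across) can be checked directly rather than inferred from the "Referenced security token could not be retrieved" fault. The following diagnostic is an added example, not code from either poster or from WSE; it assumes .NET 2.0 or later for the System.Security.Cryptography.X509Certificates.X509Store API, and the subject name "WSE2QuickStartServer" is a placeholder to replace with the CN of your own makecert certificate.

```csharp
// Added diagnostic (not from the thread). Assumes .NET 2.0+ (System.Security.dll).
// Run it under the same identity as the ASP.NET worker process (ASPNET on
// Win2k/WinXP, Network Service on Win2003) to confirm that the server can
// (a) find the certificate in LocalMachine\My and (b) actually open its key.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertStoreCheck
{
    // Placeholder subject: substitute the CN of your makecert server certificate.
    const string SubjectName = "WSE2QuickStartServer";

    static int Main()
    {
        Console.WriteLine("Running as: " + Environment.UserName);
        return CheckStore(StoreLocation.LocalMachine, SubjectName) ? 0 : 1;
    }

    // Returns true only if a certificate with the given subject is present in the
    // Personal ("My") store of the given location AND its private key can be opened.
    static bool CheckStore(StoreLocation location, string subject)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subject, false);
            if (found.Count == 0)
            {
                Console.WriteLine("{0}\\My: no certificate with subject '{1}'", location, subject);
                return false;
            }

            bool ok = false;
            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine("Found {0}, thumbprint {1}", cert.Subject, cert.Thumbprint);

                // HasPrivateKey is false when only the certificate was copied into
                // the store (e.g. MMC copy/paste), which is the failure mode above.
                if (!cert.HasPrivateKey)
                {
                    Console.WriteLine("  no private key attached (public certificate only)");
                    continue;
                }

                try
                {
                    // Reading PrivateKey opens the CSP key container; it throws a
                    // CryptographicException when the current account has no ACL on it.
                    AsymmetricAlgorithm key = cert.PrivateKey;
                    Console.WriteLine("  private key accessible ({0} bits)", key.KeySize);
                    ok = true;
                }
                catch (CryptographicException ex)
                {
                    Console.WriteLine("  private key present but not accessible: " + ex.Message);
                }
            }
            return ok;
        }
        finally
        {
            store.Close();
        }
    }
}
```

If the tool reports the certificate as found with its key accessible when run under the worker-process account, the store side is fine and the remaining suspect is the WSE configuration: the test-root setting the reply refers to is, for WSE 2.0, the `allowTestRoot` attribute on the `<x509>` element under `<microsoft.web.services2><security>` in web.config, alongside `storeLocation="LocalMachine"` (element and attribute names as I recall them from the WSE 2.0 configuration schema; verify against the WSE documentation shipped with your version). If the tool finds the certificate but cannot open the key, the key container ACL is the problem, and importing again from the .pfx rather than copy/pasting between stores, as the reply suggests, is the fix.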

