RE: X509 Cert Services Cert



Hi Alex,

Not sure if this is the answer, but it helped me in a similar situation.
Taken from:
"HOL202 Exploring WSE 3.0 Security" Hands-On Lab

8. Ensure that the web service will have access to its private key in the
certificate store. This is an important step – if you forget to do this,
clients will likely see faults including rather cryptic error messages such
as “Bad Key”.
a. Run the WseCertificate3.exe tool which can be found in the \Program
Files\Microsoft WSE\v3.0\Tools directory.
b. For Certificate Location, choose Local Computer.
c. For Store Name choose Personal.
d. Click Open Certificate and you should see the WSE2QuickStartServer
certificate that you installed a few steps ago. Select it and press OK.
e. Press View Private Key File Properties to bring up the properties for the
private key for the certificate. Select the Security tab.
f. If you’re running on Windows XP, your web service will run under the
ASPNET local account by default, so grant read access to that account by
pressing Add, typing ASPNET, and then pressing OK.
g. If you’re running on Windows Server 2003, follow the same steps, except
specify “Network Service” instead of ASPNET. On the server OS, web services
run as Network Service by default.
h. Press OK to commit your change, and close the tool.


"Alex Trebek" wrote:

> Hello grp:
>
> Has anyone had any luck using Certificate Services generated certs and
> SecureConversation? For whatever reason, I am able to use our Verisign
> certs with no issue but receive a bunch of different errors when attempting
> to use our certificate server cert. I've seen a few posts about this but
> the people were referring to makecert generated certs for testing or their
> situation was not the same as mine. We are done with testing and I need to
> find a solution for production. If someone has done this successfully,
> would it be possible to describe the steps you've taken with setting up Cert
> svcs or your policy file.
>
> Steps I've taken:
>
> 1) verified that I have the private key in the appropriate places and
> permissions for ASPNET were granted.
>
> 2) used the trace to determine that the client message conforms to policy
> reqs (signed, key hash matches, encrypted, etc..)
>
> Thanking in advance,
>
> Alex
>
>
>
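
Added example, not part of the original posts or the lab text: step 8 of the lab excerpt above, scripted in PowerShell, with a listing of who can already read the key. It assumes the certificate name and accounts given in the steps, a private key held by a legacy CryptoAPI provider, and an elevated Windows PowerShell session.

```powershell
# Added example: scripted form of lab step 8 (run elevated in Windows PowerShell).
# Assumptions: the key is held by a legacy CryptoAPI provider, and the
# certificate name and account below are the ones named in the lab steps.
$certName = 'WSE2QuickStartServer'
$account  = 'NT AUTHORITY\NETWORK SERVICE'   # Windows XP: "$env:COMPUTERNAME\ASPNET"

# Steps b-d: Local Computer / Personal store, pick the service certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$certName*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching CN=$certName in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# Step e: locate the private key file behind the certificate.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$appData   = [Environment]::GetFolderPath('CommonApplicationData')
$keyFile   = Join-Path $appData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

# Show who can already use the key, so overly broad grants are visible.
$acl = Get-Acl -LiteralPath $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Steps f-h: grant read only, and only if the account does not have it yet.
$read = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
}
if ($hasRead) {
    Write-Output "$account already has read access to $keyFile"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
    Write-Output "Granted read access on $keyFile to $account"
}
```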