Object contains only the public half of a key pair. A private key



I am attempting to call a webservice secured with the WSE 3.0 toolkit and am
receiving the following error message. My assumption is that I installed the
certs in the wrong location. I placed my public + private key cert in the
localmachine my store and placed the customer's public key in the
localmachine address store. I used cert tools to grant everyone full access
to my cert on the machine.

<?xml version="1.0" encoding="utf-8"?>
<log>
<outputMessage utc="7/5/2006 6:34:50 PM"
messageId="urn:uuid:27867ccf-fcc5-400e-ba0c-739e005ab59d">
<processingStep description="Unprocessed message">
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<Dispatch xmlns="http://xxx/webservices/">
<messageType>test</messageType>
<correlationId>test</correlationId>
<messageBody>test</messageBody>
<userName>test</userName>
<applicationName>test</applicationName>
<instance>test</instance>
<postBackUrl>test</postBackUrl>
</Dispatch>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingStep description="Entering SOAP filter Microsoft.Web.Services3.Design.MutualCertificate11Assertion+ClientOutputFilter" />
<processingStep description="Exception thrown: Object contains only the public half of a key pair. A private key must also be provided.">
at System.Security.Cryptography.RSACryptoServiceProvider.SignHash(Byte[] rgbHash, String str)
at Microsoft.Web.Services3.Security.Cryptography.RSASHA1SignatureFormatter.SignHash(Byte[] rgbHash)
at Microsoft.Web.Services3.Security.Cryptography.RSASHA1SignatureFormatter.Sign(Stream data)
at Microsoft.Web.Services3.Security.MessageSignature.BuildSignedInfo(SignatureFormatter formatter)
at Microsoft.Web.Services3.Security.MessageSignature.ComputeAsymmetricSignature(AsymmetricKeyAlgorithm key)
at Microsoft.Web.Services3.Security.MessageSignature.ComputeSignature()
at Microsoft.Web.Services3.Security.Security.SerializeXml(SoapEnvelope document)
at Microsoft.Web.Services3.Security.Security.Execute(SoapEnvelope envelope)
at Microsoft.Web.Services3.Security.SendSecurityFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services3.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)</processingStep>
</outputMessage>
</log>

My policy file is as follows:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
<extension name="mutualCertificate11Security"
type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="x509"
type="Microsoft.Web.Services3.Design.X509TokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="MyPolicy">
<mutualCertificate11Security establishSecurityContext="false"
renewExpiredSecurityContext="true" requireSignatureConfirmation="true"
messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true"
ttlInSeconds="300">
<clientToken>
<x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=PublicKeyClient" findType="FindBySubjectDistinguishedName" />
</clientToken>
<serviceToken>
<x509 storeLocation="LocalMachine" storeName="AddressBook"
findValue="E=webfarm@xxxxxxx, CN=XXX, OU=Information Technology, O=Compl
Inc., L=Austin, S=TX, C=US" findType="FindBySubjectDistinguishedName" />
</serviceToken>
<protection>
<request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
<fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
</protection>
</mutualCertificate11Security>
<requireActionHeader />
</policy>
</policies>
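
The check below is an added example, not part of the original post: it opens the store named in the policy's clientToken element and reports, for every certificate matching CN=PublicKeyClient, whether a private key is attached and can be opened. It assumes the .NET Framework and is meant to be run under the same account as the calling application; the class name ClientTokenCheck is illustrative.

```csharp
// Added diagnostic example (not from the original post).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientTokenCheck
{
    static int Main()
    {
        // Values copied from the <clientToken> element of the policy file.
        const StoreLocation location = StoreLocation.LocalMachine;
        const StoreName storeName = StoreName.My;
        const string subject = "CN=PublicKeyClient";

        X509Store store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly=false so expired or untrusted matches are still listed.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subject, false);
            Console.WriteLine("{0} match(es) in {1}\\{2}",
                matches.Count, location, storeName);

            int usable = 0;
            foreach (X509Certificate2 cert in matches)
            {
                Console.WriteLine("Thumbprint {0}  HasPrivateKey={1}",
                    cert.Thumbprint, cert.HasPrivateKey);
                if (!cert.HasPrivateKey) continue; // public half only: cannot sign
                try
                {
                    // Reading PrivateKey opens the key container. It throws when
                    // the key file is missing or this account cannot read it.
                    AsymmetricAlgorithm key = cert.PrivateKey;
                    if (key != null) usable++;
                    Console.WriteLine("  private key opened: {0}", key != null);
                }
                catch (CryptographicException ex)
                {
                    Console.WriteLine("  private key not accessible: {0}", ex.Message);
                }
            }
            // Exit code 0 only if at least one match can actually sign.
            return usable > 0 ? 0 : 1;
        }
        finally { store.Close(); }
    }
}
```

More than one match, or a match with HasPrivateKey=False, means the policy's lookup can return a certificate that holds only the public key.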
