I am trying to import an RSA Key.
I open cmd prompt in Admin mode, go to C:\Windows\Microsoft.NET\Framework64\v4.0.30319 and my command is as follows: aspnet_regiis - pi "Key" "S:\RSAKeys\Key.xml" -pku
This is the exact same command that my coworker used and it worked perfectly for him. When I try it though, I get "Importing RSA Keys from file..Unable to find the specified file. Failed!"
What could be different between our machines?
I have also tried different things (removing the -pku, trying it not as admin, etc.) but in the end it doesn't fully work.
Trying it not as admin with -pku will say succeeded (but then when I try to use the service, it errors with "The RSA key container could not be opened"). Trying it not as admin without -pku will error with "Access is denied."
Edit 1: Looks like a read perms issue between S drive and C drive maybe. Putting the file on the C drive was able to succeed the import but still receiving an error from the service that uses the import saying the rsa key container could not be opened.
Final Edit: After some research, I discovered that I needed to change permissions. I used these documents to help: https://serverfault.com/questions/293416/the-rsa-key-container-could-not-be-opened-windows-server-2008-r2 http://austrianalex.com/rsaprotectedconfigurationprovider-not-recommended-for-children-under-5.html The RSA key container could not be opened
Unfortunately, none of them fixed the problem. Somehow, the RSA key was imported where even the Admin group didn't have the permissions it needed to change permissions. So I went and found the RSA key under the C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys folder. I had originally tried giving the Administrator group (which was only me anyways) full permissions but received a Safe Handle Error and had to remove that.
Finally, I added myself (not the administrator group) with full permissions and it worked. Thanks #Thymine for pointing me in the right direction!
Related
these are the steps i did :
1- created a keypair.
2- downloaded the keypair and used puttygen to generate a private key
3-created a new instance using the orion-psb-image-R5.4 image for a context broker.
4-created a security group and added a rule that opened the ssh port
5- associated a floating ip to that image
6-tried to access the image from putty using the floating ip and the private key generated in step 2
putty gives me this error:
Disconnected : No supported authentication methods available (server sent:publickey).
I would like to know how to solve this issue and understand the reason for it.
update:
Screen shots:
1.loading the downloaded keypair into puttygen
2.the downloaded keypair file from fiware lab (keypair.pem) and the generated private key
3.entering the floating ip for the contextbroker instance
4.loading the generated private key to use during connection establishment
5.the error message when i try to connect
Seems to be a problem with key generation or Putty configuration. Unfortunatelly, the question post doesn't include enough detail to provide a more precices anser.
I'd suggest you to edit your question post to include full detail of each step you have done (even including screenshots as you go).
EDIT: use centos as user login instead of root
I have github on Windows-7. The github doesn't seem to allow me to check in code as something is messed up.
I did try changing the credentials & so forth by looking up online but nothing seems to work.
I still see the Bad credentials error alongside some wamp developer errors.
I don't know how wamp developer is related to GitHub.
I did have WAMP developer once upon a time on the PC.
The log file for the attempt is here: Github log file.
The error:
2016-03-22 12:44:50.7329|
ERROR|thread: 5|StartupLogging| MISSING PATH!!: 'C:\WampDeveloper\Components\Apache\bin'
That simply means your %PATH% currently reference one non-existent path: you could clean-up your environment variable PATH which is currently quite large.
This is not-blocking for GitHub Desktop though.
The other error is linked to a key previously used for:
Logged user r... off of host 'https://<server_url>'
When that key "C:\Users\ffgr.ghjk\.ssh\github_rsa" is used to authenticate to github.com does not work.
Make sure that key (the public one github_rsa.pub) is added to your GitHub account: "Adding a new SSH key to your GitHub account"
I am not sure either what I am trying to do is possible or correct way.
One of my colleague spinup kubernetes gce cluster (with 1 master and 4 minions.) in a project which is shared with me as owner access.
After setup he shared his ~/.kubernetes_auth keys along with .kubecfg.crt, .kubecfg.ca.crt and .kubecfg.key. I copied all of the at my home folder and setup the kubernetes workspace.
I also set the project name as a default project in geconfig. and now I can connect to the master and slaves using 'gcutil ssh --zone us-central1-b kubernetes-master'
But when I try to list of existing pods using 'cluster/kubecfg.sh list pods'
I see
"F1017 21:05:31.037148 18021 kubecfg.go:422] Got request error: Get https://107.178.208.109/api/v1beta1/pods?namespace=default: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ChangeMe")
I tried to debug from my side but failed to come any conclusion. Any sort of clue will be helpful.
You can also copy the cert files off of the master again. They are located in /usr/share/nginx on the master.
It is probably due to a not implemented feature, see this issue:
https://github.com/GoogleCloudPlatform/kubernetes/issues/1886
you can copy the files from /usr/share/nginx/... on the master
into your home dir and try again.
I figured out a workaround: set the -insecure_skip_tls_verify option
In kubecfg.sh, change the code near the bottom to
else
auth_config=(
"-insecure_skip_tls_verify"
)
fi
Obviously this is insecure and you are putting yourself at risk of a man in the middle attack, etc.
I am trying to install a certificate on my local machine (Win Server 2003) with the X509Certificate2 class in a C# test console application. When I install the certificate with the following code, everything is fine:
var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
cert = new X509Certificate2(certificatePath);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
Problem is, that the private key of the certificate is not persisted, when installed without the X509KeyStorageFlags.PersistKeySet. So I tried to instanciate the certificate like this (the private key has no password, so I pass in an empty string):
var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
cert = new X509Certificate2(certificatePath, "", X509KeyStorageFlags.PersistKeySet);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();
But trying to instanciate the certificate throws a System.Security.Cryptography.CryptographicException "Failed to load certificate: The specified network password is not correct.", even though the private key has no password.
If I import the certificate in the Microsoft Management Console without specifying a password it works great.
Does anybody know how to do this programmatically?
If you try to create an instance of X509Certificate2 with an empty password on Windows XP or Windows 2003, the "Failed to load certificate: The specified network password is not correct." exception will be thrown.
If you can, try to create a certificate with a password which is not empty. Then everything should be fine.
Hopefully this will help somebody (and to expand on uGeeen's answer:
User "S C" points out the following requirement for certificate passwords on Windows XP and Windows Server 2003.
0 < password.Length < 32
I have seen conflicting reports on whether 32 is allowed. I can confirm that I was using a 32 character password (an MD5 hash), and truncating it to 30 characters fixed the issue.
are you doing it from worker process or some other impersonated process? it may be just that the identity your process uses is initialized WITHOUT loading the identity user's profile, what seems to result with no access to the user's cerificate store.
i've had similar problem when loading a x509 cert with private keys from within ASP.Net/IIS proces, and turning on profile-loading for worker processed did the trick
In case anybody has a similar problem: I managed to install the certificate and persist the private key in another fashion. I found the WinHttpCertCfg command line tool that you can get from here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp
I then call this command line tool programmatically to install the certificate. This site gave me a hint on how to use it: weblogs.asp.net/hernandl/archive/2005/02/09/…
Cheers, Chris
Upon installation of a client side certificate, I am getting the exception "Object contains only the public half of a key pair. A private key must also be provided". My application is a VC#.NET application running over an ASP.NET platform. The application also uses WSE 2.0 to import certificates into making SOAP requests.
Upon research, I've found that this exception is of type System.Security.Cryptography.CryptographicException.
I am pretty positive all my WSE settings are configured correctly, since I was able to find a similar certificate by subject-distinguished-name. Any ideas will be greatly appreciated.
I was recently having the same problem. I found one explanation here that worked for me. Specifically, the permissions for the private key. The full info is copied below.
There are a couple things that I would
look at first:
Do you have a private key for this certificate?
Have you given permission for youf application to access the private
key?
You can establish whether you have a
private key by viewing the certificate
through the Windows Certificate Store.
To get to this, follow these steps:
From the Windows Start menu, select Run.
Type mmc in the Open: field. Click OK
Select "Add/Remove Snap-in" from the File menu.
Click the Add button.
Select "Certificates" from the list of Available Standalone Snap-ins.
Click the Add button.
Select "Computer account." Click Next.
Select "Local Computer". Click Finish.
Click Close.
Click OK.
Expand the Certificates node under the Console Root and open the
Personal store.
Double-click the Certificate you're using. If you have a private
key, the dialog will display a message
at the bottom that says "You have a
private key that corresponds to this
certificate".
If you have a private key, then ensure
that your application has permission
to access the key:
Open Windows Explorer.
Navigate to the C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys
folder.
Select the files containing the keys that the WSE will need to
retrieve.
From the File menu, select Properties.
On the Security tab, add the ASPNET account and select th e Full
Control option.
Notes:
1. Determining which key file in the MachineKeys folder is
associated with a certificate can be
difficult. One easy method is to note
the creation date and time when
creating a new certificate. When you
view the files in the MachineKeys
directory, check the Date Modified
field for the corresponding date and
time.
2. If you have configured your system to run under a different
account than ASPNET, use that account
when granting permissions to access
the certificate.
As per my experience it could be failing because of two reasons.
Check if your cert has private key available.
If that is .net application then check if you have given permission to cert to make sure your application has permission to access the cert. In my case adding the "iis_iusrs" and given read permission does work for me.
Thanks.
After encountering the same exception: System.Security.Cryptography.CryptographicException, Object contains only the public half of a key pair, I proofed an alternative, but less optimal solution.
Situation: Certificate / key look up worked great inside of Visual Studio IIS Express, but while the Web Application was running under the proper IIS service, I always received the 'Contains only public half of key pair' exception.
I used the WSE3 CertificateTool to locate the private key section on the filesystem and attempted at length to adjust the user permission settings to give the ASP user permissions as per the above answer.
My eventual fix, which was not pretty, was to create a new IIS Application Pool specific to my Web service code and set the user Identity the pool runs as the Local machine owner of the certificate + private key.
The final location I installed the certificate in was "Local Computer / Trusted People".
Using WSE3 CustomPolicyAssertion, C# .NET:
clientToken = X509TokenProvider.CreateToken(StoreLocation.LocalMachine,
StoreName.TrustedPeople, "soap.partnersite.com", X509FindType.FindBySubjectName);
After updating the App Pool Identity, no private key file overrides were necessary when changing the application pool owner.