Disable private key protection - certificate

When using a self-signed certificate for signing outgoing AS2 messages with BizTalk I get an error
"The MIME encoder failed to sign the message because the certificate has private key protection turned on ..."
with a suggestion
"please disable private key protection to allow BizTalk to use a certificate for signing."
How do I disable private key protection?
Using Windows Server 2012 R2 and BizTalk Server 2016.
Self-signed certificate created with PowerShell New-SelfSignedCertificate.

I just had the same issue and none of the offered solutions (loading user profile, not selecting strong private key protection in import) worked. I finally solved it when I encountered this old link: http://www.semaphoremd.com/2014/05/23/cryptographic-provider-for-digital-certificate-used-by-as2-in-biztalk. Basically the problem is that BizTalk 2016 still relies on ancient .NET 3.5, which lacks support for KSP. Check the certificate:
certutil -p <password> cert.pfx
If it says Provider = Microsoft Software Key Storage Provider then BizTalk will fail and complain about private key protection. Fix it with openssl:
openssl pkcs12 -in my-original-cert.pfx -out temp.pem
openssl pkcs12 -export -in temp.pem -out my-fixed-cert.pfx
Import my-fixed-cert.pfx into the personal certificate store (and if self-signed also import it as a CA certificate). Update BizTalk to use the updated certificate and hopefully the problem should be solved.
EDIT:
If you are starting from scratch, specify the old provider instead:
New-SelfSignedCertificate -Provider "Microsoft Strong Cryptographic Provider" ...
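As an added example (not code from the answer above), this PowerShell snippet reports whether a certificate's private key sits in a legacy CSP, which the .NET 3.5 MIME encoder in BizTalk 2016 can use, or in a CNG Key Storage Provider, the case that produces the "private key protection" error. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later; the thumbprint is a placeholder you supply.

```powershell
# Added example, not from the answer: classify the provider behind a certificate's RSA key.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6+ (RSACertificateExtensions exists).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,                       # placeholder
    [ValidateSet('LocalMachine', 'CurrentUser')] [string] $StoreLocation = 'LocalMachine'
)

$cert = Get-Item -Path "Cert:\$StoreLocation\My\$($Thumbprint.ToUpperInvariant())" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in $StoreLocation\My"
}

# GetRSAPrivateKey returns RSACryptoServiceProvider for CSP-backed keys, RSACng for keys
# held by a Key Storage Provider, and $null when the key is not RSA (e.g. ECDSA).
$key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $key.CspKeyContainerInfo
    "Provider: $($info.ProviderName) (legacy CSP, provider type $($info.ProviderType))"
    'BizTalk / .NET 3.5 can sign with this key: yes'
}
elseif ($key -is [System.Security.Cryptography.RSACng]) {
    # CngKey.Provider.Provider is the KSP name, e.g. "Microsoft Software Key Storage Provider"
    "Provider: $($key.Key.Provider.Provider) (CNG Key Storage Provider)"
    'BizTalk / .NET 3.5 can sign with this key: no'
    'Fix: re-export the PFX through openssl pkcs12, or recreate it with'
    '     New-SelfSignedCertificate -Provider "Microsoft Strong Cryptographic Provider"'
}
elseif ($null -eq $key) {
    'Key is not RSA (ECDSA or other); BizTalk AS2 signing expects an RSA key in a CSP'
}
else {
    "Unexpected key type: $($key.GetType().FullName)"
}
```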

When importing the private key, you need to un-tick this option:


Create private key after CSR creation and p7b generation

I'm having trouble understanding how to get/generate a private key for some certificates I requested.
I've created a CSR using the DigiCert Certificate Utility for Windows, which gave me a csr.txt file as an output but no .key file.
Then I proceeded to request the certificates by inserting the above mentioned CSR in the Certificate Management portal of my company.
Now I have received the p7b files and the related CSRs, but no private keys: is it possible to generate it now?
Thanks in advance,
Tommaso
Use the import function of the DigiCert Certificate Utility for Windows. The key is stored in software on the machine where the CSR was created. After the import the key and the certificate are associated and should be in the Windows certificate store. If the key was generated with the exportable flag, you can export a PKCS#12 and convert that to a key file using OpenSSL.

Is Self-Signed IdentityServer4 signing credential good enough in production?

We are using IdentityServer4 and our version loads the signing key from a PFX file in the file system or from the Windows certificate store. Using the certificate works. The question is - which certificate issuer should be used in production?
Is a certificate from a public CA recommended? Or is it enough to have a self-signed certificate (without a CA at all) such as it can be created with IIS Manager?
In our tests we have found that the client could still validate the signature in the access token, even if the signing certificate did not have a valid CA chain on the client.
In the docs, it says that you can also use raw key material instead of a certificate:
http://docs.identityserver.io/en/latest/topics/crypto.html#token-signing-and-validation
In this scenario there would be no CA chain whatsoever.
That leads me to the assumption that when the client loads the public signing key (via the HTTP(S) endpoint), the CA chain information might not be passed anyway. Is that right? Through the loading mechanism via HTTPS you also have a combined security mechanism.
So my conclusion is that for the signing credential a self-signed cert is just as safe as one from VeriSign. Can this be confirmed?
There is no certificate involved in signing and verifying the tokens. Only a private and public key (RSA or ECDSA key).
However, a certificate can be useful to "import/transport" the keys into .NET. So, because of that, we don't care about who issued the certificate.
When importing the key, one approach is to bundle the certificate that holds the public key + the private key and store it in a PKCS#12 file (.pfx/.p12 extension). Then load that file into .NET. Before .NET 5 working with keys was a bit hard.
The more important thing is that you can manage and deploy the private key in a secure way and that it is persisted over time.
Optionally, you can add support for key-rotation.

Identify Microsoft Authenticode Certificate

I have a Code Signing Certificate but it looks like I can't use it for Microsoft ClickOnce. It looks like ClickOnce requires the certificate to be an Authenticode Certificate. How can I tell that a (code signing) certificate is indeed an Authenticode Certificate?
The only EKU that ClickOnce checks for (as far as I can tell) is id-kp-codeSign (1.3.6.1.5.5.7.3.3). You also need DigitalSignature as a (non-extended) Key Usage. And, of course, a way of getting at the private key.
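The following PowerShell check is an added example, not code from the answer above. It tests a certificate in the Windows store for the three things the answer names: the id-kp-codeSigning EKU (1.3.6.1.5.5.7.3.3), the DigitalSignature key usage, and an accessible private key. The store path and thumbprint are assumptions.

```powershell
# Added example, not from the answer: report whether a store certificate meets the
# Authenticode requirements ClickOnce checks. Store path and thumbprint are placeholders.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [string] $StorePath = 'Cert:\CurrentUser\My'
)
$cert = Get-Item -Path "$StorePath\$Thumbprint" -ErrorAction Stop

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning, the only EKU ClickOnce looks for

$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$kuExt  = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

# EKU: the code-signing OID must be listed; no EKU extension at all counts as a failure
$hasCodeSigningEku = ($null -ne $ekuExt) -and
    [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })

# KeyUsage: the answer treats DigitalSignature as required, so a missing KeyUsage
# extension is reported as a failure here as well
$digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
$hasDigitalSignature = ($null -ne $kuExt) -and (($kuExt.KeyUsages -band $digSig) -eq $digSig)

$checks = [ordered]@{
    'EKU id-kp-codeSigning (1.3.6.1.5.5.7.3.3)' = $hasCodeSigningEku
    'KeyUsage DigitalSignature'                 = $hasDigitalSignature
    'Private key available'                     = $cert.HasPrivateKey
}
foreach ($c in $checks.GetEnumerator()) { '{0,-44} {1}' -f $c.Key, $c.Value }

if ($checks.Values -contains $false) {
    Write-Warning "$($cert.Subject) is not usable as an Authenticode/ClickOnce signing certificate"
} else {
    "$($cert.Subject) satisfies the Authenticode requirements ClickOnce checks"
}
```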

Sign Powershell Script with Cert from easy-rsa

I apologize if this has been answered elsewhere, but I couldn't find anything that quite fit what I'm trying to do here.
I have a CA set up already on a Linux server, and I use it for creating OpenVPN certs. I want to utilize this existing infrastructure if I can.
What I intend to do, is create the signing certificate on my Linux server using easy-rsa, import that into a Server 2012 R2 environment, and sign it from there. After that, I'd import the necessary certs on the servers I'm deploying my scripts to.
Is this possible? Are there limits to the key size? What algorithms can I use? Is EC supported? If so, which curves?
All the literature I've come across talks about creating the CA on a Windows Server, so I'm at a bit of a loss here.
It took 3 years and I asked the same question, and the answer is - Yes!
Requirements: easy-rsa, openssl
Step 1: Generate RSA private key.
openssl genrsa -out MySPC.key
Step 2: Make certificate request.
openssl req -new -key MySPC.key -out MySPC.req
Step 3: Import certificate request to easyrsa.
easyrsa import-req MySPC.req MySPC
Step 4: Sign certificate request, and make SPC certificate.
easyrsa sign-req code-signing MySPC
Step 5: Make PFX.
openssl pkcs12 -export -out MySPC.pfx -inkey MySPC.key -in MySPC.crt -certfile MyCA.crt
Last step: Import PFX file to Windows Keystore.
Import PFX file to Trusted Publishers Certificate Store.
Now you can use this certificate to sign your PowerShell scripts and other executables!
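The Windows side of the procedure above, as an added example that is not part of the answer: it imports MySPC.pfx and MyCA.crt produced by the easy-rsa steps, checks that the certificate carries the code-signing EKU, then signs a script and verifies the signature the way PowerShell will at load time. It assumes an elevated Windows PowerShell 5.1 session with the PKI module; the file paths, the password prompt and the timestamp server URL are assumptions.

```powershell
# Added example, not from the answer: import the easy-rsa signer and CA, sign a script.
# Assumes an elevated Windows PowerShell 5.1 session; paths and URL are placeholders.
$pfxPath = 'C:\certs\MySPC.pfx'
$caPath  = 'C:\certs\MyCA.crt'
$script  = 'C:\scripts\Deploy.ps1'
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString

# Signer with private key -> Personal. The easy-rsa CA -> Trusted Root so the chain builds,
# and the signer's public cert -> Trusted Publishers so AllSigned/RemoteSigned accept it.
# The same two Import-Certificate calls are what the deployment targets need (no PFX there).
$signer = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass
Import-Certificate -FilePath $caPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$cerPath = Join-Path $env:TEMP 'MySPC.cer'
Export-Certificate -Cert $signer -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 'easyrsa sign-req code-signing' must have added the code-signing EKU; -CodeSigningCert
# filters the store on exactly that extension.
$usable = Get-ChildItem Cert:\LocalMachine\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
if (-not $usable) { throw 'Imported certificate lacks the code-signing EKU' }

# Sign with SHA-256 and a timestamp so the signature outlives the certificate's validity
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $signer `
           -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)" }

# Re-check the way PowerShell does when loading the script under an execution policy
$check = Get-AuthenticodeSignature -FilePath $script
'{0}: {1} (signed by {2})' -f $script, $check.Status, $check.SignerCertificate.Subject
```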

Certificate issue: KEY or PFX from P7B and CRT

I'm new to certificates, and this is the first time I have bought one.
I generated CSR file (in IIS) and bought certificate using GoDaddy web site. They sent me two files: P7B and CRT. Since I will use the certificate for Azure Web role, I need PFX. How can I create it using only CSR, P7B, and CRT?
Finally I managed to do that. In IIS I selected Complete Certificate Request, installed the CRT certificate, and then used Export option to save it as PFX.
Since I will use the certificate for Azure Web role, I need PFX
Although my target server is Nancy, I'm posting the answer because it's relevant to the process of generating a PFX cert.
A Nancy-based project required a trusted cert. I found procedures to set up a self-signed using a PFX cert, Enabling SSL for Self Hosted Nancy, but it wasn't obvious how to proceed with GoDaddy certs. Digging around, I found an answer at a commercial SSL site.
So I created the CSR using OpenSSL, ordered and fetched my cert package from GoDaddy, and then managed to generate a PFX also using OpenSSL as described below.
As a side note for Nancy, I installed the PFX locally using the following
c:> certutil -importPFX certname.pfx
described here: https://stackoverflow.com/a/33351095/241296
Maybe it's possible to completely bypass local IIS for the Azure PFX requirements.
Create a .pfx/.p12 certificate file using OpenSSL (ssl.com)
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more.crt
Breaking down the command:
openssl – the command for executing OpenSSL
pkcs12 – the file utility for PKCS#12 files in OpenSSL
-export -out certificate.pfx – export and save the PFX file as certificate.pfx
-inkey privateKey.key – use the private key file privateKey.key as the private key to combine with the certificate.
-in certificate.crt – use certificate.crt as the certificate the private key will be combined with.
-certfile more.crt – This is optional, this is if you have any additional certificates you would like to include in the PFX file.
I used the -certfile option to specify the GoDaddy bundle:
openssl pkcs12 -export -out my.pfx -inkey my.key -in my.crt -certfile gd_bundle-g2-g1.crt
You can follow the steps provided by support for installing an SSL certificate.
Extracts from the above link.
Important Note: To export the certificate in .pfx format you need to follow the steps on the same machine from which you have requested the certificate.
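As an added example (not code from any of the answers above), this is the scripted form of the first answer's IIS "Complete Certificate Request" followed by Export, and it shows why the note just above holds: the private key is waiting in the machine's REQUEST store, so the script only works on the machine that generated the CSR. File paths and the password prompt are assumptions.

```powershell
# Added example, not from the answers: complete a pending CSR with the issued CRT and export
# a PFX. Must run elevated on the machine that created the CSR. Paths are placeholders.
$issuedCrt = 'C:\certs\my.crt'     # CRT from GoDaddy; certreq also accepts the P7B bundle
$pfxOut    = 'C:\certs\my.pfx'
$pfxPass   = Read-Host -Prompt 'PFX password' -AsSecureString

# certreq -accept pairs the issued certificate with the pending private key in
# Cert:\LocalMachine\REQUEST and moves the result into Cert:\LocalMachine\My.
# It fails when no pending request on this machine matches the certificate's public key.
& certreq.exe -accept -machine $issuedCrt
if ($LASTEXITCODE -ne 0) {
    throw "certreq -accept failed (exit $LASTEXITCODE): is this the machine that generated the CSR?"
}

# Locate the completed certificate by the thumbprint of the issued CRT
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $issuedCrt
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($leaf.Thumbprint)" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate is installed but without its private key' }

# Export with the chain so the GoDaddy intermediates travel with the PFX to the web role.
# BuildChain needs the intermediates present locally (installing the P7B provides them).
Export-PfxCertificate -Cert $cert -FilePath $pfxOut -Password $pfxPass -ChainOption BuildChain | Out-Null
"Exported $pfxOut for $($cert.Subject) (valid until $($cert.NotAfter))"
```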