Can't create a key of the Subject <'MyCAContainerName'> - certificate

Using makecert, I wrote the command:
makecert -pe -n "CN=Myauthority" -sr localmachine -ss Root -a sha256 -cy authority -r -sk MyCAContainerName -sky exchange -sp "Microsoft RSA Schannel Cryptographic Provider " -sy 12 -len 2048 certif.cer;
I received an error:
Error: Can't create the key of the Subject <'MyCAContainerName'>
In seeking the solution, I discovered that the problem arises because I did not have authorizations on the machineKey file (C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys); the following link explains better what I'm saying:
http://support.microsoft.com/kb/278381
I followed the same procedures in order to have enough permissions on the machine key, but the problem still occurs.

It seems that Can't create the key of the subject is a fairly generic error, however, what follows after it may give a clue.
While it may be caused by permissions errors (e.g. makecert.exe error: Can't create the key of the subject), I have also seen the error of the form Can't create the key of the subject ('<some guid>') caused by an incorrect parameter to the -sp argument.
In your case, Error: Can't create the key of the Subject <'MyCAContainerName'> would make me guess that there is something wrong with the -sk MyCAContainerName portion of the command, but the upshot is, if it is not something with permissions, then it is likely an incorrect command argument or combination of arguments.

Master,
I ran into the same error. I solved it by running the command prompt as an administrator user.
MV

It's late, but I have the solution to this. First execute the command as you are; it will give the error Error: Can't create the key of the Subject <'MyCAContainerName'>. But it will create a .pvk file. Don't delete it. Instead execute the command again, but this time remove -sk MyCAContainerName from the command. And it will create your certificate.

In my case the C drive did not have enough space. I cleared some unwanted files and folders and it worked.

Related

SSH Key - How can I add a new key to github?

I'm attempting to add pbcopy < ~/.ssh/id_rsa.pub in GitHub but this is the error message I'm getting: Key is invalid. You must supply a key in OpenSSH public key format.
Any suggestions on how I can add this? I've googled several different commands.
Thanks in advance!
Try to go to the file destination (~/.ssh/id_rsa.pub) and copy-paste it into GitHub. Follow steps 1, 2 & 3 to get to where you want to paste it. After copy-pasting, use the command (in Git Bash) ssh -t git@github.com to authenticate.
For Windows users, there are two things to consider
your console should parse quotation and double quotation in the right order.
curl needs quotation for JSON properties and keys.
So how can we debug it:
Add "-v --trace-ascii -" to the curl command to see log for command.
Use echo or write-host for your data in cmd or PowerShell
It is so important to make sure that curl receives valid JSON data.
See an example for Windows PowerShell here

Can’t use Mozilla’s cert9.db with certutil.exe

The following command: certutil.exe -L -d "C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\1bku2z91.default-1633392324717\"
returns this error message: certutil.exe: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
I tried with and without quotes, changed backslash to forward slash. I found comments that the destination folder has to include secmod.db, which my folder does not but I think this applied to cert8.db, not cert9.db. I am passing the right folder as per about:support lookup. My Firefox version is 66.0.3
You need to add "sql:" before the location of the folder to specify that it is a sqlite db that you are trying to read, so it would be:
certutil.exe -L -d sql:"C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\1bku2z91.default-1633392324717\"

Why my certificate can't be used for PowerShell code signing?

Windows 7 x64, PowerShell 4.0.
I am a beginner in working with digital signatures, so I read these articles first:
https://technet.microsoft.com/en-us/magazine/2008.04.powershell.aspx
https://msdn.microsoft.com/en-us/library/bfsktky3%28v=vs.100%29.aspx
https://msdn.microsoft.com/en-us/library/f5cs0acs%28v=vs.100%29.aspx
I need to sign my PowerShell scripts. These scripts are to be accessible by all users of our Windows domain. But at first I want to learn to do it on my computer.
I set execution policy to the AllSigned value (with admin rights):
Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy AllSigned
According to Don Jones's article, I created my own certificate (through the Developer Command Prompt for VS2015 [i.e. through cmd.exe], with admin rights):
cd c:\temp
makecert -n "CN=Andrey Bushman" -a md5 -r -sv Andrey.Bushman.pvk -ss Root -sr localMachine Andrey.Bushman.cer
I got the Andrey.Bushman.cer and Andrey.Bushman.pvk files in my current directory. The first of them has 1 kb size, and the second of them has 2 kb size. So, I see the private key size is larger than the size of the certificate.
Question #1
Does it mean that my certificate doesn't include the copy of my private key?
Now I see new item in the certificate store:
PS Cert:\LocalMachine\Root> Get-ChildItem | where -Property Issuer -EQ "CN=Andrey Bushman"
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root
Thumbprint Subject
---------- -------
CF26A00BB7C8EB2B1EA66CA307C4B5025F636F9A CN=Andrey Bushman
Then Don Jones did it:
makecert -pe -n "CN=MyCertificate" -ss MY
-a sh1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk
-c root.cer
Question #2
Why did he do it? Before he did it, we already had our certificate in the cert:LocalMachine\Root storage.
By analogy I did it for my case:
makecert -pe -n "CN=Andrey Bushman" -ss MY -a md5 -iv Andrey.Bushman.pvk -ic Andrey.Bushman.cer
But I get nothing when I launch this:
gci cert:\CurrentUser\My -codesigning
Without the -codesigning flag I get this:
PS C:\temp> gci cert:\CurrentUser\My
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
8F0D753ACA7F6631C3D967921BD06E158E1AB1AF CN=Andrey Bushman
Question #3
Why do I get nothing when I use the -codesigning flag?
OK, I try to sign some file and get the problem:
PS C:\temp> $cert = @(gci cert:\CurrentUser\My)[0]
PS C:\temp> Set-AuthenticodeSignature -FilePath .\123.ps1 -Certificate $cert
Set-AuthenticodeSignature : It isn't possible to sign the code. The specified certificate isn't suitable for the code signing.
line:1 char:1
+ Set-AuthenticodeSignature -FilePath .\123.ps1 -Certificate $cert
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Set-AuthenticodeSignature], PSArgumentException
+ FullyQualifiedErrorId : Argument,Microsoft.PowerShell.Commands.SetAuthenticodeSignatureCommand
Question #4
How can I make my certificate suitable for the code signing?
UPD
I can't ask my question here, because I can't register on that site (I receive nothing in my email). I wrote letters to the support team's email but they never answer. I tried to do it some years ago and I tried to do it some days ago again, but I get the same result.
Q1: Does it mean that my certificate don't include the copy of my private key?
A1: Yes. Certificates can be swapped around because they don't include the private key. The private key typically only exists on one computer, with a backup copy archived in a secure location. Anyone that gets access to the private key can sign anything they want and it looks just like you did it. (A more complete answer to this question is outside the typical scope of Stack Overflow, but there are many good resources available on PKI.)
Q2: Why he did it?
Q3: Why I get nothing when I use the -codesigning flag?
A2/A3: The first time he ran makecert, he created the root certificate. A root certificate is specifically for issuing other certificates, which is why it does not show up as a code signing certificate. This second time, he is making the actual certificate. The -eku option specifies the certificate options to use, which can be anything from a root certificate, code signing certificate, or digital signature, to more advanced things like data encryption or client authentication.
Q4: How can I make my certificate suitable for the code signing?
A4: I don't have a lot of experience with makecert.exe, as my company has a contract with Cybertrust such that I can generate as many certificates as I need without worrying about the cost for each one. (Yes, it's a nice luxury.) This means I can't answer questions on makecert.exe, its syntax, or the -eku options to use.
In many ways, makecert is doing a lot of things for you behind the scenes, but the basic things you need are the same:
You have to generate a public / private key pair.
You have to create a certificate request that specifies "code signing".
You have to use the private key to sign your certificate request.
The certificate authority uses that request to generate the certificate.
The generated certificate can only be installed using the private key that signed the request.
Once you have the certificate installed, it will show up using the -codesigning option and will be usable by Set-AuthenticodeSignature.
I would suggest using the makecert documentation and other digital certificate resources to find the right options, but based on my quick glance at the links you posted, it appears you have the majority of the information you need. Having done digital certificates for many years now, it appears to me that the biggest thing that will help you is to get more familiar with how Public Key Infrastructure (PKI) works, especially with regards to how a certificate chain works and is verified. It takes time to get it all down, and code signing in PowerShell is not the easiest place to start, but if you're going to do a lot of it, it's worth the time investment.
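
Added example, not part of the original posts or of Don Jones's article: a PowerShell function (the name Test-CodeSigningCert is hypothetical) that reports, for each certificate in a store, the two properties the answer above turns on: whether a private key is associated with it and whether its Enhanced Key Usage extension lists the Code Signing OID 1.3.6.1.5.5.7.3.3. It assumes these two checks approximate what the -codesigning filter requires.

```powershell
# Added example (not from the original posts). Test-CodeSigningCert is a hypothetical name.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # the value given to makecert -eku above

function Test-CodeSigningCert {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # OIDs listed in the Enhanced Key Usage extension (empty if the extension is absent).
        $ekuOids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )

        # Assumption: these two checks approximate what the -codesigning filter requires.
        $reasons = @()
        if (-not $Certificate.HasPrivateKey) {
            $reasons += 'no private key is associated with the certificate in this store'
        }
        if ($ekuOids -notcontains $CodeSigningOid) {
            $reasons += "EKU does not list Code Signing ($CodeSigningOid)"
        }

        [pscustomobject]@{
            Thumbprint    = $Certificate.Thumbprint
            Subject       = $Certificate.Subject
            SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
            HasPrivateKey = $Certificate.HasPrivateKey
            EkuOids       = ($ekuOids -join ', ')
            Suitable      = ($reasons.Count -eq 0)
            Reasons       = ($reasons -join '; ')
        }
    }
}

# Report on every certificate in the store the question lists.
Get-ChildItem Cert:\CurrentUser\My | Test-CodeSigningCert | Format-List
```

A certificate issued without -eku 1.3.6.1.5.5.7.3.3, like the one in the question, comes back with an empty EkuOids field and a matching entry in Reasons.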

Decryption with gpg

gpg --output C:\ecshome\mboxes\store\20150410_030846_1_0001_6pik.msg.asc --passphrase abcd. --no-default-keyring --decrypt C:\ecshome\mboxes\store\20150410_030846_1_0001_6pik.msg
When I try to decrypt an email message by using gpg from the command prompt, it works. But when I try to decrypt the same with a Perl script by using external command, it shows the "Secret key not available" error (On Windows).
You haven't shown us the way you quote that command in Perl, but allow me to guess that you haven't taken into account the fact that the backslash is both the Windows directory separator and the Perl string escape. You should be aware that "\e", the 3rd character in your --output & --decrypt paths, is the character (ESC). The sequences "\m" and "\s" interpolate to 'm' and 's' respectively.
Possible solutions include either delimiting the string with q()/single quotes or doubling up the backslashes in qq()/qx()/double quotes/back quotes.
The problem was with the pubkey ring. Apparently it's stored for each user under their application data directory if you don't mention any home directory specifically at the time of installation. If you execute from the command prompt, it will take it directly from the present user's application data, but from Perl it won't check there. You have to specifically configure GNUPGHOME to that folder (application data), then run the Perl script.

Certutil -restrict Error The system cannot find the file specified

I am trying to get the certificates which are valid within the given date range:-
certutil –view –restrict "NotAfter<=July 31,2013 08:00AM,NotAfter>=July 20,2013 08:00AM" –out "RequestID,RequesterName"
Reference :- http://blogs.technet.com/b/pki/archive/2008/04/24/how-to-determine-all-certificates-that-will-expire-within-30-days.aspx
I get the following error :-
CertUtil: The system cannot find the file specified.
Any help is appreciated.
I was facing a similar kind of problem where, while adding the certificate to the store using the command CertUtil -addStore Mykey.cer, I was getting the error
CertUtil: The system cannot find the file specified.
The problem was that it was unable to locate the certificate or import it. To resolve this, I did the following (in an Administrator command prompt):
1. Used ss -root at the end of the MakeCert command.
2. Ran the CertUtil command from the same location where I ran the MakeCert command.