Showing posts with label SSL. Show all posts

Thursday, July 14, 2016

Keyset does not exist

Problem:

I have some code that makes a call to an external web service that is secured using an X.509 certificate.  If I call the service with the application pool set to Local Service, it executes.


When I set the app pool to use a domain account (domain\svc.account), the web service call fails with the error: Keyset does not exist.


Solution:

The certificate itself is installed correctly; what is missing is an ACL entry on its private key file.  The built-in Local Service identity can already read the machine key store, but a domain account cannot, and CryptoAPI reports a key container it is not allowed to open as NTE_BAD_KEYSET ("Keyset does not exist") rather than as an access-denied error.  Grant the app pool identity read access to the certificate's private key:


  1. Start -> Run -> MMC
  2. File -> Add/Remove Snapin
  3. Add the Certificates Snap In
  4. Select Computer Account, then hit next
  5. Select Local Computer (the default), then click Finish
  6. On the left panel from Console Root, navigate to Certificates (Local Computer) -> Personal -> Certificates
  7. Your certificate will most likely be here.
  8. Right click on your certificate -> All Tasks -> Manage Private Keys
  9. Add your service account (domain\svc.account) to the access list.  Read is sufficient; do not grant Full Control, since the account only needs to use the key, not replace or delete it.  If the app pool runs as ApplicationPoolIdentity instead of a domain account, the principal to add is IIS AppPool\<pool name>.
  10. You may also need to add the local IIS_IUSRS group to the access list, again with Read only.
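Steps 8 to 10 set a file ACL on the key file that the Microsoft software providers keep under ProgramData\Microsoft\Crypto. The same change scripted in PowerShell, as an added example that is not part of the original post; it assumes .NET 4.6 or later on the server, an RSA key held by a Microsoft software provider in its default key directory, and placeholder values for the thumbprint and the account:

```powershell
# Added example (not from the original post): grant an app pool identity Read on a
# certificate's private key, the scripted equivalent of MMC -> Manage Private Keys.
# Assumptions: thumbprint and account below are placeholders; .NET 4.6+ is installed.
param(
    [string]$Thumbprint = 'PASTE-THUMBPRINT-HERE',   # assumption: replace with your cert's thumbprint
    [string]$Account    = 'DOMAIN\svc.account'       # assumption: or 'IIS AppPool\<pool name>' for ApplicationPoolIdentity
)

# A thumbprint copied from the MMC dialog carries invisible U+200E/U+200F marks and spaces;
# keep only the hex digits or the comparison below never matches.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate has no private key; import the .pfx with its key first" }

# Locate the key file. GetRSAPrivateKey returns RSACng for CNG keys (stored under
# ProgramData\Microsoft\Crypto\Keys) and RSACryptoServiceProvider for legacy CAPI keys
# (stored under ProgramData\Microsoft\Crypto\RSA\MachineKeys).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Not an RSA key (an ECDSA key needs GetECDsaPrivateKey instead)" }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyPath = Join-Path $env:ProgramData ("Microsoft\Crypto\Keys\" + $rsa.Key.UniqueName)
} else {
    $keyPath = Join-Path $env:ProgramData ("Microsoft\Crypto\RSA\MachineKeys\" + $rsa.CspKeyContainerInfo.UniqueKeyContainerName)
}
if (-not (Test-Path $keyPath)) { throw "Key file not found at $keyPath (non-default provider or key directory?)" }

# Least privilege: Read is all IIS needs to sign with the key. Do not grant Full Control.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting entry so the change can be checked against what MMC displays.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell prompt, then recycle the app pool so the worker process picks up the new ACL. If the key was imported into a third-party provider or the directories differ from the defaults assumed above, the Test-Path check fails and the MMC route in steps 8 to 10 is the fallback.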

Source

Thursday, October 29, 2015

IIS private key export as base64 cert.

Problem:

I was trying to export an SSL public/private key pair from IIS.  It will export only as a .pfx.  I needed it as a base64-encoded file.  This often happens with proxy servers which host a front end; they don't seem to like .pfx since they all tend to run Linux.

Solution:

Create a small console application that finds the certificate in the machine store and exports it programmatically.  Two things to watch: a thumbprint pasted from the MMC certificate dialog carries an invisible U+200E mark at the front (the commented-out thumbprint in the original code has one), so the lookup returns nothing unless it is stripped first; and what the code writes is the password-protected PKCS#12 (.pfx) bytes base64-encoded, which is not the same thing as a PEM file.

    using System;
    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using System.Text.RegularExpressions;

    class ExportCert
    {
        static void Main(string[] args)
        {
            // Usage: ExportCert.exe <thumbprint> <pfx-password> [output-file]
            string rawThumbprintString = args[0];
            string pfxPassword = args[1];   // supplied at run time; do not hard-code it in source
            string outputPath = args.Length > 2 ? args[2] : @"C:\viper\aeitt.cer.txt";

            // A thumbprint copied out of the MMC dialog carries invisible left-to-right /
            // right-to-left marks (U+200E, U+200F) and spaces. Keep only the hex digits;
            // otherwise FindByThumbprint silently returns an empty collection.
            string m_X509CertificateThumbprint = Regex.Replace(rawThumbprintString, @"[^0-9A-Fa-f]", string.Empty);

            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                // validOnly: true skips expired or untrusted certificates; pass false if you need one of those.
                var cert = store.Certificates.Find(X509FindType.FindByThumbprint, m_X509CertificateThumbprint, true);
                if (cert.Count == 0)
                {
                    Console.Error.WriteLine("Certificate not found in LocalMachine\\My: " + m_X509CertificateThumbprint);
                    return;
                }

                X509Certificate2 full = cert[0];
                Console.WriteLine(full.FriendlyName);

                // Export(Pfx) only includes the private key if it was imported as exportable.
                // The result is a password-protected PKCS#12 blob; base64-encoding it still yields a PFX, not PEM.
                byte[] exported = full.Export(X509ContentType.Pfx, pfxPassword);
                string base64 = Convert.ToBase64String(exported);
                File.WriteAllText(outputPath, base64);
            }
            finally
            {
                store.Close();
            }
        }
    }
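A base64-encoded .pfx is still a PKCS#12 container, which nginx, HAProxy and Apache on the Linux side will not load; what they want is a PEM certificate chain plus a PEM private key. The following PowerShell script, an added example that is not part of the original post, does the same store lookup and thumbprint cleanup as the C# above but writes the chain as PEM directly and hands the private key over as a password-protected .pfx for conversion with openssl on the proxy. It assumes placeholder values for the thumbprint and output folder, the PKI module's Export-PfxCertificate cmdlet (Windows Server 2012 and later), and an exportable private key:

```powershell
# Added example (not from the original post): export an IIS certificate in the forms a
# Linux reverse proxy expects. Thumbprint and output folder are placeholder assumptions.
param(
    [string]$Thumbprint = 'PASTE-THUMBPRINT-HERE',
    [string]$OutDir     = 'C:\temp\certexport'
)

# Same cleanup the C# code does: MMC's copy of a thumbprint carries U+200E and spaces.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key to export" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# PEM is the DER bytes base64-encoded in 64-column lines between BEGIN/END CERTIFICATE markers.
function ConvertTo-PemCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    $b64   = [Convert]::ToBase64String($c.Export('Cert'))   # public certificate only, no key
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
    "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
}

# 1. fullchain.pem: leaf first, then intermediates, root omitted (clients already trust it).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # building the chain offline is enough here
[void]$chain.Build($cert)
$pem = ''
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    if ($c.Subject -eq $c.Issuer) { continue }   # self-signed root
    $pem += ConvertTo-PemCertificate $c
}
[System.IO.File]::WriteAllText((Join-Path $OutDir 'fullchain.pem'), $pem)

# 2. site.pfx: the private key. .NET 4.x on the IIS box cannot write a PKCS#8 PEM, so export a
#    password-protected PFX and convert it on the Linux side with:
#      openssl pkcs12 -in site.pfx -nocerts -nodes -out privkey.pem
#    (-nodes leaves the key unencrypted on disk: chmod 600 privkey.pem and delete site.pfx afterwards.)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'   # prompted, never stored in the script
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'site.pfx') -Password $pfxPassword | Out-Null

Get-ChildItem -Path $OutDir
```

Export-PfxCertificate fails if the key was imported without the exportable flag; in that case the key cannot leave the machine by this route and has to be re-issued or re-imported. Transfer site.pfx over an authenticated channel (scp or similar), not by e-mail, since it carries the private key.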

Source:
http://stackoverflow.com/questions/8863785/how-to-get-the-base-64-encoded-value-of-a-certificate-with-private-key
http://stackoverflow.com/questions/11115511/how-to-find-certificate-by-its-thumbprint-in-c-sharp

Wednesday, June 3, 2015

DISA PKI and PKE Tools

This tool allows users to install DoD production PKI, Joint Interoperability Test Command (JITC) test PKI, and External Certification Authority (ECA) CA certificates into their Windows and Firefox certificate stores. InstallRoot 4.1 is packaged with a command line version as well as an InstallRoot service, which can check for updated Trust Anchor Management Protocol (TAMP) messages that contain the latest certificate information from DoD. The following operating systems are supported: Windows XP, Windows Vista, Windows 7, Windows 8 and 8.1, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.



Source:
http://iase.disa.mil/pki-pke/Pages/tools.aspx