ASP.NET Certificate Hell - 1024 bit? PFX linked to CSP?

From: Chris L. (clintved_at_isdh.state.in.us)
Date: 10/02/04


Date: Fri, 1 Oct 2004 17:26:38 -0500

Two questions.

1. Can you not create a 1024 bit certificate with makecert on a Windows 2000
server machine? I tried adding the parameter -sp "Microsoft Enhanced
Cryptographic Provider 1.0", but I get the following error "Can't create the
key of the subject ('CN=myname')".
Then I try the trick where you create a keypair with the RSAProvider
programmatically, then use makecert with the same keystore name, but I get
the same error. It seems like a permissions type error preventing me from
linking up to a 1024bit key. So, any way to create a 1024 bit key on a Win
2000 server machine without getting that error message (not creating
elsewhere then importing via PFX, that's still programmatic; see next
question)?

2. If the above is not possible, my question is if I create the 1024bit
certificate on another machine, then export with the private key and then
import on the target server, will the importing action create and link the
certificate to the key container? I used CAPICOM to observe what container
name it retrieved from the certificate (as all CAPICOM really
allows you to do is get the container name via the CN Subject and cert
keystore) and the name that's returned is a long GUID number similar to
this: {f69c2cf9-4gaa-48d8-9b36-8f43a53a5574}....not what the original
container name, as specified by the -sk parameter with makecert, was. So it
doesn't appear to be linking the certificate with the keystore properly. Can
anyone verify this?

Thanks,

Chris


