Re: CRYPT_MACHINE_KEYSET and access to the private key

From: PEACEMAKER (do.not.email_at_yo.mamas.hairy.ass.com)
Date: 11/22/04


Date: Sun, 21 Nov 2004 19:57:13 -0500

Well, I've narrowed it down to the CSP; Schannel probably does not like any
of the ones listed in the CryptAcquireContext() function documentation. I've
also seen discussions on Google mentioning this; some even suggest
passing -sy 12 to the makecert.exe certificate application to create an
SCHANNEL-compatible certificate. I've tried PROV_RSA_SCHANNEL, PROV_RSA_FULL
(and associated providers) with no success. The certificate itself is fine,
it can encrypt/decrypt and sign with no problems. Just won't work with
schannel.

"PEACEMAKER" <do.not.email@yo.mamas.hairy.ass.com> wrote in message
news:e67dz05zEHA.2040@tk2msftngp13.phx.gbl...
> I fixed it; however, the certificate still fails to work with schannel (for
> ssl/tls, "The credentials supplied to the package were not recognized").
>
> I also tried using CertCreateSelfSignCertificate() but the resulting
> certificate suffers from the same schannel usage difficulties mentioned
> above.
>
> It seems like AcquireCredentialsHandle does not recognize the credentials
> or is missing some info from the certificate itself.
>
>
> "PEACEMAKER" <do.not.email@yo.mamas.hairy.ass.com> wrote in message
> news:OaF2SS2zEHA.3840@tk2msftngp13.phx.gbl...
>> I create a certificate and specify a CRYPT_MACHINE_KEYSET to
>> CryptAcquireContext.
>>
>> After setting everything up and signing and encoding the certificate I
>> use CreateCertContext() to extract the certificate context. I then link
>> the certificate to the private key using
>>
>> CertSetCertificateContextProperty(pCertCtx,CERT_KEY_PROV_INFO_PROP_ID,CERT_STORE_NO_CRYPT_RELEASE_FLAG,&keyinfo)
>>
>> and
>>
>> CertSetCertificateContextProperty(pCertCtx,CERT_KEY_CONTEXT_PROP_ID,CERT_STORE_NO_CRYPT_RELEASE_FLAG,&certkctx)
>>
>> after this, I open the system certificate store and save the certificate
>> context.
>>
>>
>> PROBLEM: The certificate is valid but access to the private key is not.
>>
>> When I use it with SCHANNEL I get: "The credentials supplied to the
>> package were not recognized"
>>
>> when I view it with winhttpcertcfg it says
>>
>> "Matching certificate:
>> C=US
>> S=New York
>> L=New York
>> OU=north america
>> O=earth
>> E=a@b.c
>> CN=hostname_or_ipaddress
>>
>> Error: Access was not successfully obtained for the private key.
>> This can only be done by the user who installed the certificate."
>>
>>
>> THE FIX is to use the function
>>
>> CryptFindCertificateKeyProvInfo(pCertCtx,CRYPT_FIND_MACHINE_KEYSET_FLAG,NULL)
>>
>> This call throws a few first chance exceptions and magically "fixes" the
>> certificate. SCHANNEL suddenly works and winhttpcertcfg returns
>>
>> "Matching certificate:
>> C=US
>> S=New York
>> L=New York
>> OU=north america
>> O=earth
>> E=a@b.c
>> CN=hostname_or_ipaddress
>>
>> Additional accounts and groups with access to the private key include:
>> NT AUTHORITY\SYSTEM
>> BUILTIN\Administrators"
>>
>> I would like to know why CryptFindCertificateKeyProvInfo() makes the
>> certificate valid. Did I miss something while creating the certificate?
>> Do I have to do something else other than setting the certificate
>> properties? Should I manually add ACL for the SYSTEM and Administrators
>> account?
>>
>> The reason I can't use CryptFindCertificateKeyProvInfo() is that it takes
>> a long time (5 minutes) on a fully patched win2k3 server and 0 seconds on
>> win2k, xp (sp2) and an unpatched win2k3 server.
>>
>
>
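A way to check the two things the thread is circling around, added here as an example and not code from the original posts: whether the certificate's key-provider binding (the CERT_KEY_PROV_INFO_PROP_ID data) points at the machine key store rather than the installing user's keyset, and which accounts have NTFS access to the key file, which is what the winhttpcertcfg output in the post lists. It assumes Windows PowerShell on a machine where the certificate sits in Cert:\LocalMachine\My with a CryptoAPI (CSP) key, and that the CN is passed in as a parameter; $SubjectCN, the ProgramData key-file path and the "Read|FullControl" filter are my assumptions, not anything from the thread.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell, a
# certificate in Cert:\LocalMachine\My and a CSP (CryptoAPI) private key; CNG
# keys expose no CspKeyContainerInfo and are reported as unreachable below.
param(
    [Parameter(Mandatory = $true)]
    [string]$SubjectCN   # placeholder, e.g. the CN used when creating the cert
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($SubjectCN))" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectCN in LocalMachine\My" }

"Thumbprint      : $($cert.Thumbprint)"
"HasPrivateKey   : $($cert.HasPrivateKey)"   # False => no key-provider property set

try   { $csp = $cert.PrivateKey }           # RSACryptoServiceProvider for CSP keys
catch { $csp = $null }                      # CNG key or container not openable
if (-not $csp -or -not $csp.CspKeyContainerInfo) {
    Write-Warning "Key container not reachable from this account (CNG key, user keyset, or ACL)."
    return
}
$info = $csp.CspKeyContainerInfo
"Provider        : $($info.ProviderName) (type $($info.ProviderType))"
"Container       : $($info.KeyContainerName)"
"MachineKeyStore : $($info.MachineKeyStore)"   # False => bound to a per-user keyset,
                                               # which a service account cannot open

if ($info.MachineKeyStore) {
    # Machine keys live as files here on Vista+; the assumed path may differ on older OS.
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
    if (Test-Path $keyFile) {
        "Key file        : $keyFile"
        "Accounts with read access to the private key:"
        (Get-Acl $keyFile).Access |
            Where-Object { $_.FileSystemRights -match 'Read|FullControl' } |
            ForEach-Object { "  {0,-32} {1}" -f $_.IdentityReference, $_.FileSystemRights }
    }
}
```

If MachineKeyStore prints False, the CRYPT_KEY_PROV_INFO written at creation lacked the machine-keyset flag, so only the installing user can open the key; if it prints True but SYSTEM and Administrators are absent from the ACL listing, the key file's DACL is what needs attention rather than the certificate properties.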
