Re: Finding Certificates for decryption
- From: Damik <damik@xxxxxxxxxx>
- Date: 24 May 2007 00:55:33 -0700
As it turns out, in the 2nd step, user b overwrites some fields, such
as serial number and issuer. Once we got these in sync, we were back
in business. Thus far, we have been using the personal store ("my");
how do you specify the root store?
Thanks, D
On May 20, 1:11 am, lelteto <lelt...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
1. Are you setting CERT_STORE_NO_CRYPT_RELEASE_FLAG flag in
CertSetCertificateContextProperty ? The doc says if not set, the provider
will be released when the cert context released. (Not sure this is an issue -
but don't know for sure.)
2. Which store are you adding the cert to? I assume it's the "Personal", but
you should check that. (By default self-signed certs should go to the root
store.)
3. Another problem may be that the Personal store assumes the cert is signed
and the signing authority's cert should be in the root store.
You may try the following:
- create a self-signed cert #1 and put it into the root store
- create a signed (with #1) cert #2 and put it into the Personal store
- use #2 as now you are using the cert / public key.
Laszlo Elteto
SafeNet, Inc.
"Damik" wrote:
Thanks for the quick reply
Amended user a beginning:
CryptAcquireContext
CryptGenKey
CertCreateSelfSignCertificate w/ CERT_CREATE_SELFSIGN_NO_SIGN
CertSetCertificateContextProperty w/ CERT_KEY_PROV_INFO_PROP_ID
CertAddCertificateContextToStore
CryptExportPublicKeyInfo
For CryptAcquireContext, I'm using a unique container name, partially
based on email address and PROV_RSA_FULL & MS_STRONG_PROV
I'm generating both signature and exchange keys, but only dealing with
the exchange key for now.
Thanks, D
On May 19, 12:57 am, lelteto <lelt...@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote:
Two things:
1. I don't see where you ADD the cert into user a's cert store.
2. You don't tell the parameters of CryptAcquireContext (are you using
default container?) and of CryptGenKey (are you generating AT_KEYEXCHANGE key
pair?)
Laszlo Elteto
SafeNet, Inc.
"Damik" wrote:
I keep getting: 0x8009200c, "Cannot find the certificate and private
key to use for decryption.", when I call CryptDecryptMessage. For the
life of me, I can't seem to get the system to find the certificate,
even though it's basically the only certificate in my system.
Here is my process:
user a:
CryptAcquireContext
CryptGenKey
CertCreateSelfSignCertificate w/ CERT_CREATE_SELFSIGN_NO_SIGN
CertSetCertificateContextProperty w/ CERT_KEY_PROV_INFO_PROP_ID
CryptExportPublicKeyInfo
--> send that key to user b
user b:
verifies user a
puts that key into a x509 certificate
signs the certificate
user c:
requests the certificate from user b
adds it into his store via:
CertAddCertificateContextToStore
then sends a message to user a; by including that certificate into a
call to
CryptEncryptMessage
Everything is fine, the actual binary data seems to have the proper
certificate included.
--> msg sent to user a:
user a:
get the message
calls CryptDecryptMessage with resulting error
Anything obvious amiss here?
I could show you specific code samples as needed, obviously though,
there are different parts being run on different places.
Thanks, D
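The resolution reported at the top of the thread (serial number and issuer out of sync between the message and the stored certificate) can be checked with a diagnostic like the one below. It is an added example, not code from the thread's participants. It assumes Windows PowerShell 5.1 and a hypothetical `$MessagePath` pointing at the saved output of CryptEncryptMessage. Issuer names are compared as strings, so review them by eye if the formatting differs.

```powershell
# Added diagnostic (not from the thread). $MessagePath is a hypothetical path to the
# enveloped message that CryptDecryptMessage rejects with 0x8009200c.
param([Parameter(Mandatory)][string]$MessagePath)

Add-Type -AssemblyName System.Security

# Decode the PKCS#7 EnvelopedData structure only; no decryption is attempted.
$cms = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
$cms.Decode([System.IO.File]::ReadAllBytes($MessagePath))

# Certificates visible to the decrypting user: personal ("MY") and root stores.
$certs = foreach ($store in 'My', 'Root') {
    Get-ChildItem "Cert:\CurrentUser\$store" | ForEach-Object {
        [pscustomobject]@{ Store = $store; Cert = $_ }
    }
}

foreach ($ri in $cms.RecipientInfos) {
    $id = $ri.RecipientIdentifier
    if ($id.Type -ne [System.Security.Cryptography.Pkcs.SubjectIdentifierType]::IssuerAndSerialNumber) {
        "Recipient identified by $($id.Type); issuer/serial check skipped"
        continue
    }

    # X509IssuerSerial: the issuer name and serial number the sender encrypted to.
    $want = $id.Value
    "Message recipient: issuer='$($want.IssuerName)' serial=$($want.SerialNumber)"

    # -eq on strings is case-insensitive, which suits the hex serial numbers.
    $hits = $certs | Where-Object { $_.Cert.SerialNumber -eq $want.SerialNumber }
    if (-not $hits) {
        "  no certificate with that serial number in MY or Root"
    }
    foreach ($h in $hits) {
        $c = $h.Cert
        $sameIssuer = $c.IssuerName.Name -eq $want.IssuerName
        # HasPrivateKey is true only when the certificate is linked to a key container.
        "  [$($h.Store)] $($c.Thumbprint) issuerMatch=$sameIssuer hasPrivateKey=$($c.HasPrivateKey)"
    }
}
```

Decryption can only succeed for a recipient line that reports a certificate with both `issuerMatch=True` and `hasPrivateKey=True`.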