Re: Finding Certificates for decryption



To open the root cert store you can use CertOpenSystemStore (ROOT)

Laszlo Elteto
SafeNet, Inc.

"Damik" wrote:

As it turns out, in the 2nd step, user b overwrites some fields, such
as serial number and issuer. Once we got these in sync, we were back
in business. Thus far, we have been using the personal store ("my");
how do you specify the root store?

Thanks, D


On May 20, 1:11 am, lelteto <lelt...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
1. Are you setting CERT_STORE_NO_CRYPT_RELEASE_FLAG flag in
CertSetCertificateContextProperty ? The doc says if not set, the provider
will be released when the cert context released. (Not sure this is an issue -
but don't know for sure.)
2. Which store are you adding the cert to? I assume it's the "Personal", but
you should check that. (By default self-signed certs should go to the root
store.)
3. Another problem may be that the Personal store assumes the cert is signed
and the signing authority's cert should be in the root store.
You may try the following:
- create a self-signed cert #1 and put it into the root store
- create a signed (with #1) cert #2 and put it into the Personal store
- use #2 as now you are using the cert / public key.

Laszlo Elteto
SafeNet, Inc.
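As an added diagnostic (not code from this thread), the script below checks the three things discussed above on user a's side: whether the issuer/serial the sender encrypted to matches a cert in the "my" store (the mismatch Damik found), whether that cert is linked to a key container via CERT_KEY_PROV_INFO_PROP_ID, and whether that container holds an AT_KEYEXCHANGE key. It assumes Windows PowerShell 5.1, a CSP (CryptoAPI) key behind the cert, and a message file written by CryptEncryptMessage; the path is a constructed placeholder.

```powershell
# Added diagnostic, not code from the thread. Assumes Windows PowerShell 5.1
# (System.Security for EnvelopedCms) and a CSP/CryptoAPI key behind the cert.
Add-Type -AssemblyName System.Security

function Get-RecipientIds([byte[]]$Message) {
    # Decode the CryptEncryptMessage output (PKCS#7 EnvelopedData) and list
    # the issuer/serial pairs the sender encrypted to.
    $cms = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $cms.Decode($Message)
    foreach ($ri in $cms.RecipientInfos) {
        if ($ri.RecipientIdentifier.Type -eq 'IssuerAndSerialNumber') {
            $ri.RecipientIdentifier.Value   # X509IssuerSerial: IssuerName, SerialNumber
        }
    }
}

function Test-DecryptionCert([string]$MessagePath) {
    $my  = Get-ChildItem Cert:\CurrentUser\My
    $ids = Get-RecipientIds ([IO.File]::ReadAllBytes($MessagePath))
    foreach ($id in $ids) {
        Write-Host "Message recipient: issuer='$($id.IssuerName)' serial=$($id.SerialNumber)"
        # CryptDecryptMessage looks the recipient up by issuer+serial, so the cert in
        # the store must carry exactly these values. Compared case-insensitively;
        # issuer name formatting can differ slightly between the two APIs.
        $cert = $my | Where-Object { $_.Issuer -ieq $id.IssuerName -and $_.SerialNumber -ieq $id.SerialNumber }
        if (-not $cert) { Write-Host "  FAIL: no cert with that issuer/serial in CurrentUser\My"; continue }
        Write-Host "  found $($cert.Thumbprint)"
        # The cert must be linked to a key container (CERT_KEY_PROV_INFO_PROP_ID)
        if (-not $cert.HasPrivateKey) { Write-Host "  FAIL: no private key linked"; continue }
        try {
            $csp = $cert.PrivateKey.CspKeyContainerInfo
            Write-Host "  container=$($csp.KeyContainerName) provider=$($csp.ProviderName) key=$($csp.KeyNumber)"
            # Decryption needs the AT_KEYEXCHANGE pair, not the signature pair
            if ($csp.KeyNumber -ne 'Exchange') { Write-Host "  FAIL: not an exchange key" }
        } catch { Write-Host "  FAIL: cannot open the key container: $_" }
    }
}

Test-DecryptionCert 'C:\temp\msg.p7m'   # constructed placeholder path
```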




"Damik" wrote:
Thanks for the quick reply

Amended user a beginning:

CryptAcquireContext

CryptGenKey

CertCreateSelfSignCertificate w/ CERT_CREATE_SELFSIGN_NO_SIGN
CertSetCertificateContextProperty w/ CERT_KEY_PROV_INFO_PROP_ID
CertAddCertificateContextToStore

CryptExportPublicKeyInfo

For CryptAcquireContext, I'm using a unique container name, partially
based on email address and PROV_RSA_FULL & MS_STRONG_PROV

I'm generating both signature and exchange keys, but only dealing with
the exchange key for now.

Thanks, D

On May 19, 12:57 am, lelteto <lelt...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Two things:
1. I don't see where you ADD the cert into user a's cert store.
2. You don't tell the parameters of CryptAcquireContext (are you using
default container?) and of CryptGenKey (are you generating AT_KEYEXCHANGE key
pair?)

Laszlo Elteto
SafeNet, Inc.

"Damik" wrote:
Finding Certificates for decryption

I keep getting:

0x8009200c, "Cannot find the certificate and private key to use for
decryption.", when I call CryptDecryptMessage. For the life of me, I
can't seem to get the system to find the certificate, even though it's
basically the only certificate in my system.

Here is my process:

user a:

CryptAcquireContext

CryptGenKey

CertCreateSelfSignCertificate w/ CERT_CREATE_SELFSIGN_NO_SIGN
CertSetCertificateContextProperty w/ CERT_KEY_PROV_INFO_PROP_ID

CryptExportPublicKeyInfo

--> send that key to user b

user b:

verifies user a
puts that key into a x509 certificate
signs the certificate

user c:

requests the certificate from user b

adds it into his store via:

CertAddCertificateContextToStore

then sends a message to user a; by including that certificate into a
call to

CryptEncryptMessage

Everything is fine, the actual binary data seems to have the proper
certificate included.

--> msg sent to user a:

user a:

get the message

calls CryptDecryptMessage with resulting error

Anything obvious amiss here?

I could show you specific code samples as needed, obviously though,
there are different parts being run on different places.

Thanks, D