Re: SOLVED! cause: cut&paste of certs in the mmc certs snap in does not include private keys!

From: Steve Cartwright [MSFT] (scart@online.microsoft.com)
Date: 04/23/03


From: "Steve Cartwright [MSFT]" <scart@online.microsoft.com>
Date: Tue, 22 Apr 2003 15:09:10 -0700


Hi Flipper, I checked for you for the technical reason on this.

The certificate is associated with its private key through a certificate
property. The property contains information about how to find the key. Keys
are stored in separate locations per user, and also separately for the
machine. When acquiring the key, one must pass a flag (which is also present
in the property) that specifies whether to acquire a key in the user or the
machine context.

When one just copies the certificate from a store in the user context to a
store in the machine context, the key property is also simply copied along
with the certificate. The key is not copied from the user location to a
machine location, neither is the property altered - it still points to the
key in the user location.

The "you have a private key for this certificate" message that you got when
moving the cert from user context to machine context is expected, because it
simply indicates the property is present. No check is actually done to
verify the key exists.

Applications running in the machine context don't have access to the user's
private keys, only to private keys stored in machine context. Hence, an
application running in the machine context, attempting to use that
certificate that was copied in the way specified below, will fail to acquire
the private key associated with that certificate.

Hope this explanation helps somewhat for the trouble you had with this.

-- 
Stephen Cartwright [MSFT]
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights
---------------------------------------------------------
"Mark Swift [MSFT]" <mswift@online.microsoft.com> wrote in message
news:eA4h3neBDHA.2264@TK2MSFTNGP12.phx.gbl...
> I will pass on your comments, glad you solved it :)
>
> --
> Mark Swift
> Microsoft/Windows/Networking/Secure Network Services/IP Security
> Software Test Engineer
>
> ----------------------------------------------------------------------------
> ---------------------------------------
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples is subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm"
> ----------------------------------------------------------------------------
> ---------------------------------------
>
>
>
> "flipper" <flipper@gmx.de> wrote in message
> news:b7nrih$frq$02$1@news.t-online.com...
> > hi,
> >
> > i just solved it.
> > always verify if there's an entry for the certificate's private key in
> > C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Crypto\RSA\MachineKeys,
> > then you can be sure.
> > Look for a matching datestamp.
> >
> > @Microsoft Team:
> > Thanks for your comments, but please get this issue fixed in sp's. After
> > c&p from user store to machine store the cert manager should NO LONGER
> > display the message "you have a private key for this certificate", please
> > mention this in the papers explicitly too.
> >
> > Thx ALL,
> > CYa
> >
> >
> > "flipper" <flipper@gmx.de> wrote in message
> > news:b7im0o$rve$02$1@news.t-online.com...
> > > oh dear, but with certificates it doesn't work at all,
> > > PLEASE EVERYONE HELP:
> > >
> > > this is what the debug log oakley.log looks like (config as per the MS
> > > guide, which is also available in German)
> > > I've tried it with all possible certificate sources, always the same:
> > > peer1:
> > >
> > > 4-16: 04:57:25:805:9c4 Receive: (get) SA = 0x000fb490 from 192.168.2.101
> > > 4-16: 04:57:25:805:9c4 ISAKMP Header: (V1.0), len = 1556
> > > 4-16: 04:57:25:805:9c4 I-COOKIE 3ccdc554cc3dc04d
> > > 4-16: 04:57:25:805:9c4 R-COOKIE 95cb0109e456387d
> > > 4-16: 04:57:25:805:9c4 exchange: Oakley Main Mode
> > > 4-16: 04:57:25:805:9c4 flags: 1 ( encrypted )
> > > 4-16: 04:57:25:805:9c4 next payload: ID
> > > 4-16: 04:57:25:805:9c4 message ID: 00000000
> > > 4-16: 04:57:25:805:9c4 processing payload ID
> > > 4-16: 04:57:25:805:9c4 processing payload CERT
> > > 4-16: 04:57:25:805:9c4 processing payload CRP
> > > 4-16: 04:57:25:805:9c4 C=DE, O=za, OU=za, CN=za
> > > 4-16: 04:57:25:805:9c4 processing payload SIG
> > > 4-16: 04:57:25:805:9c4 Verifying CertStore
> > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > 4-16: 04:57:25:805:9c4 Cert Trustes. 0 100
> > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=z2
> > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 0300000000000567b711
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > 4-16: 04:57:25:805:9c4 SubjectName: C=DE, O=za, OU=za, CN=za
> > > 4-16: 04:57:25:805:9c4 Cert Serialnumber 8f5c036b7419284c8ff4d2b070e12c49
> > > 4-16: 04:57:25:805:9c4
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint 0269aeec2d0b6d52bb73c3e6bf919028
> > > 4-16: 04:57:25:805:9c4 b2b9eb19
> > > 4-16: 04:57:25:805:9c4 Cert SHA Thumbprint dfe07769ade3821f546afbaa5225bab0
> > > 4-16: 04:57:25:805:9c4 a9bee86d
> > > 4-16: 04:57:25:805:9c4 Entered CRL check
> > > 4-16: 04:57:31:934:9c4 Left CRL check
> > > 4-16: 04:57:31:934:9c4 Signature validated
> > >
> > > 4-16: 04:57:31:934:9c4 constructing ISAKMP Header
> > > 4-16: 04:57:31:934:9c4 constructing ID
> > > 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> > > 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> > > 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
> > >
> > > Keyset does not exist. ???????
> > >
> > > 4-16: 04:57:31:934:9c4 Failed to get key for cert
> > > 4-16: 04:57:31:934:9c4 Looking for IPSec only cert
> > > 4-16: 04:57:31:934:9c4 failed to get chain 80092004
> > > 4-16: 04:57:31:934:9c4 Looking for any cert
> > > 4-16: 04:57:31:934:9c4 Cert Trustes. 0 100
> > > 4-16: 04:57:31:934:9c4 AcquireContext Sig Key error: -2146893802
> > >
> > > 4-16: 04:57:31:934:9c4 Failed to get key for cert
> > > 4-16: 04:57:31:934:9c4 Looking for any cert
> > > 4-16: 04:57:31:934:9c4 failed to get chain 80092004
> > >
> > > Object or property not found. ????????
> > >
> > > 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000
> > > status:35fc
> > > 4-16: 04:57:31:934:9c4 isadb_set_status sa:000FB490 centry:00000000 status 35fc
> > > 4-16: 04:57:31:934:9c4 Schlüsselaustauschmodus (Hauptmodus)
> > >
> > >
> > > 4-16: 04:57:31:934:9c4 Quell-IP-Adresse 192.168.2.100
> > >
> > > Quell-IP-Adressmaske 255.255.255.255
> > >
> > > Ziel-IP-Adresse 192.168.2.101
> > >
> > > Ziel-IP-Adressmaske 255.255.255.255
> > >
> > > Protokoll 0
> > >
> > > Quellport 0
> > >
> > > Zielport 0
> > >
> > > Lokale IKE-Adresse
> > >
> > > Peer-IKE-Adresse
> > >
> > >
> > > 4-16: 04:57:31:934:9c4 Zertifikatsbasierte Identität.
> > >
> > > Peerantragsteller C=DE, O=za, OU=za, CN=z2
> > >
> > > Peer-SHA-Fingerabdruck dfe07769ade3821f546afbaa5225bab0a9bee86d
> > >
> > > Peer, der die Zertifizierungsstelle ausstellt: C=DE, O=za, OU=za, CN=za
> > >
> > > Stammzertifizierungsstelle
> > >
> > > Eigener Antragsteller
> > >
> > > Eigener SHA-Fingerabdruck 0000000000000000000000000000000000000000
> > >
> > > Peer-IP-Adresse: 192.168.2.101
> > >
> > >
> > > 4-16: 04:57:31:934:9c4 Benutzer
> > >
> > >
> > > 4-16: 04:57:31:934:9c4 Es ist kein privater Schlüssel mit dem
> > > Computerzertifikat verknüpft.
> > >
> > >
> > > 4-16: 04:57:31:934:9c4 0x80092004 0x0
> > > 4-16: 04:57:31:934:9c4 ProcessFailure: sa:000FB490 centry:00000000
> > > status:35fc
> > > 4-16: 04:57:31:934:9c4 Not creating notify.
> > >
> > > peer2:
> > >
> > > 4-15: 04:57:16:1fc *****************Queueing work for worker. 6
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 Resume: (get) SA = 0x00237a18 from 192.168.2.100
> > > 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 243
> > > 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> > > 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> > > 4-15: 04:57:16:128 exchange: Oakley Main Mode
> > > 4-15: 04:57:16:128 flags: 0
> > > 4-15: 04:57:16:128 next payload: KE
> > > 4-15: 04:57:16:128 message ID: 00000000
> > > 4-15: 04:57:16:128 Stopping RetransTimer sa:00237A18 centry:00000000
> > > handle:0009A1F0
> > > 4-15: 04:57:16:128 processing payload KE
> > > 4-15: 04:57:16:128 Generated 128 byte Shared Secret
> > > 4-15: 04:57:16:128 KE processed; DH shared secret computed
> > > 4-15: 04:57:16:128 processing payload NONCE
> > > 4-15: 04:57:16:128 processing payload CR
> > > 4-15: 04:57:16:128 Processing Cert request
> > > 4-15: 04:57:16:128 In state OAK_MM_Key_EXCH
> > > 4-15: 04:57:16:128 skeyid generated; crypto enabled (initiator)
> > > 4-15: 04:57:16:128 constructing ISAKMP Header
> > > 4-15: 04:57:16:128 constructing ID
> > > 4-15: 04:57:16:128 Cert Trustes. 0 0
> > > 4-15: 04:57:16:128 Key Contained Name
> > > 4-15: 04:57:16:128
> > > b53799241ca9cc0b251c811b2862f9b5_3ab5e203-31bc-4d7b-a784-bdae77975100
> > > 4-15: 04:57:16:128 Found try 1
> > > 4-15: 04:57:16:128 constructing CERT
> > > 4-15: 04:57:16:128 constructing SIG
> > > 4-15: 04:57:16:128 Construct SIG
> > > 4-15: 04:57:16:128 Hash algo 2
> > > 4-15: 04:57:16:128 Initiator ID 090000003034310b3009060355040613
> > > 4-15: 04:57:16:128 024445310b3009060355040a13027a61
> > > 4-15: 04:57:16:128 310b3009060355040b13027a61310b30
> > > 4-15: 04:57:16:128 09060355040313027a32
> > > 4-15: 04:57:16:128 Error 80090016 during CryptSignHash1!
> > >
> > > Keyset does not exist. ????????????
> > > THAT CAN'T BE, THEY'RE ALL THERE, WITH PRIVATE KEYS !!!!!!!!!
> > >
> > > 4-15: 04:57:16:128 Trying KE key
> > > 4-15: 04:57:16:128 Signature Created Successfully
> > > 4-15: 04:57:16:128 Sig LE: 23008a3510138947ad9badf54b5af5dd
> > > 4-15: 04:57:16:128 145f7dc9eb69a9d3f1f67a087a88c155
> > > 4-15: 04:57:16:128 19f27a0d8c2906879139417440391bf8
> > > 4-15: 04:57:16:128 0592ca96c96b641983b544b8e212be1c
> > > 4-15: 04:57:16:128 b75216f4e15acc4d617b2a1343c4ac77
> > > 4-15: 04:57:16:128 8b3c63b70ecc6a39ad80b93feb4d9912
> > > 4-15: 04:57:16:128 cbac3bcc022a3d9710217e0537c4bd69
> > > 4-15: 04:57:16:128 012789978177da76935b0ea21511b08c
> > > 4-15: 04:57:16:128 3030dd05be447d4117f31ae05e1531fd
> > > 4-15: 04:57:16:128 a3f74ff5be4af678707579a8ef1a599f
> > > 4-15: 04:57:16:128 4179b42b354c8c0db26d1055f7440d29
> > > 4-15: 04:57:16:128 ef45b12fb11e381dc87c0b197eb9e00f
> > > 4-15: 04:57:16:128 408492a40efa53c7524017d1aa37d3a7
> > > 4-15: 04:57:16:128 5cbf24b3fc6a552a6346ec9a59522d6b
> > > 4-15: 04:57:16:128 1606ce4ef1aac1edbf3f446fabe24027
> > > 4-15: 04:57:16:128 a93a91c41a8f5adc675eab4ba9327b37
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 SIG BE: 377b32a94bab5e67dc5a8f1ac4913aa9
> > > 4-15: 04:57:16:128 2740e2ab6f443fbfedc1aaf14ece0616
> > > 4-15: 04:57:16:128 6b2d52599aec46632a556afcb324bf5c
> > > 4-15: 04:57:16:128 a7d337aad1174052c753fa0ea4928440
> > > 4-15: 04:57:16:128 0fe0b97e190b7cc81d381eb12fb145ef
> > > 4-15: 04:57:16:128 290d44f755106db20d8c4c352bb47941
> > > 4-15: 04:57:16:128 9f591aefa879757078f64abef54ff7a3
> > > 4-15: 04:57:16:128 fd31155ee01af317417d44be05dd3030
> > > 4-15: 04:57:16:128 8cb01115a20e5b9376da778197892701
> > > 4-15: 04:57:16:128 69bdc437057e2110973d2a02cc3baccb
> > > 4-15: 04:57:16:128 12994deb3fb980ad396acc0eb7633c8b
> > > 4-15: 04:57:16:128 77acc443132a7b614dcc5ae1f41652b7
> > > 4-15: 04:57:16:128 1cbe12e2b844b58319646bc996ca9205
> > > 4-15: 04:57:16:128 f81b3940744139918706298c0d7af219
> > > 4-15: 04:57:16:128 55c1887a087af6f1d3a969ebc97d5f14
> > > 4-15: 04:57:16:128 ddf55a4bf5ad9bad47891310358a0023
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 AuthCount 1
> > > 4-15: 04:57:16:128 Constructing Cert Request
> > > 4-15: 04:57:16:128 Setting CertReq type
> > > 4-15: 04:57:16:128 Throw: State mask=111f
> > > 4-15: 04:57:16:128 Doing tripleDES
> > > 4-15: 04:57:16:128
> > > 4-15: 04:57:16:128 Sending: SA = 0x00237A18 to 192.168.2.100
> > > 4-15: 04:57:16:128 ISAKMP Header: (V1.0), len = 1556
> > > 4-15: 04:57:16:128 I-COOKIE 3ccdc554cc3dc04d
> > > 4-15: 04:57:16:128 R-COOKIE 95cb0109e456387d
> > > 4-15: 04:57:16:128 exchange: Oakley Main Mode
> > > 4-15: 04:57:16:128 flags: 1 ( encrypted )
> > > 4-15: 04:57:16:128 next payload: ID
> > > 4-15: 04:57:16:128 message ID: 00000000
> > > 4-15: 04:57:17:128 Handling Retransmit: sa 237a18 handle 9a1f0 context
> > > 2348b8 arg 2348b8
> > > 4-15: 04:57:17:128 retransmit: sa = 00237A18 centry 00000000 , count = 0
> > > 4-15: 04:57:17:128
> > >
> > > thx
> > >
> > >
> >
> >
>
>
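Steve's explanation and flipper's MachineKeys check both turn into one audit: for every certificate in the machine's Personal store, do not trust the "you have a private key" flag, actually acquire the key and read the context flag stored in the key-provider property. The script below is an added example, not code from this thread or from Microsoft. It assumes Windows PowerShell 5.1 on .NET Framework in an elevated session, uses `$env:ProgramData` in place of the localized "All Users\Anwendungsdaten" path quoted above, and `Test-MachineStorePrivateKeys` is a name chosen here.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\<StoreName> for
# certificates whose private-key flag is set but whose key cannot be used in
# the machine context. Assumes Windows PowerShell 5.1 (.NET Framework), elevated.
function Test-MachineStorePrivateKeys {
    param([string]$StoreName = 'My')

    # Legacy CSP machine keys are files in this directory (flipper's check);
    # CNG keys live under ..\Crypto\Keys instead, so only CSP keys are located here.
    $machineKeyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $r = [pscustomobject]@{
                Thumbprint        = $cert.Thumbprint
                Subject           = $cert.Subject
                HasPrivateKeyFlag = $cert.HasPrivateKey  # only means the key-provider property is present
                KeyOpened         = $false               # true only if the key was actually acquired
                MachineKeyStore   = $null                # the user/machine context flag stored in that property
                KeyFile           = $null
                Problem           = $null
            }

            if (-not $cert.HasPrivateKey) {
                $r.Problem = 'certificate only, no key-provider property'
                $r
                continue
            }

            try {
                # X509Certificate2.PrivateKey reads the key-provider property and opens the
                # named container with "use existing key"; a missing keyset throws here.
                $info = $cert.PrivateKey.CspKeyContainerInfo
                $r.KeyOpened       = $true
                $r.MachineKeyStore = $info.MachineKeyStore
                if ($info.MachineKeyStore) {
                    $r.KeyFile = Join-Path $machineKeyDir $info.UniqueKeyContainerName
                    if (-not (Test-Path -LiteralPath $r.KeyFile)) { $r.KeyFile += ' (not found on disk)' }
                } else {
                    # the copy-and-paste case from the thread: certificate in the machine
                    # store, property still pointing at a user-context key container
                    $r.Problem = 'property points at a USER key container; machine-context services cannot use it'
                }
            } catch {
                # .PrivateKey also throws for CNG keys, so try the CNG path before giving up
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $r.KeyOpened       = $true
                        $r.MachineKeyStore = $rsa.Key.IsMachineKey
                        if (-not $rsa.Key.IsMachineKey) { $r.Problem = 'CNG key lives in the user context' }
                    } else {
                        $r.Problem = "key could not be acquired: $($_.Exception.Message)"
                    }
                } catch {
                    $r.Problem = "key could not be acquired: $($_.Exception.Message)"
                }
            }
            $r
        }
    } finally {
        $store.Close()
    }
}

# Usage: any row with HasPrivateKeyFlag = True but KeyOpened = False, or with
# MachineKeyStore = False, is a certificate that IPsec or any other machine-context
# service will fail to sign with, exactly as in the oakley.log above.
Test-MachineStorePrivateKeys | Format-Table Subject, HasPrivateKeyFlag, KeyOpened, MachineKeyStore, Problem -AutoSize
```

Running this as an ordinary user would mask the problem, because a user-context key container is reachable from that user's session; run it elevated (or as SYSTEM) so the result reflects what services actually see. The `MachineKeyStore = False` row is the condition Steve describes: the certificate was copied, its key-provider property came along unchanged, and the key itself never moved.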

