Microsoft changed certificate store behaviour and makecert.exe?

  • Question

  • I have two issues that just showed themselves recently. Stuff that worked before does not work anymore.

    First I use the makecert.exe tool to create certificates for testing purposes. I want to create two certificates: a "root" certificate that is self-signed and a test certificate that is signed by the just created root certificate.

    My procedure was as follows:

    ======================

    Get the X509 root Certificate

    Certificates are needed as a proof of identity. A certificate needs to be issued by a certification authority. For testing purposes it is also possible to manually create two certificates using the Microsoft command line tool makecert. One certificate is the actual certificate used for the test, the other certificate is needed to sign the test certificate. Execute the following command after having replaced XXX by your company name.

    makecert -pe -n "CN=XXX.Test.Root.Certificate" -a sha1 -sky signature -r -e 12/31/2015 "XXX Test and Dev Root.cer"

    Install the Root Certificate

    Select Run... from the Windows Start menu and enter mmc. In the Console select the menu File / Add/Remove Snap-in... and add the certificate add-in for the computer account. Import the certificate into the Personal folder.

    Get the X509 Certificate

    Execute the following command after having replaced XXX by your company name.

    makecert -pe -n "CN=XXX.Test.Certificate" -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "XXX.Test.Root.Certificate" -is my -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 12/31/2015 "XXX Test and Dev.cer"

    Install the Test Certificate

    In the Certificate Console import the certificate into the Personal folder. Move the root certificate into the Trusted Root Certification Authorities folder.

    =========================

    Now this procedure does not work anymore. Furthermore, even the simplest examples involving the -ss my option (which is by itself not a problem) to directly place a certificate in the Personal folder are now rejected. This is just an obvious indication that something changed.


    The second issue, more vital to my task, is that even when I load the old certificate file I created some time ago, the WCF framework claims that it does not contain a private key which is required for the intended purpose.

    Monday, May 4, 2009 10:31 AM

Answers

  • I found the solution myself: allow permissions on the folder: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.

    • Marked as answer by Philipp Kramer Monday, September 28, 2009 6:54 AM
    Monday, September 28, 2009 6:54 AM

All replies

  • Your problem looks very similar to the issue I reported here:
    http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/6a937551-4f3a-4d58-b14f-e052ebbf3123

    My question also went unanswered, but I was able to find a solution on my own.

    Your problem likely stems from this parameter: "-sp "Microsoft RSA SChannel Cryptographic Provider"". This is the same CSP that my code was trying to use. After several hours of bashing my head against the wall, I finally discovered (with some help from regmon and filemon) that my certificate's private key was being stored with a Diffie-Hellman SChannel CSP, rather than the RSA SChannel CSP. As a result, the RSA SChannel CSP was unable to access the private key.

    You probably need to tell makecert which CSP to use to store the private key. Try passing the following parameters to the first makecert call:

    -sk "Microsoft Unified Security Protocol Provider"
    -sp "Microsoft RSA SChannel Cryptographic Provider"

    These parameters appear to be the makecert equivalent of the code change I had to make. Note that I haven't tried this with makecert, so YMMV.

    Thursday, May 21, 2009 8:30 PM
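As an added diagnostic (not part of this thread or of anyone's post in it), the following PowerShell shows how to check both things the thread turns on: which CSP actually holds the private key of the test certificate (the RSA SChannel versus Diffie-Hellman SChannel distinction from the reply above) and who has access to the matching key file under MachineKeys (the permission fix in the accepted answer). It assumes Windows PowerShell with the Cert: drive on Vista or later, where MachineKeys lives under $env:ProgramData rather than the Documents and Settings path quoted above, and a CAPI (makecert-style) key; the subject name is the one from the question.

```powershell
# Added diagnostic, not from the thread. Assumed: Windows PowerShell 5.1,
# a CAPI key (as makecert creates), and the subject from the question.
param([string]$Subject = 'CN=XXX.Test.Certificate')

# On Vista and later this is the machine-wide CAPI key file folder.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    ForEach-Object {
        $cert = $_
        $info = [ordered]@{
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # false here = the WCF symptom
        }
        if ($cert.HasPrivateKey) {
            try {
                # For CAPI keys, CspKeyContainerInfo names the CSP that really
                # holds the key, which is what the RSA SChannel CSP must match.
                $csp = $cert.PrivateKey.CspKeyContainerInfo
                $info.Provider  = $csp.ProviderName
                $info.KeySpec   = $csp.KeyNumber            # Exchange or Signature
                $info.Container = $csp.UniqueKeyContainerName

                # The key file is named after the unique container; the account
                # running WCF (or the interactive user) needs read access to it.
                $keyFile = Join-Path $machineKeys $csp.UniqueKeyContainerName
                if (Test-Path $keyFile) {
                    $info.KeyFileAcl = (Get-Acl $keyFile).Access |
                        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
                }
            } catch {
                # Reading PrivateKey throws when the caller cannot open the
                # key container: the same failure the thread describes.
                $info.Error = $_.Exception.Message
            }
        }
        [pscustomobject]$info
    }

# Folder-level view of the accepted answer's fix: who may get at MachineKeys.
(Get-Acl $machineKeys).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it in an elevated prompt once to see the true CSP and ACLs, then as the account that actually hosts the WCF service to see whether that account is the one being denied.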