Cannot construct a X509SigningCredentials

  • Question

  • System.ArgumentException = {"ID2057: Cannot construct a X509SigningCredentials instance for a certificate without the private key.\r\nParameter name: token"}
       at Microsoft.IdentityModel.SecurityTokenService.X509SigningCredentials..ctor(X509SecurityToken token, SecurityKeyIdentifier ski, String signatureAlgorithm, String digestAlgorithm)
       at Microsoft.IdentityModel.SecurityTokenService.X509SigningCredentials..ctor(X509Certificate2 certificate, SecurityKeyIdentifier ski)

    I get this error when I create a certificate using this command:
    "makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=localhost -sky exchange -pe -sk 974877a3-6154-40e4-b688-25fe8962dc18 c:\test.cer"

    X509SecurityToken token = new X509SecurityToken(_x509CertificateProvider.GetCertificate("test.cer"));
    SecurityKeyIdentifier ski = GetSecurityKeyIdentifier(token);
    descriptor.SigningCredentials = new X509SigningCredentials(token.Certificate, ski);

    How do I provide the private key to the certificate? When I load it from the store like

    store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=" + subjectName, false);

    it works fine. Why won't it work when loaded from a file?

    Friday, February 4, 2011 8:31 PM

Answers

All replies

  • .cer does not contain a private key. You have to specify both the filename for the .cer and the .pvk in makecert. You can then package both files as a .pfx using Pvk2Pfx.exe. This now contains both keys and can be loaded using the X509Certificate2 ctor.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    • Marked as answer by chintapali Tuesday, February 8, 2011 1:45 PM
    Sunday, February 6, 2011 7:25 PM
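    The loading step described in the answer above, as an added example (not code from the thread or from WIF itself): the certificate is read from a .pfx that carries the private key, checked with HasPrivateKey before use, and then passed to the single-argument X509SigningCredentials constructor. The file names, the password parameter and the SigningCertificateLoader class are assumptions; the makecert/pvk2pfx commands in the comments are shown only to document how such a .pfx is produced.

```csharp
// Added example: load a certificate together with its private key and build
// X509SigningCredentials from it. Assumes the .pfx was produced roughly like
// this (file names are placeholders):
//   makecert.exe -r -pe -n "CN=localhost" -sky exchange -sv test.pvk test.cer
//   pvk2pfx.exe -pvk test.pvk -spc test.cer -pfx test.pfx -po <password>
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.SecurityTokenService;

public static class SigningCertificateLoader   // hypothetical helper, not part of WIF
{
    public static X509SigningCredentials Load(string pfxPath, string password)
    {
        // A .pfx (PKCS#12) contains the certificate and the private key; a .cer
        // contains only the public half, which is why ID2057 is raised for it.
        var cert = new X509Certificate2(pfxPath, password);

        // Fail early with a clear message instead of letting the WIF constructor throw later.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key; load the .pfx, not the .cer.");

        // With a private key present, the one-argument constructor is sufficient;
        // WIF derives the key identifier (thumbprint) from the certificate.
        return new X509SigningCredentials(cert);
    }
}
```

    The same HasPrivateKey check also explains the behaviour in the question: a certificate found in the machine store via X509Store has its key associated with it, while the exported .cer does not. Treat the .pvk and .pfx files like any other private key material when storing them.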
  • I created a .pfx file as described above, but when I try to read a token which is signed using this certificate I get this error:

    ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
        (
        IsReadOnly = False,
        Count = 1,
        Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xC2ACC11F435B8F0EA14EAF3C2D8EFC9CA71CF678)
        )
    '. Ensure that the SecurityTokenResolver is populated with the required key.

    Here is the code I am using to read the SAML token:

    SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();
    config.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
    config.CertificateValidator = X509CertificateValidator.None;
    config.IssuerNameRegistry = new SimpleIssuerNameRegistry();
    var handler = new SecurityTokenHandlerCollection(config);
    handler.Add(new Saml2SecurityTokenHandler());
    handler.Add(new EncryptedSecurityTokenHandler());
    MemoryStream st = new MemoryStream(signedToken);
    XmlTextReader reader = new XmlTextReader(st);
    Saml2SecurityToken securityToken;
    securityToken = handler.ReadToken(reader) as Saml2SecurityToken;

    Monday, February 7, 2011 8:03 PM
  • Figured out the way to fix this by including the signing key like this:

    RSACryptoServiceProvider rsa = signingCert.PrivateKey as RSACryptoServiceProvider;
    RsaSecurityKey rsaKey = new RsaSecurityKey(rsa);
    RsaKeyIdentifierClause rsaClause = new RsaKeyIdentifierClause(rsa);
    SecurityKeyIdentifier signingSki = new SecurityKeyIdentifier(new SecurityKeyIdentifierClause[] { rsaClause });
    SigningCredentials signingCredentials = new SigningCredentials(rsaKey, signatureAlgorithm, digestAlgorithm, signingSki);

    But now I get this error when validating the token

    {"ID4152: The Saml2SecurityToken cannot be validated because the IssuerToken property is not set. Unsigned SAML2:Assertions cannot be validated."}

    Monday, February 7, 2011 9:56 PM
    • Marked as answer by chintapali Tuesday, February 8, 2011 1:45 PM
    Tuesday, February 8, 2011 5:43 AM
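    Both the ID4037 error (thumbprint key identifier could not be resolved) and the later ID4152 error (IssuerToken not set) come from the relying party side: the handler collection needs a SecurityTokenResolver that can map the key identifier embedded in the signature back to a known token. The following is an added example that is not code from the thread or from WIF; it assumes a signingCert (the same X509Certificate2 used by the issuer, private key not required) and the serialized assertion in signedToken, and uses the standard SecurityTokenResolver.CreateDefaultSecurityTokenResolver so that both an X509ThumbprintKeyIdentifierClause (first post) and an RsaKeyIdentifierClause (second post) resolve to a token. It also replaces the thread's SimpleIssuerNameRegistry, which is not shown on the page, with ConfigurationBasedIssuerNameRegistry pinned to the expected issuer thumbprint.

```csharp
// Added example: configure the handler collection so the signing key can be
// resolved from the token's key identifier, then validate the assertion.
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

public static class SamlTokenValidator   // hypothetical helper, not part of WIF
{
    public static ClaimsIdentityCollection Validate(byte[] signedToken, X509Certificate2 signingCert)
    {
        var config = new SecurityTokenHandlerConfiguration();

        // Mirrors the thread's settings; in production, restrict the audience and
        // validate the certificate chain instead of disabling both checks.
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Never;
        config.CertificateValidator = X509CertificateValidator.None;

        // Only assertions signed by this specific certificate map to a trusted issuer name.
        var registry = new ConfigurationBasedIssuerNameRegistry();
        registry.AddTrustedIssuer(signingCert.Thumbprint, "ExampleIssuer"); // issuer name is an assumption
        config.IssuerNameRegistry = registry;

        // Tokens the resolver may hand back when it sees a key identifier clause:
        //  - X509SecurityToken matches X509ThumbprintKeyIdentifierClause (ID4037 case)
        //  - RsaSecurityToken matches RsaKeyIdentifierClause (the later approach in the thread);
        //    without it the signature may verify from the bare key, but no IssuerToken is set
        //    and validation fails with ID4152.
        var knownTokens = new List<SecurityToken> { new X509SecurityToken(signingCert) };
        var rsa = signingCert.PublicKey.Key as RSA;
        if (rsa != null)
            knownTokens.Add(new RsaSecurityToken(rsa));

        config.IssuerTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
            new ReadOnlyCollection<SecurityToken>(knownTokens), false /* canMatchLocalId */);

        var handlers = new SecurityTokenHandlerCollection(config);
        handlers.Add(new Saml2SecurityTokenHandler());

        using (var reader = new XmlTextReader(new MemoryStream(signedToken)))
        {
            // ReadToken resolves the signing key through IssuerTokenResolver and records
            // it as IssuerToken; ValidateToken then checks issuer, audience and signature.
            SecurityToken token = handlers.ReadToken(reader);
            return handlers.ValidateToken(token);
        }
    }
}
```

    If the issuer embeds a thumbprint clause (the X509SigningCredentials path), the X509SecurityToken entry alone is enough; the RsaSecurityToken entry is only needed for the bare RSA key identifier used in the last post. The combination of a populated resolver and a thumbprint-pinned issuer name registry is what turns "the signature verifies" into "the signature verifies and comes from the issuer we expect".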