Fighting with certificates: Access was not successfully obtained for the private key

  • Question

  • Hi all,

    I work in a company with many servers and PCs for developers. The servers are Win2003, the developer PCs Windows XP.

    On a Win2003 server named preiis01, in the preproduction environment, other people in the company installed a client certificate using some other user (unknown to me) to log in to server preiis01.

    I use my user "domainCompany\myuser" to log in to server preiis01 (using Terminal Server, Remote Desktop from Windows XP).

    In preiis01,

    I execute mmc -> Snap-in -> Certificates for Local Machine. In the node -> Personal -> Certificates, I have seen the client certificate:

    Issued To
    ENTIDAD COMPANY SA - CIF A93 - NOMBRE SURNAME1 NAME1

    Issued By
    FNMT Clase 2 CA

    In properties of certificate, I have seen thumbprint: "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13"


    Now, I execute these commands:

    1.) FindPrivateKey My LocalMachine -n "CN=ENTIDAD COMPANY SA - CIF A93 - NOMBRE SURNAME1 NAME1" -a

    and I get this error:


    FindPrivateKey failed for the following reason:
    No certificates with key 'CN=ENTIDAD COMPANY SA - CIF A93 - NOMBRE SURNAME1 NAME1' found in the store.

    2.) FindPrivateKey My LocalMachine -t "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13" -c

    FindPrivateKey helps user to find the location of the Private Key file of a X.509 Certificate.
    Usage: FindPrivateKey <storeName> <storeLocation> [{ {-n <subjectName>} | {-t <thumbprint>} } [-f | -d | -a]]
           <subjectName> subject name of the certificate
           <thumbprint>  thumbprint of the certificate (use certmgr.exe to get it)
           -f            output file name only
           -d            output directory only
           -a            output absolute file name
    e.g. FindPrivateKey My CurrentUser -n "CN=John Doe"
    e.g. FindPrivateKey My LocalMachine -t "03 33 98 63 d0 47 e7 48 71 33 62 64 76 5c 4c 9d 42 1d 6b 52" -c

    3.) winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY SA - CIF A93 - NOMBRE SURNAME1 NAME1"

    and I get this error:

    Microsoft (R) WinHTTP Certificate Configuration Tool
    Copyright (C) Microsoft Corporation 2001.

    Matching certificate:
    CN=ENTIDAD COMPANY SA - CIF A93 - NOMBRE SURNAME1 NAME1
    OU=703015476
    OU=FNMT Clase 2 CA
    O=FNMT
    C=ES

    Error: Access was not successfully obtained for the private key.
           This can only be done by the user who installed the certificate.


    Any suggestions, please?


    Should "Hi", "Thanks" and taglines and salutations be removed from posts? http://meta.stackoverflow.com/questions/2950/should-hi-thanks-and-taglines-and-salutations-be-removed-from-posts
    Monday, October 11, 2010 10:47 AM

Answers

All replies

  • Hi,

    Most likely the certificate was installed by some other person in your company (e.g. administrator). Only that person has access to the private key of the certificate. Download the FindPrivateKey tool, ask the administrator to execute it to find out the directory where the private key file was saved, and let him set the needed rights so that the process can access the file.


    There are also some reports about Windows XP failing to extract the private key from the file due to encoding issues:

    http://blogs.msdn.com/b/alejacma/archive/2010/01/11/winhttpcertcfg-tool-cannot-access-private-key-of-a-certificate.aspx

    Marcel

    Monday, October 11, 2010 11:06 AM
  • Here is what I have learned with this issue: when you import the .cer file on a Windows Server 2003 box, a pop-up window (screenshot below) will ask about validation. Click YES, or you will have the private key access issue.

    Security Warning screenshot (image not preserved):


    That was one thing I noticed, because I had one server out of three where the pop-up showed, and there I had no issues assigning permissions to NETWORKSERVICE and ASPNET.

    A workaround is to export the cert with its key from another server, creating a password. I was able to do this in IIS 7 on the server that the certificate was created for. Once I had the .pfx, I imported it on the other two servers that had this issue and I was able to assign the permissions.

    Thursday, February 14, 2013 2:44 PM
  • In my case a contractor must have added the cert under his account, not Local Computer. Months after he left, his profile was deleted. The certificate still thought it had the private key, but it didn't exist. Because it was in this messed-up state, we got thousands of "Schannel" 36870 errors in the system log. I deleted the certificate, rebooted, and it even came back. What ultimately fixed it was renaming the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder. I appended old_ to it and copied the MachineKeys folder from a working server. The "Access was not successfully obtained for the private key" errors went away when I set up permissions correctly with winhttpcertcfg. It's probably not the most ethical fix, but it worked in my case.

    Thursday, March 6, 2014 2:54 PM
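The two situations in this thread, a key file the current user cannot open (Marcel's reply) and a certificate whose key container no longer exists on disk (the last reply), can both be audited in one pass. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft's tools; it assumes Windows PowerShell 3.0+ on .NET 4.6+, run as a local administrator, and the parameter names `-Thumbprint` and `-GrantTo` are its own.

```powershell
# Added example (not from the thread): audit the private-key files behind LocalMachine\My
# certificates, flag the thread's failure modes, and optionally grant an account Read access
# to a key file (the effect winhttpcertcfg -g has). Assumes Windows PowerShell 3.0+ / .NET 4.6+.
param(
    [string]$Thumbprint,   # restrict to one cert; spaces as shown in the MMC dialog are fine
    [string]$GrantTo       # e.g. 'NT AUTHORITY\NETWORK SERVICE'; omit to only report
)
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'   # CAPI RSA containers
$cngKeys     = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'              # CNG machine keys

function Get-PrivateKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Returns @{Path; Error}. Opening the key throws when the container is missing or the
    # caller has no access to it, which is exactly the condition this thread is about.
    $r = @{ Path = $null; Error = $null }
    if (-not $Cert.HasPrivateKey) { return $r }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $r.Path = Join-Path $machineKeys $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $r.Path = Join-Path $cngKeys $rsa.Key.UniqueName
        }
    } catch { $r.Error = $_.Exception.Message }
    return $r
}

$filter = if ($Thumbprint) { ($Thumbprint -replace '\s', '').ToUpper() }
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { -not $filter -or $_.Thumbprint -eq $filter } |
  ForEach-Object {
    $key   = Get-PrivateKeyFile $_
    $state = if (-not $_.HasPrivateKey)          { 'no private key associated' }
             elseif ($key.Error)                 { "key not openable: $($key.Error)" }   # access denied / keyset missing
             elseif (-not (Test-Path $key.Path)) { 'ORPHANED: cert references a key but the file is gone' }
             else                                { 'key file present' }
    if ($GrantTo -and $key.Path -and (Test-Path $key.Path)) {
        # Add a Read ACE so the service account's process can open the key container
        $acl  = Get-Acl $key.Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GrantTo, 'Read', 'Allow')
        $acl.AddAccessRule($rule); Set-Acl $key.Path $acl
    }
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        KeyFile    = $key.Path
        State      = $state
        Access     = if ($key.Path -and (Test-Path $key.Path)) {
                         (Get-Acl $key.Path).Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
                     }
    }
  } | Format-List
```

A "key not openable" result while running as the installing user points at the encoding problem Marcel links to; the same result for every other account, with the file present in MachineKeys, is the plain ACL case that `-GrantTo` addresses.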