Certificates: Cannot find the certificate and private key for decryption Error when sign

StackOverflow https://stackoverflow.com/questions/3936065

Question

I work in company with many servers and Pcs for developers. Servers are win2003, PC developers Windows XP.

In a server Win2003 named preiis01, in preproduction environment, other people in company install a client certificate using any other user (domainCompany\adminsystems) for logging in server preiis01.

Anyone admin uses the user "domainCompany\adminsystems" for log in server preiis01 (using Terminal Server, Remote Desktop for Windows XP).

the admin user is domainCompany\adminsystems", which installs certificate.

Admin user install it like this:

Session login like "domainCompany\adminsystems" Certificate is PFX file. Do Install PFX and using Wizard. The key private not check for export. Input the password and install.

There is an application Web which AppPool Identity is: NETWORK SERVICE account.

web server is IIS 6.0.

in preiis01,

That admin user executes mmc -> Snap in -> Certificates for Local Machine. In node -> Personal -> Certificates, he had seen the client certificate:

Issued To ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

Issued By FNMT Clase 2 CA

In properties of certificate, the thumbprint: "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13"

That admin user executes this commands:

winhttpcertcfg.exe LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -g -a "NETWORK SERVICE"

Result is:

Matching certificate:

CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

OU=703015476

OU=FNMT Clase 2 CA

O=FNMT

C=ES

Granting private key access for account: NT AUTHORITY\NETWORK SERVICE

Now, admin user executes this command:

winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1"

The result is:

Matching certificate:

CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

OU=700012476

OU=FNMT Clase 2 CA

O=FNMT

C=ES

Additional accounts and groups with access to the private key include: domainCompany\adminsystems NT AUTHORITY\SYSTEM BUILTIN\Administrators NT AUTHORITY\NETWORK SERVICE

NOw, in an aspx page in application web in server Win2003, IIS 6.0, I have this code:

NOte: value for X509Certificate2.HasPrivateKeyAccess() is NO (false) for "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" certificate.

ASP.NET application executes using the identity :: NT AUTHORITY\NETWORK SERVICE

lbInfo.Text += "<br/><br/>ASP.NET application executes using the identity :: <b>" + WindowsIdentity.GetCurrent().Name + "</b><br>";


            var store = new X509Store(StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            Certificates = store.Certificates;
            repeater1.DataSource = Certificates;
            repeater1.DataBind();

            var nombreCertificado = "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1";

            store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);

            X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySubjectName, nombreCertificado, false);

            if (col.Count > 0)
            {
                X509Certificate2 certificate = col[0];
                store.Close();
                Message.Text = "Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;

                FirmarConCertificado(nombreCertificado, certificate);

            }
            else
            {
                store.Close();
                Message.Text = "El certificado " + nombreCertificado + " no esta instalado en la máquina";
            }


public void FirmarConCertificado(string nombreCertificado, X509Certificate2 certificate)
{
    try
    {
 var mensaje = "Datos de prueba";
                System.Text.Encoding enc = System.Text.Encoding.Default;
                byte[] data = enc.GetBytes(mensaje);

                var contentInfo = new System.Security.Cryptography.Pkcs.ContentInfo(data);
                var signedCms = new System.Security.Cryptography.Pkcs.SignedCms(contentInfo, true);

                var cmsSigner = new System.Security.Cryptography.Pkcs.CmsSigner(certificate);

                //  Sign the CMS/PKCS #7 message
                signedCms.ComputeSignature(cmsSigner);

                //  Encode the CMS/PKCS #7 message
               var ret = Convert.ToBase64String(signedCms.Encode());

 Message.Text += "Firmado con Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;
 }
 catch (Exception ex)
 {
 Message.Text = "Error al firmar con certificado: " + ex.ToString();
 Message.Text += "<br /><br />InnerException: " + ex.InnerException;
 }

}

The code fails for me, and I get this error: Cannot find the certificate and private key for decryption.

Error line is:signedCms.ComputeSignature(cmsSigner);

Error al firmar con certificado: System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption.

at System.Security.Cryptography.Pkcs.PkcsUtils.CreateSignerEncodeInfo(CmsSigner signer, Boolean silent) at System.Security.Cryptography.Pkcs.SignedCms.Sign(CmsSigner signer, Boolean silent) at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer, Boolean silent) at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer) at ASP.dgsfp_test_testcert_aspx.FirmarConCertificado(String nombreCertificado, X509Certificate2 certificate) in c:\Company\App\Test\TestCert.aspx:line 242

Then, the admin user (I remember, who install the certificate) executes this commands:

FindPrivateKey My LocalMachine -t "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13" –c

FindPrivateKey My LocalMachine -n "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" –a

FindPrivateKey My LocalMachine -n "CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" –a

The result for all 3 commands is the same:

FindPrivateKey helps user to find the location of the Private Key file of a X.50 9 Certificate.

Usage: FindPrivateKey [{ {-n } | {-t } } [-f | -d | -a]]

subject name of the certificate

thumbprint of the certificate (use certmgr.exe to get it)

-f output file name only

-d output directory only

-a output absolute file name e.g. FindPrivateKey My CurrentUser -n "CN=John Doe"

e.g. FindPrivateKey My LocalMachine -t "03 33 98 63 d0 47 e7 48 71 33 62 64 76 5 c 4c 9d 42 1d 6b 52" -c

FindPrivateKey don't get anything, but winhttpcertcfg.exe -l works fine (matching certificate)

We have given privileges to the Network Service user using the winhttpcertcfg.exe tool, and in code ASP.NET (execute under Network Service account) the certificate is found. But fails when sign using certificate.

If someone could give us some information about, or suggestions

update:

User in domain "domainCompany\Pre_Certificado" install Certificate in Store Local Machine.

domainCompany\Pre_Certificado is Administrator, in IIS_WPG group, has Local Policies: “Log on as Service“

I configure AppPool Identity in IIS 6.0 for : domainCompany\Pre_Certificado

ASP.NET application executes using the identity :: domainCompany\Pre_Certificado

I recycle AppPool and execute application, I get System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption

If I test again, log in session in server IIS, using domainCompany\Pre_Certificado user, I call page in ASP.NET application and all is OK.

(note: log in server IIS using Terminal Server)

But if log off session in server IIS (user: domainCompany\Pre_Certificado), I get the same error:

System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption

Any suggestions ??

Was it helpful?

Solution

Please check this document which would help you to resolve the issue. I would recommend to use following command option:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER

OTHER TIPS

Do the first 2 steps as the same as you would with IIS 7.5 (click here)

  1. Create / Purchase certificate. Make sure it has a private key.
  2. Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported"

  3. Run the below command as an administrator. Replace the following:

    • Replace [Subject] with the certificate's subject and use quotes if it contains spaces. I think you can also just put the first word as long as there isn't another cert that starts with the same subject.
    • Replace [Store] with the certificate store you imported to, default I believe is "ROOT" or "MY" on IIS 6, i.e. "LOCAL_MACHINE\ROOT" or "LOCAL_MACHINE\MY"
    • Replace [computername] with the name of the computer. You might be able to use ".\" notation for [computernam] i.e. ".\NETWORK SERVICE" but I have not tried it.

winhttpcertcfg.exe -g -a "[computername]\NETWORK SERVICE" -c LOCAL_MACHINE\[Store] -s "[Subject]"

Note: If you are running ASP.NET Application Pool under an identity other than "NETWORK SERVICE" you'll need the change "NETWORK SERVICE" in the above command to the identity that you're running the IIS application pool.

May need to grant access to the anonymous user also. If you are allowing anonymous access then the request is running as the anonymous user not network service.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top