Hi, I am having trouble getting x509 certificates I have created to work with my test WSE 3.0 app. I am currently building an application which involves communication between web services and clients on different companies' networks, which may be communicating either over the internet or via a VPN connection. I intend to use x509 certificates to provide message-level encryption and possibly authentication as well. I have created a client and a server certificate by issuing certificates in the Windows 2003 Certification Authority MMC snap-in for requests which I created using the IIS certificate wizard on the default web site. I created a test ASP.NET web service and Windows Forms client application and applied WSE security policies to both. The application works fine using certificates generated through the Makecert tool, but when I use the IIS / Certification Authority generated certificates I get the following System.Security.Cryptography.CryptographicException error message: "WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account '<domain>\<username>' has permissions to read the private key of certificate with subject name 'CN=<test cert name>, OU=<org unit>, O=<org name>, L=<locality>, S=<province>, C=<country>' and thumbprint 'ABABABABABABABABABABABABABABABABABABABAB'." Here the username was the user I was logged in as. When I attempted to grant permissions using the WSE X.509 Certificate Tool, clicking on the 'View Private Key File Properties...' button gave me the message 'Private key does not exist or is not accessible'. And when I attempted the same thing using winhttpcertcfg.exe I received the error message: "Error: Access was not successfully obtained for the private key. This can only be done by the user who installed the certificate." Can anyone see where I am going wrong? Is it just not possible to use IIS-generated certs with WSE?
Also, there is a chance that the clients and services which will use the certificates will not be able to 'see' the server with Certification Authority installed. Will WSE still work? Thanks, Max
I just tried using the 'web enrollment' method to generate certificate requests as detailed in http://support.microsoft.com/kb/901183/ ... but when I tried to use this certificate in WSE, or to assign ASPNET permissions using winhttpcertcfg.exe or the WSE X.509 Certificate Tool, I received the same error messages as detailed above.
I got one to work! I created a certificate request with the Certificate Authority Web Enrollment tool and un-checked "Store certificate in the local computer certificate store", and I can now edit the permissions to the key in WinHttpCertCfg.exe and the WSE Certificate Tool. When I made this the cert for my web services client app it worked fine! Not sure why this made the difference though; I have admin permissions on my dev machine so I would have thought I'd be able to access the key permissions anyway. So I now have a cert with the settings:
Type of certificate needed: Client Authentication Certificate
Key Options:
  Create new key set (selected)
  CSP: Microsoft Enhanced Cryptographic Provider v1.0
  Key Usage: Both
  Key Size: 1024
  Automatic key container name (selected)
  Mark keys as exportable
  Export keys to file (NOT selected)
  Enable strong private key protection (NOT selected)
  Store certificate in the local computer certificate store (NOT selected)
Additional Options:
  Request Format: CMC
  Hash Algorithm: SHA-1
I'm still not clear on whether this will work on machines which can't see
I HAVE DISCOVERED THE SOLUTION!!! ms-help://MS.WSE30.1033/WSE3.0/html/b5a8bce9-31a2-444c-a762-86f5bf2abd96.htm was the correct URL; follow step #2 exactly. Once you try running it again it should work. It doesn't work, you say? Right-click your solution and pick "Rebuild Solution", then run it. The problem is that Microsoft's tutorial doesn't mention you need to REBUILD the solution after you have given ASPNET rights, not just build. I'm not 100% sure of the reason, but I think it has to do with the changes done in the <process model> node in the machine.config file. These changes do not reflect until you rebuild the solution. This worked for me, and I tested it on the machine next to me, then I tested it again on the machine next to me. This has fixed the problem all 3 times. I am about 90% sure this will solve the problem for you. Also, if ASPNET is not found in the list of accounts (in the certificate tool, after you have selected to view private key file properties, then clicked the "Security" tab, then clicked "Add"), you need to click "Locations", highlight your computer (which is usually the top-most node), then click "OK", then type "ASPNET" in the "Enter object names" box and click OK. ASPNET should be added now. All you need to assign it is Read / Read & Execute rights. Hope this helps. I am the champion!
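The same check and fix the thread does by hand in the WSE X.509 Certificate Tool (find the private key file behind a certificate thumbprint, confirm it is a machine key, and grant the worker-process account read access), as an added PowerShell example that is not from this thread or from WSE. It assumes a CAPI/RSA key such as the "Microsoft Enhanced Cryptographic Provider v1.0" key described above (CNG keys are stored elsewhere), a certificate in LocalMachine\My, and an elevated session; the `$Thumbprint` and `$Account` parameters are placeholders for your own values.

```powershell
# Added example (not from the thread): locate the CAPI private key file of a
# machine-store certificate by thumbprint and grant an account read access,
# which is the condition the WSE600 message asks you to check.
param(
    [Parameter(Mandatory)][string]$Thumbprint,    # the thumbprint quoted in the WSE600 message
    [string]$Account = "$env:COMPUTERNAME\ASPNET"  # identity the ASP.NET worker process runs as
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; it was probably imported without one"
}

# $cert.PrivateKey is an RSACryptoServiceProvider for CAPI keys and $null for CNG keys
# or when the calling user cannot read the key ('Private key does not exist or is not accessible').
$rsa = $cert.PrivateKey
if (-not $rsa) { throw "Private key is not accessible via CAPI (CNG key, or no read access for this user)" }

$container = $rsa.CspKeyContainerInfo
if (-not $container.MachineKeyStore) {
    # A per-user key is usable by a client running as that user (the working client cert in the
    # thread), but it is DPAPI-protected with that user's master key, so ASPNET cannot use it.
    throw "Key is in the per-user store; re-issue it into the local computer store for a service"
}

# Machine keys for CAPI providers live under CommonApplicationData\Microsoft\Crypto\RSA\MachineKeys
# on both Windows 2003 (All Users\Application Data) and later versions (ProgramData).
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $container.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Show the current ACL first, so a missing entry for the worker account is visible before changing it.
(Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant read-only access; the thread's last post notes Read / Read & Execute is all WSE needs.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl
Write-Host "Granted Read on $keyFile to $Account"
```

Re-run the script with no changes to confirm the new ACL entry is listed, then restart the worker process (or rebuild and run, as the post above describes) so it picks up the new permissions.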