I have multiple AWS WorkSpaces for every member in my team and I have restricted access to use a certificate. I have added the root certificate into the AWS management console and generated .p12 files for all the users. Mac users can import the root, intermediate and their .p12 files into Keychain Access and AWS WS works fine and allows them to log in. However Windows users have imported the same three files into their cert store using mmc.exe, certmgr.msc, and by clicking the certificates individually and importing that in that way, but this is not working. Every time a user tries to open AWS WS client it says you're not authorised. I have tired using a known working .p12 file but it just doesn't work for windows users. Does anybody have any idea why?
Thanks
Related
Background info
Developed a web app that uses IIS8. Currently using IIS to perform client authentication. Server self-signs a certificate and the certificate is imported on specific PCs.
User access site from browser and browser prompts for SSL cert. (Cert is imported to Personal Folder).
For PCs with single accounts there is no issue as i just import the certificate to that account.
For PCs with multiple accounts, if i import the certificate to the Local Computer account the different accounts are unable to access the certificate.
Query
How do i allow multiple accounts to access a single certificate? Tried to grant individual permissions to the individual accounts from the Local Computer Certificates console but to no avail. I do not want to issue the certificate individually to each account.
Is there a solution or alternative to this query?
You should try and separate authentication (using client certs) from account management, meaning authorization.
A good approach might be to use client certificates only to identify the user accessing your application (with exactly 1 certificate for each user). Then setup an n:m mapping to determine that user's groups, which in turn are given specific rights within your application. This is a common way to decouple users and their rights, to facilitate managing each.
I'm trying to authenticate to Opends server using winldap , I installed my self signed certificate to system trusted root certificates,personal store etc(where ever applicable). ldp.exe which is a tool by microsoft works fine for ssl and tls connection .I have 2 user accounts in my PC(admin and Administrator) everything works fine for both user accounts , except my windows service.
My windows service(a library management program) couldn't verify the server certificate. but my sample code works(which is a small part of code similar to my windows service) ,
I have seen similar scenarios on this website and their suggestion (https://msdn.microsoft.com/en-us/library/aa702621.aspx).
My service displays Group name as N/A in services tab and user name as SYSTEM in processes tab of task manager and I'm not sure what to do , please some one help me to solve this issue.
Thanks in advance.
Actually Windows has 3 types of certificate stores Local User , System , Services .
Usually windows services run as a special account called System(we can make it run on a particular user account as well)
Self signed certificate is added to the local user account alone (for both admin and Administrator as mentioned). so the windows Service couldn't verify the certificate.
Solution is to add the certificate to the System store .
The program works fine
I am importing X509 from PKCS #12 file (using PFXImportCertStore Cryptographic API) in Computer's Personal Store.
Problem:
Any process running under "Local Service" account or any non-admin account can not access privates key (restricted to Admin user by Windows).
How to give access to private keys of a certificate to non-admin users and local service?
Note:
Since multiple process use certificates, I preferred using Computers store instead user's store.
This is a tricky one with some pitfalls. I had the same problem and was close to despair, when I finally found the remark which saved me in this post
I succeeded to do this for a local service running under the Network Service account.
First, there is the option to grant other users access to the private key of a certificate in the MS certificate store. Already this I'd classify as druid knowledge: this option is available in the context menu (right click the certificate), but only if the certificate resides in the localMachine\Personal store. There, in the entry All tasks, you will find the sub entry Manage Private Keys. This is not available in other stores, not even in the CurrentUser\Personal store.
This entry opens a dialog which allows you to add access rights to the certificate for other users. Here, the next hurdle waits for you: the default setting is to search for users in the domain, not on the local machine. The desired user may not be found, unless you change the search filter.
To this result I came very fast by googling, but it did not help. I could get the service to run, but only if I changed the service user to the logon account, which is not what I wanted (this leads, btw, to a workaround: create a local user account for services and import the certificate from within that user account. You can then place the certificate in almost any store and it will work fine)
This is where the post cited above comes in, the last hurdle for me: the procedure described above seems to work only if you import the certificate into the certificate store from within the MMC snapin. Select the store localMachine\Personal and use the context menu to import the certificate in question. (I chose to make the private key exportable, this may or may not be relevant here). If you import the certificate by double clicking on it in the file system, it will be imported into some store in the Current User location. I used to do this and then move it into the localMachine\Personal folder and changed the access right -- this did never work for me. Only after importing it from within localMachine\Personal in the MMC certificate snap-in it worked immediately...
(Also note that you have to place the certificate into a store which can be found by the service user. Your current user stores usually does not allow this, so localMachine is the better choice, anyway)
I don't know whether you can move the certificate around afterwards, but that's easy to check in the system..
The background
We have been using certificates to access a third party service from a windows 2003 box. The certificate recently expired so we went about getting a new one from the third party(Experian). We were provided with two certs to be installed in the "Trusted Root Certication Authorities" and two to be installed in the "Intermediate Certification Authorities" and then the main one that gets installed to the Personal\Certificates.
I know the certs are working when I can access a URL. If I install the certs allowing the cert decide where to install themselves (local Computer or Current User) they install to the current user store. I can then access the URL ... all is well.
The Issue
However I need the certificates to work on a computer level rather than a user level. So I move the certs to the relative Local Computer store locations however this does not work. I now cannot access the URL as any user. I tried deleting them all out and importing them directly into the required local computer cert location... still no joy. I tried installing them as the local admin .... still no joy. Tried granting access to the certs via winhttpcertcfg to everyone/specific users etc, still no joy.
Is it possible that the cert is designed to work for only one user? Is there something I am missing to make this work? Any suggestions would be greatly appreciated.
As admin you should:
run mmc
add snapin for certificates (for local computer)
add root CAs to "Trusted Root Certication Authorities"
add intermediate CAs to "Intermediate Certification Authorities"
add end entity certificate with private key (it should be a .p12 or .pfx file) to Personal\Certificates
grant rights to user that can access the private key using winhttpcertcfg utility
and it should work (at least it did for me every time).
If you don't have private key corresponding to end entity certificate (because you deleted them all) then you need to get a new one from third party(Experian).
While setting up the EC2 access, it seems I need two files, the private key and ec2 certificate.
$ export EC2_PRIVATE_KEY=~/.ec2/pk-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem
$ export EC2_CERT=~/.ec2/cert-HKZYKTAIG2ECMXYIBH3HXV4ZBZQ55CLO.pem
However, I did not find anywhere I could download or create the key.
from the documentation:
The command line tools need access to
the private key and X.509 certificate
you generated after signing up for the
Amazon EC2 service.
I probably missed that, Is it possible to generate it again
When signed in on the AWS website go to Account -> Security Credentials -> X.509 Certificates.
You can generate, download, or upload certificates there.