CertUtil importpfx Keyset does not exist - windows

I have a p12 file, 'test.p12,' that has a certificate, the CA cert (self-signed), and private key for the certificate. The p12 file is generated using the BouncyCastle's C# API.
When trying to import the certificate by using 'CertUtil', i.e., 'CertUtil -f -p password -importpfx test.p12,' CertUtil generates the following error:
CertUtil: -importPFX command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
Any clues as to what may be wrong? (I'm using Windows 10)
Using openssl, I can see that 'test.p12' does include the certificate, CA cert, and private key. The certificate is using an EC keypair, but I doubt that's a problem since I have a reference p12 file that uses the same algorithm and is imported by CertUtil without problem. Unfortunately, I have no detail on how the reference file is generated.
In my Google searches, many seem to suggest that this may be a permission problem, but I doubt that's the case as I'm running CertUtil as the Administrator.
When importing the same file using 'MMC' with the certificate snap-ins, the certificate is "successfully" imported if I force the MMC to store it in a specific store, e.g., Personal; otherwise, it prompts to select a Smart Card for the certificate. Could this be a related problem?
Thanks,
--Hyong

Related

YubiHSM Code-signing exporting certificate

I followed the tutorial for generating a code-signing certificate using the YubiHSM Key Storage provider available here. After creating the Certificate Signing Request (CSR) with certreq -new sign.inf sign.req a new asymmetric key is created in the YubiHSM together with an association between this key and the certificate in the YubiHSM Key Storage Provider (KSP). After that, I am able to sign my binaries using something like signtool sign /sha1 <certificate hash> <binary name>.
However, when I export this certificate and import it to a different machine the certificate does not have an associated private key. Typing certutil -repairstore my <certificate hash> does not help. As far as I understand, the KSP only stores a link to the YubiHSM, not the actual private key itself. So I suppose I need to somehow create this association in the KSP.
I finally managed to solve the issue as follows:
After installing and configuring the YubiHSM KSP, install your exported certificate. After installing the certificate check its validity with:
certutil -verifystore my <certificate hash>
If you still cannot see the installed certificate try adding it manually using:
certutil -addstore -f "My" "MyCertificate.cer"
Once you can find the imported certificate, you need to manually bind the certificate to the private key. This is because the key is not stored with the certificate and Windows doesn’t automatically create an association between the two.
certutil -repairstore my <certificate hash>
Now you should be able to see the correct key label in the Key Container field using the certutil -verifystore command.
After that you should be able to start signing your binaries with signtool. However, I had to add the /sm flag to make it work.
signtool sign /sm /a /n "<CertificateName>" /fd sha256 path-to-binary-to-sign.exe

Invalid provider type specified error in code signing the vsto outlook application

I bought a code signing certificate from GoDaddy and generated a .pfx file from it. But when I use this file to code sign the ClickOnce manifest of my Outlook VSTO application, I get this error in Visual Studio:
An error occurred while signing: Invalid provider type specified.
What could be the problem here?
Thanks.
The signing identity stored in the .pfx container is most likely of the older "Cryptographic Service Provider" (CSP) style. The environment you are using to sign your package looks like it requires a "Cryptography API: Next Generation" (CNG) provider type. The solution would be to convert your existing container to use the CNG Storage Provider. This should be done by the following steps ...
Import the PFX into your personal store
Export the public key from the store by going through export wizard
Export the private key using OpenSSL into .pem format
openssl.exe pkcs12 -in <original pfx file>.pfx -nocerts -out <pem file location>.pem
Convert to PVK
pvk.exe -in <pem file location>.pem -topvk -strong -out <pvk file location>.pvk
Merge the Public and Private keys
pvk2pfx.exe -pvk <pvk file location>.pvk -pi <pvk password> -spc <pvk file location>.cer -pfx <new pfx file location>.pfx -po <pfx password>
Now you can import the newly created pfx file into the Certificate Manager. Make sure you remove the old certificate first from the Certificate Manager. Once the certificate is in place you can use certutil again to validate if the certificate is now correct.
If it now shows the provider as "Microsoft Strong Cryptographic Provider" you know the operation has been successful.
Credit goes to Remy's Blog, where you may find the full explanation of the issue with examples and verification steps: Converting Certificate to use CSP Storage Provider instead of CNG Storage Provider.
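The answer's final check is whether the installed certificate's private key now lives in a CSP (for example "Microsoft Strong Cryptographic Provider") or in a CNG key storage provider. The following script is an added example, not code from the answer or from Remy's blog; it assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later and RSA keys, and reports the key type, provider and container name for every certificate with a private key in the current user's Personal store.

```powershell
# Added example: classify each private key in Cert:\CurrentUser\My as CSP or CNG.
# Assumes Windows PowerShell 5.1 / .NET Framework 4.6+ (RSACertificateExtensions)
# and RSA keys; other key types are reported as "unknown".
Get-ChildItem Cert:\CurrentUser\My |
  Where-Object { $_.HasPrivateKey } |
  ForEach-Object {
    $cert = $_
    # Returns RSACryptoServiceProvider for CSP-backed keys and RSACng for CNG-backed keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $kind      = 'CSP'
        $provider  = $rsa.CspKeyContainerInfo.ProviderName      # e.g. Microsoft Strong Cryptographic Provider
        $container = $rsa.CspKeyContainerInfo.KeyContainerName
    }
    elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $kind      = 'CNG'
        $provider  = $rsa.Key.Provider.Provider                 # e.g. Microsoft Software Key Storage Provider
        $container = $rsa.Key.KeyName
    }
    else {
        $kind      = 'unknown (non-RSA key or key not accessible)'
        $provider  = ''
        $container = ''
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        KeyType    = $kind
        Provider   = $provider
        Container  = $container
    }
  } | Format-Table -AutoSize
```

A code-signing certificate whose Provider column reads "Microsoft Strong Cryptographic Provider" with KeyType CSP is the state the answer describes as successful.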

How to add certificates to SonarLint in Eclipse

A certificate is required to connect to my SonarQube server. I have installed the SonarLint plugin, but it does not have any option to add certificates to connect to my SonarQube server. It only has URL, username, and password options. Is there any way to set certificates?
SonarLint does not permit the configuration of certificates, but you can add the certificate to the JRE or JDK.
https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
Copied text from the Oracle documentation:
Import the Certificate as a Trusted Certificate
Before you can grant the signed code permission to read a specified file, you need to import Susan's certificate as a trusted certificate in your keystore.
Suppose that you have received from Susan
the signed JAR file sCount.jar, which contains the Count.class file, and
the file Example.cer, which contains the public key certificate for the public key corresponding to the private key used to sign the JAR file.
Even though you created these files and they haven't actually been transported anywhere, you can simulate being someone other than the creator and sender, Susan. Pretend that you are now Ray. Acting as Ray, you will create a keystore named exampleraystore and will use it to import the certificate into an entry with an alias of susan.
A keystore is created whenever you use a keytool command specifying a keystore that doesn't yet exist. Thus we can create the exampleraystore and import the certificate via a single keytool command. Do the following in your command window.
Go to the directory containing the public key certificate file Example.cer. (You should actually already be there, since this lesson assumes that you stay in a single directory throughout.)
Type the following command on one line: keytool -import -alias susan -file Example.cer -keystore exampleraystore
Since the keystore doesn't yet exist, it will be created, and you will be prompted for a keystore password; type whatever password you want.
The keytool command will print out the certificate information and ask you to verify it, for example, by comparing the displayed certificate fingerprints with those obtained from another (trusted) source of information. (Each fingerprint is a relatively short number that uniquely and reliably identifies the certificate.) For example, in the real world you might call up Susan and ask her what the fingerprints should be. She can get the fingerprints of the Example.cer file she created by executing the command
keytool -printcert -file Example.cer
If the fingerprints she sees are the same as the ones reported to you by keytool, the certificate has not been modified in transit. In that case you let keytool proceed with placing a trusted certificate entry in the keystore. The entry contains the public key certificate data from the file Example.cer and is assigned the alias susan.

gpgsm -a --export-secret-key-p12 [keyid] under windows showing error message "No secret key"

I have installed the gpg4win version 2.2. I have successfully created the certificate using gpgsm --gen-key > test.p10
I want to export the created certificate request into PKCS#12 format with gpgsm --export-secret-key-p12, but while exporting into p12 I get the error message "No Secret key".
When I run gpgsm --list-secret-keys on the command prompt, it indeed displays nothing.
Why would the export step fail? And where are the secret keys stored when generating certificates?
I have Successfully created the certificate using gpgsm --gen-key > test.p10
GpgSM from gpg4win-2.x can only generate certificate signing requests.
It stores the secret part of your certificate under %APPDATA%\gnupg\private-keys-v1.d and prints out the signing request. That signing request is supposed to be sent to a Certificate Authority that signs your certificate (like cacert).
You then import the signed certificate and it will then show up under --list-secret-keys and will be exportable.
With GnuPG 2.1 (can be downloaded as a Windows installer from gnupg.org) you are asked when generating a key if you want to self-sign it. In that case your "test.p10" would contain the signed certificate that you can then import into gpgsm and use / export directly without the need for a CA.

VS2012 Signing Assembly Error - "Cannot find the certificate..."

I'm trying to sign my app in VS2012 but I'm receiving "Cannot find the certificate and private key for decryption" error.
What I do:
I received my certificate from Comodo CA Limited in Google Chrome.
Exported the certificate to a file with the "Include all certificates" and "Export private key" options.
In VS2012, on the Signing tab, I browse to the certificate file and fill in the password. The "Cannot find..." error appears.
I also tried all steps in this tutorial: 'Visual Studio error 'Cannot find...'' in the Comodo Knowledge Base, but no success.
The same key works fine when signing with the Comodo kSign tool and also when using signtool.exe
....
The most common problem arises when using a .pfx file that contains chaining information. You can remove chaining information from the key file by running the Certificate Manager snap-in (Certmgr.msc), importing the pfx file into the personal certificate store, and then exporting it without including the certificate chain information.
Importing the certificate in MMC and exporting again doesn't help
...
I tried it on another machine, but had the same problem.
Any ideas?
https://msdn.microsoft.com/en-us/library/aa730868%28vs.80%29.aspx#rsvssign_topic3
The .pfx file cannot include certificate chaining information. (If the .pfx file does include this information, the following import error will occur: "Cannot find the certificate and private key for decryption.")
Just do not set "Include all certificates" while exporting the *.pfx file
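The same chain-free export, scripted, as an added example that is not part of the answer: it assumes Windows 8 / Server 2012 or later (the PKI module's Export-PfxCertificate and Get-PfxData), and the thumbprint and output path are placeholders to adjust. The -ChainOption EndEntityCertOnly switch is the scripted equivalent of leaving "Include all certificates" unchecked, and Get-PfxData then confirms the file carries no chain certificates.

```powershell
# Added example: export a .pfx without chain certificates and verify it.
# Assumes the PKI module (Windows 8 / Server 2012+); placeholders below must be adjusted.
$thumbprint = '<THUMBPRINT-OF-YOUR-CODE-SIGNING-CERT>'          # placeholder
$pfxPath    = "$env:USERPROFILE\Desktop\codesign-nochain.pfx"  # output file (assumed path)
$password   = Read-Host -AsSecureString -Prompt 'Password for the new .pfx'

$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'The certificate in the store has no private key; re-import the original .pfx first.'
}

# EndEntityCertOnly writes only the leaf certificate and its key, no CA chain.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password `
    -ChainOption EndEntityCertOnly | Out-Null

# Verification: Get-PfxData separates the end-entity certificate from any other (chain) certs.
$pfx = Get-PfxData -FilePath $pfxPath -Password $password
'End-entity certificates in file: {0}' -f $pfx.EndEntityCertificates.Count
'Chain/other certificates in file: {0}' -f $pfx.OtherCertificates.Count

if ($pfx.OtherCertificates.Count -gt 0) {
    Write-Warning 'The .pfx still contains chain certificates; VS2012 will report "Cannot find the certificate and private key for decryption".'
}
else {
    "Chain-free .pfx written to $pfxPath"
}
```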