Exporting private key in Windows RT 8.1 - winapi

I am having trouble exporting a certificate's private key on WinRT 8.1 using the new Cryptography API.
With the help of the MS Cryptography and Certificate sample I am able to list certificates from the system certstore and get the selected certificate's keypair using
CryptographicKey keyPair = await PersistedKeyProvider.OpenKeyPairFromCertificateAsync(cert, HashAlgorithmNames.Sha1, CryptographicPadding.RsaPkcs1V15);
But then, when I try to export the private key using
IBuffer pkey = keyPair.Export(CryptographicPrivateKeyBlobType.Pkcs8RawPrivateKeyInfo);
a NotSupportedException is thrown, no matter what blob type I use as the parameter.
The certificate I work with was imported from a pfx by Windows Importer with Strong protection disabled and marked as Exportable; however, it still seems that the Cryptography API has some problems accessing the private key (which I need for signing via the SecureBlackBox library).
Does anyone know how to solve this issue and obtain the certificate's private key?

Related

Developer ID Application Certificate missing a child key in Keychain Access

I am trying to recreate a Developer ID Application certificate, so I can sign my application. I had an existing certificate, but it's about to expire, so I am trying to regenerate a new one.
However, when I download a newly generated certificate from developer.apple.com, the imported certificate has no key as its child node in Keychain Access. The old certificate had this. When I attempt to use the certificate for code signing I receive something like:
/tmp/myapp.app/Contents/app/bin/myapp.exe: errSecInternalComponent
I am following the instructions to obtain a signed certificate using Certificate Assistant:
Ensuring nothing is selected in Keychain Access, click Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
I enter my email, accept the default Common Name and click Saved to disk.
In developer.apple.com I click the "+" to Create a New Certificate
I choose Developer ID Application
I upload the CSR I saved above
I download the .cer file that is generated
I open the .cer file. This adds the certificate.
As you can see, the certificate does not have a private key inside it, like the old one:
Unfortunately I don't have the old certificate now having deleted it in a fit of pique but it looked like this:
... although in my case it had my private key.
I've noticed reference to the claim that creating a CSR also creates a public/private key pair, but I cannot see these anywhere in Keychain Access.
Later, I did manage to import the certificate and it showed the private key. I think this was when I imported it into the same keychain as that which contains a private key "Dan Gravell" - login. However, I have since tried replicating that and now the certificate is being imported without a key again.
Xcode appearance
I've discovered there's a little more information in Xcode. The certificate shows "Missing Private Key" next to it:
When I look this error up, the suggestions seem to be that the certificate has been given to a developer by some third party that didn't include the private key. However, in my case I am that third party who has created the CSR and received the certificate originally and I thought I had the private key, otherwise I wouldn't have been able to create the CSR in the first place. All these items appear to be in my keychain.
I (eventually) got a reply from Developer Program Support. They issued a new certificate which I installed via XCode this time. I documented my other steps here: https://stackoverflow.com/a/74210449/28190

Does Windows Certificate Issuer not provide a secret key?

I'm trying to set up an SSL from Namecheap and I need both the public cert and the private key but Windows seems only to give the public key. I even tried using the export option later on and found nothing akin to a secret key (shown below):
Any insight would be appreciated greatly.

Install private key from CSR file in Keychain on Mac?

I accidentally deleted my private key from Keychain. I have that same CSR file and iPhone Distribution certificate, and I want to install the private key from the CSR file. When I install the iPhone Distribution certificate I am not getting the private key in Keychain Access. I don't have developer account access now. How do I do that?
The certificate signing request (CSR) does not include the private key, only the public key. If you don't have some sort of backup (of the keychain or an exported private key), you will not be able to recreate it.

Public Key signing/verification

I'm developing an application to manage file and email encryption using (primarily) PKI. I have a Public Keyring with a list of contacts and their Public Keys.
Referring back to the olden days when I used PGP, I recall a requirement to sign public keys with your Private Key.
Is this a necessity on PKI and if so, what does this signing achieve? Is it bad practice to simply hold a list/database of people's names (and email) and their Public Key? Surely if their public key is - in any way - tampered with the encryption would fail and as you choose who you're sending or sharing the encrypted data with, even if a 'successful tamper' went unnoticed, the encrypted data wouldn't end up in the wrong hands anyway?
The whole thing about signing a public key with a private key is useful when you have a dedicated key-pair that you use only for signing, and then other key-pairs that you use for encrypting. This dedicated key-pair is your "trusted" key-pair that is somehow known to be legitimately attached to you (often by having it signed by a certificate authority or by having many trusted people sign that they have verified its connection to you.)
You use this "trusted" private key to sign your not-quite-as-trusted public key. This way, people can un-sign/decrypt your new public-key with your trusted public-key. This is only mathematically possible if it was signed by your trusted private-key.
This process helps people to be sure that this new public-key actually belongs to you.
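An added example, not part of the original answer: a keyring whose entries are signed by a dedicated trusted key, as the answer describes, written with Node.js's built-in crypto module. The Ed25519 trusted key, the RSA contact keys, the address and every function name are assumptions chosen for illustration. It shows that an entry whose key has been replaced still encrypts without error, and that only the signature check catches the replacement.

```javascript
const nodeCrypto = require('crypto');

// Bytes covered by the signature: e-mail, a NUL separator, then the key as DER SubjectPublicKeyInfo.
function toBeSigned(email, spkiDer) {
  return Buffer.concat([Buffer.from(email, 'utf8'), Buffer.from([0]), spkiDer]);
}

// Sign a contact's public key with the trusted (signing-only) private key.
function certifyEntry(trustedPrivateKey, email, publicKey) {
  const spkiDer = publicKey.export({ type: 'spki', format: 'der' });
  const signature = nodeCrypto.sign(null, toBeSigned(email, spkiDer), trustedPrivateKey);
  return { email, spkiDer, signature };
}

// True only if the entry's key is the one the trusted key signed for this e-mail.
function verifyEntry(trustedPublicKey, entry) {
  return nodeCrypto.verify(null, toBeSigned(entry.email, entry.spkiDer), trustedPublicKey, entry.signature);
}

// RSA-OAEP encryption to whatever key the entry holds; no check is made here.
function encryptTo(entry, plaintext) {
  const key = nodeCrypto.createPublicKey({ key: entry.spkiDer, format: 'der', type: 'spki' });
  return nodeCrypto.publicEncrypt({ key, oaepHash: 'sha256',
    padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING }, plaintext);
}

// Refuse to encrypt unless the keyring entry verifies against the trusted key.
function encryptToVerified(trustedPublicKey, entry, plaintext) {
  if (!verifyEntry(trustedPublicKey, entry)) {
    throw new Error(`key for ${entry.email} is not signed by the trusted key`);
  }
  return encryptTo(entry, plaintext);
}

// Constructed demo: every key and the address below are generated or made up here.
function demo() {
  const trusted = nodeCrypto.generateKeyPairSync('ed25519');
  const bob = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const entry = certifyEntry(trusted.privateKey, 'bob@example.test', bob.publicKey);
  // The same keyring entry with the stored key replaced by a different key.
  const swapped = { ...entry, spkiDer: other.publicKey.export({ type: 'spki', format: 'der' }) };
  const msg = Buffer.from('quarterly report');
  let rejected = false;
  try { encryptToVerified(trusted.publicKey, swapped, msg); } catch (e) { rejected = true; }
  return { genuine: verifyEntry(trusted.publicKey, entry),
           swapped: verifyEntry(trusted.publicKey, swapped),
           swappedCiphertextBytes: encryptTo(swapped, msg).length, rejected };
}
```

In an application, `encryptToVerified` is the only path that should reach `encryptTo`, and the trusted public key has to be obtained out of band rather than from the same keyring it protects.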

How to sign text or XML with PFX asking for the private key password. (VS 2005)

I'm trying to sign some text or XML node using my certificates, installed on Internet Explorer or from filesystem (or some method!)...but I want to ask the user for his certificate password when signing.
If I'm not wrong, I think that I need that password to access the private key and, with that key, sign my data. Is that OK?
Nothing that I read helps me in the part of asking the password or getting the private key.
Some examples or help will be great.
With X509Certificate2 x509 = new X509Certificate2(@"c:\Test.pfx", "test") you can import the certificate with the private key information from the PFX file. The private key can be received by x509.PrivateKey.
You can find many examples how to sign XML file. For example http://developers.de/blogs/rolf_nebhuth/archive/2009/05/13/signing-xml-documents.aspx or http://www.west-wind.com/weblog/posts/257599.aspx.
