date: Thu, 3 Apr 2008 15:02:21 -0700,
group: microsoft.public.dotnet.security
HttpListener, SSL Certificates, Server and client certificate auth
Can someone please tell me what I am doing wrong. I have been working on
this issue for quite some time.
I have developed a lightweight http server using HttpListener. I want to
use SSL certificates to authenticate both the server to the client and the
client to the server.
When I create a self signed root CA using makecert, then create a server
authentication certificate and a client authentication certificate using
makecert, everything works fine. The client and the server exchange
certificates and it all works. This is great for development, not so great
for a production environment.
When I use a server running certificate services to create certificates, the
server disconnects the client. The client application receives an exception
of:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
I am using a stand-alone machine running Certificate Services. It is a root
CA.
When using Certificate Services, I use a web browser to go to the
Certificate Services web interface. I install the root CA certificate, then
I request a new server auth certificate. Then I issue the certificate on the
CA machine, then I install the certificate using the web interface. Then I
do the same for the client certificate.
Then I use httpcfg to configure the port.
If I use the makecert certificates all is well.
If I use the Certificate Services certificates, it fails.
Obviously I have some configuration issue or I am just not doing something
right. I have no idea.
Anyone know what I am doing wrong? Any ideas about how to debug the issue?
I have turned on SCHANNEL debugging and something of interest is when I use
the microsoft server certificates I get an error in the event log:
A fatal error occurred when attempting to access the SSL server credential
private key. The error code returned from the cryptographic module is
0x80090016
I don't get this error with the makecert certificates.
Please help, thank you.
date: Thu, 3 Apr 2008 15:02:21 -0700
author: Colin
Re: HttpListener, SSL Certificates, Server and client certificate auth
That error indicates that there is no keyset for the SSL cert. Are you sure
the process you used for getting the SSL cert didn't lose the private key?
You can open up the cert in the certificates MMC and see if it says it has a
private key associated with it.
It may also be a permissions problem where your service process doesn't have
the right permissions to read the key or it may be a profile problem where
you have the private key stored in some user's local profile instead of in
the local machine store and thus your service process can't get to it.
HTH!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Colin" wrote in message
news:DEA98F09-EF73-4274-83D4-65A9E0C15B9E@microsoft.com...
> Can someone please tell me what I am doing wrong. I have been working on
> this issue for quite some time.
>
> I have developed a lightweight http server using HttpListener. I want to
> use SSL certificates to authenticate both the server to the client and the
> client to the server.
>
> When I create a self signed root CA using makecert, then create a server
> authentication certificate and a client authentication certificate using
> makecert, everything works fine. The client and the server exchange
> certificates and it all works. This is great for development, not so great
> for a production environment.
>
> When I use a server running certificate services to create certificates,
> the server disconnects the client. The client application receives an
> exception of:
>
> System.Net.WebException: The underlying connection was closed: An unexpected
> error occurred on a send. ---> System.IO.IOException: Authentication failed
> because the remote party has closed the transport stream.
>
> I am using a stand-alone machine running Certificate Services. It is a
> root CA.
> When using Certificate Services, I use a web browser to go to the
> Certificate Services web interface. I install the root CA certificate,
> then I request a new server auth certificate. Then I issue the certificate
> on the CA machine, then I install the certificate using the web interface.
> Then I do the same for the client certificate.
>
> Then I use httpcfg to configure the port.
>
> If I use the makecert certificates all is well.
>
> If I use the Certificate Services certificates, it fails.
>
> Obviously I have some configuration issue or I am just not doing something
> right. I have no idea.
>
> Anyone know what I am doing wrong? Any ideas about how to debug the issue?
>
> I have turned on SCHANNEL debugging and something of interest is when I
> use the Microsoft server certificates I get an error in the event log:
>
> A fatal error occurred when attempting to access the SSL server credential
> private key. The error code returned from the cryptographic module is
> 0x80090016
>
> I don't get this error with the makecert certificates.
>
> Please help, thank you.
date: Fri, 4 Apr 2008 11:37:59 -0500
author: Joe Kaplan
Re: HttpListener, SSL Certificates, Server and client certificate auth
One thing to look out for is that files underneath the "keys" directory do
NOT inherit permissions from the folder, so the ACL change you made there
won't apply to the files underneath. They must be individually ACLed. That
said, the default permissions for a new key file added to that container
should give read access to administrator, so it should not be a permissions
issue.
You might try using a tool like Process Monitor to see what reg keys and
files are being read when it works and when it doesn't to compare notes.
Maybe the problem is related to the profile your server is trying to load
the certificate from?
IIS tends to hide these things from you because it manages all the SSL keys
itself.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Colin" wrote in message
news:9788D730-FC04-4EB5-993B-71EC46BE2EA0@microsoft.com...
> Thanks for your response Joe, how can I troubleshoot this?
>
> I checked the MMC snap-in.
>
> Makecert certificates:
> - There are 3 certificates
> - The self signed root in LocalMachine\TrustedRoot has a private key
> - The Server Authentication cert in LocalMachine\Personal has a private key
> - The Client Authentication cert in LocalMachine\Personal has a private key
> - These certificates work, then again they were made on my computer
>
> Certificate Services:
> - There are again 3 certificates
> - The Root CA in LocalMachine\TrustedRoot DOES NOT have a private key
>   NB: This makes sense to me, the Root CA isn't going to give out its
>   private key, but I trust its public cert.
>   NB: I moved these certificates from CurrentUser to LocalMachine by cut
>   and paste
> - The server authentication cert has a private key
> - The client authentication cert has a private key
>
> I checked the permissions on Documents and Settings\All Users\Application
> Data\Crypto\RSA and DSS\ and set the permissions:
> Administrators: All Access
> System: All Access
> Colin (ME): All Access
> Everyone: Read and Execute
>
> I am running my applications at the command line (and in the debugger). I
> am an administrator on the machine. However the Certificate Services
> certificates were installed by Internet Explorer (using the web interface
> to Certificate Services).
>
> Any ideas would help. Thank you.
date: Fri, 4 Apr 2008 13:33:34 -0500
author: Joe Kaplan
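Joe's three checks (is a private key linked to the cert, is it in the machine key store rather than a user profile, and what is the ACL on the individual key file, since those files don't inherit from the folder) can be run from a small .NET console program. This is an added example, not code from the thread; the class name SslKeyCheck is made up, and the MachineKeys path it uses is the standard CAPI location for machine RSA keys, which the thread does not spell out.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Walks LocalMachine\My and, for each certificate, reports whether a private key
// is linked, whether it sits in the machine key store, and who may read the key file.
class SslKeyCheck
{
    static void Main()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 cert in store.Certificates)
        {
            Console.WriteLine("{0}  [{1}]", cert.Subject, cert.Thumbprint);
            if (!cert.HasPrivateKey) { Console.WriteLine("  no private key linked"); continue; }
            try
            {
                // Reading PrivateKey opens the key container; a missing container throws
                // "Keyset does not exist" (NTE_BAD_KEYSET, 0x80090016), the SCHANNEL code above.
                RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
                if (rsa == null) { Console.WriteLine("  non-RSA key, skipped"); continue; }
                CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                if (!info.MachineKeyStore)
                {
                    Console.WriteLine("  key is in a user profile, not the machine store");
                    continue;
                }
                // Machine RSA keys: <CommonAppData>\Microsoft\Crypto\RSA\MachineKeys\<container>
                // (assumed standard CAPI location; not stated in the thread).
                string keyFile = Path.Combine(
                    Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                    @"Microsoft\Crypto\RSA\MachineKeys\" + info.UniqueKeyContainerName);
                Console.WriteLine("  key file: {0}", keyFile);
                // Key files do not inherit the folder ACL, so read this file's own DACL.
                FileSecurity acl = File.GetAccessControl(keyFile);
                foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
                    Console.WriteLine("    {0} {1}: {2}", rule.AccessControlType, rule.IdentityReference, rule.FileSystemRights);
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine("  private key not accessible: {0}", ex.Message);
            }
        }
        store.Close();
    }
}
```

Run it elevated on the server box; the account that needs to appear with read access on the key file is the one http.sys/HttpListener loads the certificate under, not the interactive user who installed it.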