date: Sun, 8 Jun 2008 01:48:00 -0700,    group: microsoft.public.platformsdk.security


Certificate with missing private key   
Hi All,

I have one specific problem with certificates and signing a document. On my 
computer I have one certificate (originally with a private key), but now the 
container for the certificate is missing (I don't know why, but this is not 
the problem). If I view the certificate in IE, it says that I have a private 
key for this certificate, but if I want to export the certificate with the 
private key, the wizard gives me the message that the container for the 
private key is missing. If I want to sign a message using CryptSignMessage 
with this certificate, I get the error NTE_BAD_KEYSET.

I want to find a way to get information on whether the private key that 
corresponds to the certificate is valid or not. I tried to use the function 
CryptAcquireCertificatePrivateKey, but the function says that this certificate 
has a private key and does not verify whether it exists. Is it possible to 
verify the existence of the private key? I think yes, because the certificate 
export wizard knows this.

- Laco.
date: Sun, 8 Jun 2008 01:48:00 -0700   author:   Ladislav Dudáš

RE: Certificate with missing private key   
I guess you really lost the private key for the cert - but the link to it was 
not deleted. Note that some Windows components will just check if there is a 
link and report that you have the cert - but, as you found, when the link is 
followed (to actually get the key) it goes to nowhere and you don't get the 
private key.

If you didn't back up the private key then you will need to generate a new 
key pair and get a new certificate, then replace the current one with the new 
one.
If you backed up the cert with the private key you would just have to delete 
the cert and import back from the backup.

Is this cert yours? (I mean the user logged in?) Did you forcibly change 
the password of this user (not via change password as the user but via User 
Management console)? In the latter case a lot of crypto stuff for the user is 
lost - including private keys.

Laszlo Elteto
SafeNet, Inc.

date: Mon, 9 Jun 2008 13:08:00 -0700   author:   lelteto

RE: Certificate with missing private key   
Thank you for the answer, this explains to me why CryptAcquireCertificatePrivateKey 
doesn't work. But is there a function in the SDK to check whether the private 
key exists, not only the link to it? 

- Laco.

date: Mon, 9 Jun 2008 21:52:00 -0700   author:   Ladislav Dudáš

RE: Certificate with missing private key   
After you call CryptAcquireCertificatePrivateKey try calling CryptGetUserKey 
with the returned hCryptProv and dwKeySpec, then try to USE the key (if these 
succeed). However, if the private key is password protected, you may get a 
GUI PROMPT. I don't have a better idea.

Laszlo Elteto
SafeNet, Inc.

date: Tue, 10 Jun 2008 08:36:05 -0700   author:   lelteto
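
The check suggested in the reply above (follow the link, then actually use the key), as an added example that is not part of the original thread. It uses .NET classes from PowerShell rather than the CryptoAPI calls named in the thread: HasPrivateKey plays the role of the link-only check, and one signature over constructed data is the "use" step. Test-CertPrivateKey is a hypothetical helper name, and the store path is an assumption.

```powershell
# Added example: .NET analogue of "acquire the key, then try to USE it".
# Test-CertPrivateKey is a hypothetical helper name, not a built-in cmdlet.
function Test-CertPrivateKey {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $status = 'NoKeyLink'
        $detail = ''
        if ($Certificate.HasPrivateKey) {
            # HasPrivateKey only proves the certificate carries a link to a key
            # container; it does not open the container.
            if ($Certificate.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {
                $status = 'SkippedNonRsa'   # this sketch only probes RSA keys
            } else {
                $rsa = $null
                try {
                    # Follow the link and make one signature over constructed data.
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
                    if ($null -eq $rsa) { throw 'No RSA private key could be opened.' }
                    $probe = [System.Text.Encoding]::ASCII.GetBytes('key-usability-probe')
                    [void]$rsa.SignData($probe,
                        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
                    $status = 'Usable'
                } catch {
                    # A dangling link surfaces here; Detail carries the provider's message.
                    $status = 'Unusable'
                    $detail = $_.Exception.Message
                } finally {
                    if ($rsa) { $rsa.Dispose() }
                }
            }
        }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            Status     = $status
            Detail     = $detail
        }
    }
}

# Audit the current user's personal store (assumed; the thread does not name the store).
Get-ChildItem Cert:\CurrentUser\My | Test-CertPrivateKey |
    Format-Table Subject, Thumbprint, Status, Detail -AutoSize
```

As the reply warns, a key stored with password protection may raise a GUI prompt at the signing step, so run the audit interactively rather than from a service.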

RE: Certificate with missing private key   
Thank you,

Works fine now, CryptGetUserKey returns FALSE for a certificate with a missing 
private key.

- Laco.

date: Tue, 10 Jun 2008 12:15:03 -0700   author:   Ladislav Dudáš
