EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Sharing Private Key using Secure Black Box

Posted: 10/11/2007 06:12:11
by Anand Parthasarathi (Basic support level)
Joined: 10/11/2007
Posts: 1

In our application we are trying to use a single certificate for authenticating several ASP.NET sites on the same server.

We are adding the certificate to the Local Computer store. The sites are impersonating using different users but on the same machine. By assigning proper registry access we are able to add the certificate to the Local Computer store. But when the second site is trying to add the certificate to its transaction, it's unable to do so. Also, in the certificate store, when we try to export the installed certificate, the MMC console does not have the option for exporting the private key enabled.

The certificate is added to the store using winCertStorage.Add(X509Certificate cert, string storename, bool copyPrivateKey, bool exportable, bool protected).
Is there any parameter to be specified to have the certificate's private key shared, so that if the certificate is added to the Local Computer store any user on that machine can have full access to the certificate?

Kindly clarify ASAP.
Posted: 10/12/2007 01:20:20
by Ken Ivanov (Team)

CryptoAPI supports so-called non-exportable private keys. This means that you can perform operations with the private key, but you cannot export it. A disabled 'export private key' option in MMC may have two different reasons: (a) the private key was imported as non-exportable, (b) the private key was not imported at all. The presence of the private key can be checked by the label on the 'General' tab of the Windows certificate properties dialog.

Please use the parameters of TElWinCertStorage.Add() method to configure the import process:
(a) CopyPrivateKey -- specifies if the private key should be imported,
(b) Exportable -- specifies if the private key should be imported as exportable,
(c) Protected -- specifies if extra protection level should be used for the private key (either dialog window alert or password-based protection).

"But when the second site is trying to add the certificate to its transaction, it's unable to do so."

Would you be so kind as to provide us with more details about this -- i.e., is some exception thrown/error returned/something else?
Posted: 10/14/2007 23:09:36
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

We have two user accounts, "User1" and "User2", which belong to the Users group and don't have Admin rights.
We have a .NET application through which we are creating a self-signed certificate (with private key) with an impersonated user "User1". We are adding this certificate to the Local Computer's "Personal" and "Trusted Root" stores using the impersonated user "User1". We are able to communicate with the external application through the impersonated user "User1". When we try to communicate with the external application with the other impersonated user "User2", communication fails.
We debugged the application to see what certificate (self-signed cert) details are being sent for communication.
User1, who installed the certificate to the Local Computer's "Personal" and "Trusted Root" stores, can see all the details, including the property "PrivateKeyExists" set to "TRUE". With User2, the property "PrivateKeyExists" is set to "FALSE" and some of the details have error messages (Time Out).
Our concern is: when we generate a self-signed certificate (with private key) as user "User1" and add it to the certificate stores, will other users be able to access the private key? Or is there a way to share the certificate with all details, including the private key, with other user(s)? Or do you find any issue with the way we are storing certificates to the store (please find the code snippet for your analysis)?

Your help is greatly appreciated.

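[code]
// Generate the self-signed certificate and its key pair
cert.Generate(this.m_bytSignatureAlgorithm, this.m_usPublicKeyLength);
// ROOT store: certificate only (CopyPrivateKey = false)
TElWinCertStorage.Add(cert, "ROOT", false, false, false);
// MY store: certificate with private key, exportable, no extra protection
TElWinCertStorage.Add(cert, "MY", true, true, false);
[/code]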

Posted: 10/15/2007 04:24:01
by Ken Ivanov (Team)

It seems that User2 does not have enough rights to access the local machine store. Please see the following conversation and check if it is applicable to your situation.
Posted: 10/15/2007 05:24:57
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

User1 and User2 both have full control permission to the registry "SystemCertificates" folder.
Posted: 10/15/2007 05:37:40
by Ken Ivanov (Team)

Please note that your code imports the private key into the 'MY' store only (it is not imported to the 'ROOT' store by your code). Please check that User2 also tries to access the private key for the certificate contained in the 'MY' store.
Posted: 10/15/2007 05:47:36
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

Our code is not hard-coded for User1 and User2; it is the same for both users, and we are changing the impersonated user from a configuration file.
Posted: 10/15/2007 05:54:37
by Ken Ivanov (Team)

It does not matter -- please check that you are trying to get the private key for the right certificate (i.e., the one imported to the MY store).
Posted: 10/15/2007 06:02:10
by sadanand G (Basic support level)
Joined: 10/12/2007
Posts: 9

Please find the code:
[code]
TElWinCertStorage winCertStorage = new TElWinCertStorage();
// Read from the Local Machine stores rather than the current user's stores
winCertStorage.AccessType = SBWinCertStorage.TSBStorageAccessType.atLocalMachine;
SBX509.TElX509Certificate cert = null;
// i is the index of the certificate looked up in the storage
cert = winCertStorage.get_Certificates(i);
[/code]
"i" is the index of the certificate that I added; I verified it by the common name.
Posted: 10/15/2007 06:18:27
by Ken Ivanov (Team)

Please specify the following parameters of your environment so that we could try to reproduce the issue:
(a) operating system version,
(b) .NET framework version,
(c) SBB version.
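
The check requested earlier in the thread (whether the impersonated account can reach the private key of the certificate in the local machine MY store) can be run under each account with the diagnostic below. It is an added example, not code from the thread or from SecureBlackbox: it uses the .NET Framework's own System.Security.Cryptography.X509Certificates classes, and the class name, the `subjectFragment` parameter and the default search string are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class MachineKeyCheck
{
    // subjectFragment: placeholder, part of the certificate's common name.
    static void Report(string subjectFragment)
    {
        // Shows which account the check really runs as (e.g. after impersonation).
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectFragment, false);
            Console.WriteLine("Matching certificates: " + found.Count);
            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine(cert.Subject + "  thumbprint=" + cert.Thumbprint);
                // True when the certificate carries a link to a key container.
                Console.WriteLine("  HasPrivateKey: " + cert.HasPrivateKey);
                if (!cert.HasPrivateKey) continue;
                try
                {
                    // Opening the key forces CryptoAPI to access the container
                    // as the current identity.
                    RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
                    if (rsa == null) { Console.WriteLine("  Not an RSA CSP key"); continue; }
                    CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                    Console.WriteLine("  Machine key store: " + info.MachineKeyStore);
                    Console.WriteLine("  Exportable: " + info.Exportable);
                    Console.WriteLine("  Container file: " + info.UniqueKeyContainerName);
                }
                catch (CryptographicException ex)
                {
                    // Certificate is visible, but this account cannot open the key.
                    Console.WriteLine("  Private key not accessible: " + ex.Message);
                }
            }
        }
        finally { store.Close(); }
    }

    static void Main(string[] args)
    {
        Report(args.Length > 0 ? args[0] : "example-cn"); // placeholder name
    }
}
```

Comparing the output for the two accounts separates the cases in the thread: the certificate missing from MY, the certificate present without a private key, and the certificate present with a key that the account cannot open.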


