SteveSyfuhs/Crypto

Not able to set subordinate certificate to export private key.

novetbstewart opened this issue · 2 comments

The CA certificate contains a private key, but the SSL certificate doesn't have one, which means it's not importable into IIS.

I took a look through the code and it's way too convoluted for me to figure out how to set it. I've tried every flag and every trick I know to get the private key out.

Please advise.

Did you manage to solve the problem with the lack of a private key in the signed cert?

I have another problem when I try to use a CA created in XCA. I get the error "Keyset does not exist" when calling CryptSignAndEncodeCertificate.
Is there anybody who can help me find the solution? I tried many settings, nothing helped. When I compare the CA created in the app and the CA created in XCA, I notice that the key provider is different ("RSA-PKCS1-KeyEx", not "Microsoft Enhanced RSA and AES Cryptographic Provider"), but I cannot set the same one in the app :/

There's a fair bit of information missing from this, so it's a little difficult to provide specific answers. The code lazily assumes you're generating the subordinate certificate at the time of signing, so it has a private key with it. You need to reassociate the keys if you're signing the subordinate without the private key because it's stored elsewhere or going through some other process. You can do this by taking the newly signed X509Certificate2 object and setting the PrivateKey property to whatever the original private key was, either by opening it from an X509Store or by importing it from a PFX. You can then do whatever you want with that cert -- write it to an X509Store or export it to a PFX. To do that you'd want to set the exportable flag CspProviderFlags.UseArchivableKey: https://msdn.microsoft.com/en-us/library/system.security.cryptography.cspproviderflags(v=vs.110).aspx

If the CA bit cannot find the private key, then either it's genuinely not there, or it's using a key provider that is incompatible with the existing providers. It tries to open the CA private key provider here using the pwszProvName field: https://github.com/SteveSyfuhs/Crypto/blob/master/KeyGenSigning/CertLib/CertificateSigner.cs#L56

You might try exporting/reimporting the key. That might re-import using one of the known providers.
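The reply above describes the fix in prose: take the signed X509Certificate2, set its PrivateKey to the original key (from a CSP key container or a PFX), make sure the key is exportable, then export a PFX that IIS will accept. The following is an added worked example written for this page; it is not code from the SteveSyfuhs/Crypto repository. It targets .NET Framework 4.x, where the X509Certificate2.PrivateKey setter still exists, and uses the same CSP the thread names ("Microsoft Enhanced RSA and AES Cryptographic Provider", provider type 24). The file paths, passwords and the key container name are placeholders. The DescribeKey helper is a diagnostic for the "Keyset does not exist" case: it prints which provider and container the key actually lives in and whether the CSP will let it be exported.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of SteveSyfuhs/Crypto. .NET Framework 4.x only:
// X509Certificate2.PrivateKey is read-only in .NET Core, use CopyWithPrivateKey there.
static class SubordinateKeyReattach
{
    // Provider type 24 is PROV_RSA_AES, the type of the CSP named in the thread.
    const int ProvRsaAes = 24;
    const string ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider";

    // Case 1: the subordinate key lives in a CSP key container generated earlier.
    // createIfMissing = true  -> generate a new archivable (exportable) key if none exists;
    //                            an existing container is simply opened.
    // createIfMissing = false -> UseExistingKey: the CSP throws CryptographicException
    //                            ("Keyset does not exist") instead of silently creating one,
    //                            which is the failure the thread describes.
    public static RSACryptoServiceProvider OpenContainerKey(string containerName, bool createIfMissing)
    {
        var csp = new CspParameters(ProvRsaAes, ProviderName, containerName)
        {
            Flags = CspProviderFlags.UseMachineKeyStore |
                    (createIfMissing ? CspProviderFlags.UseArchivableKey
                                     : CspProviderFlags.UseExistingKey)
        };
        return new RSACryptoServiceProvider(2048, csp);
    }

    // Case 2: the subordinate key was kept in a PFX. Exportable is required here,
    // otherwise the later PFX export fails even though HasPrivateKey is true.
    public static AsymmetricAlgorithm LoadKeyFromPfx(string pfxPath, string password)
    {
        var holder = new X509Certificate2(File.ReadAllBytes(pfxPath), password,
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
        if (!holder.HasPrivateKey)
            throw new CryptographicException("PFX carries no private key: " + pfxPath);
        return holder.PrivateKey;
    }

    // Reassociate the original key with the freshly signed certificate. The setter
    // checks that the key matches the certificate's public key and throws
    // CryptographicException if it does not (wrong key or wrong container).
    public static X509Certificate2 Reattach(X509Certificate2 signedCert, AsymmetricAlgorithm originalKey)
    {
        if (!signedCert.HasPrivateKey)
            signedCert.PrivateKey = originalKey;
        return signedCert;
    }

    // Diagnostic for "Keyset does not exist" / export failures: which CSP and
    // container the key is in, and whether the CSP marks it exportable.
    public static string DescribeKey(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            return "private key is not a CAPI (RSACryptoServiceProvider) key";
        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        return string.Format("provider='{0}' container='{1}' machineKeyStore={2} exportable={3}",
            info.ProviderName, info.KeyContainerName, info.MachineKeyStore, info.Exportable);
    }

    // Export cert + key as a PFX for IIS. Throws CryptographicException when the
    // underlying key was generated without the archivable/exportable flag.
    public static void ExportPfx(X509Certificate2 cert, string outPath, string password)
    {
        byte[] pfx = cert.Export(X509ContentType.Pfx, password);
        File.WriteAllBytes(outPath, pfx);
    }

    public static void Main()
    {
        // signed.cer: the subordinate certificate as returned by the signer, public part only.
        var signed = new X509Certificate2(File.ReadAllBytes(@"C:\certs\signed.cer"));

        // Pick whichever place the original key actually is (placeholder names).
        AsymmetricAlgorithm key = File.Exists(@"C:\certs\subordinate-key.pfx")
            ? LoadKeyFromPfx(@"C:\certs\subordinate-key.pfx", "pfx-password")
            : OpenContainerKey("SubordinateKeyContainer", createIfMissing: false);

        var cert = Reattach(signed, key);
        Console.WriteLine(DescribeKey(cert));
        ExportPfx(cert, @"C:\certs\signed-with-key.pfx", "export-password");
    }
}
```

Two practical checks follow from the code: if OpenContainerKey with createIfMissing false throws, the key really is in a different provider or container than the one the CA code opens by pwszProvName, and exporting/reimporting the key into this CSP (as the reply suggests) is the fix; if Reattach succeeds but ExportPfx throws, the key exists but was generated without UseArchivableKey, and it has to be regenerated or reimported with X509KeyStorageFlags.Exportable.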