Getting "Failed to detect certificate purpose" when adding a certificate to Certificate Management
Article ID: 195569
Updated On:
Products
Issue/Introduction
The customer is trying to replace his CEM self-signed certificate with his own. When he tries from the Certificate Management page, he is able to browse to the certificate, the UI shows that the certificate looks good but it is not added in the "Select Certificate" window.
The NS logs show the following entry:
Failed to detect certificate purpose.
Invalid provider type specified.
[System.Security.Cryptography.CryptographicException @ mscorlib]
at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at Altiris.Resource.StandardResources.DigitalCertificate.SetCertificatePrivateKey(X509Certificate2 certificateObject)
at Altiris.Resource.StandardResources.DigitalCertificate.Initialize()
at Altiris.Resource.StandardResources.DigitalCertificate.DetectCertificatePurposes(X509Certificate2 certificate, Boolean ignorePrivateKeyForChecks)
Exception logged from:
at Altiris.Resource.StandardResources.DigitalCertificate.DetectCertificatePurposes(System.Security.Cryptography.X509Certificates.X509Certificate2, Boolean)
at Altiris.NS.StandardItems.CertificateConfiguration.CertificateDetails..ctor(System.Security.Cryptography.X509Certificates.X509Certificate2, Boolean)
at Altiris.NS.UI.Admin.ClientManagement.Certificate.CertificateDetailsControl+CertificateDetailsProvider.GetCertificateDetails(System.Security.Cryptography.X509Certificates.X509Certificate2, Altiris.NS.UI.CertUtilities+LoadedCertificate+Type)
at Altiris.NS.UI.Admin.ClientManagement.dlgImportCertificate.AddRow(System.Data.DataTable, System.Security.Cryptography.X509Certificates.X509Certificate2, Altiris.NS.UI.CertUtilities+LoadedCertificate+Type)
at Altiris.NS.UI.Admin.ClientManagement.dlgImportCertificate.OnLoadFinished(Object, EventArgs)
at System.Web.UI.HtmlControls.HtmlInputButton.OnServerClick(EventArgs)
at System.Web.UI.Page.ProcessRequestMain(Boolean, Boolean)
at System.Web.UI.Page.ProcessRequest(Boolean, Boolean)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.AltirisPage.ProcessRequest(System.Web.HttpContext)
at Altiris.NS.UI.Admin.ClientManagement.dlgImportCertificate.ProcessRequest(System.Web.HttpContext)
at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(System.Web.HttpApplication+IExecutionStep)
at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)
---------------------------------------
Date: 7/16/2020 12:32:23 PM, Tick Count: 799250187 (9.06:00:50.1870000), Size: 3.95 KB
Process: w3wp (19992), Thread ID: 138, Module: Altiris.Resource.dll
Priority: 1, Source: Altiris.Resource.StandardResources.DigitalCertificate.DetectCertificatePurposes
If I go to IIS Manager and change the binding to the new certificate, Certificate Management (under SMP Console>Settings>Notification Server) shows that it is now in use but shows this error status:
"No private key, or key is not exportable"
We know that the certificate has a private key and we are able to export the certificate with its private key using MMC.
Cause
The problem is with how the certificate was created. Certificate can be in CNG format while we work with legacy, RSA one.
This is a certificate with RSA key, but this is RSACng key. Currently we use .NET 4.5.1 while CNG support was implemented reliably for .NET 4.6.2. .NET 4.5.1 can't work with CNG crypto providers.
Environment
ITMS 8.5, 8.6
Resolution
We suggest to re-create the certificate using legacy key crypto providers.
You can try to convert your certicate from CNG to RSA as described here:
https://stackoverflow.com/questions/22581811/invalid-provider-type-specified-cryptographicexception-when-trying-to-load-pri
As mentioned in the article above (the conversation of your certificate is outside of our Support scope):
The suggested approach uses OpenSSL and two older tools to accomplish the private key conversion. Given MYCERT.pfx with private key password MYPWD in CNG format, these are the steps to get a new CONVERTED.pfx with private key in RSA format and same password:
- Extract public keys, full certificate chain:
OpenSSL pkcs12 -in "MYCERT.pfx" -nokeys -out "MYCERT.cer" -passin "pass:MYPWD"
- Extract private key:
OpenSSL pkcs12 -in "MYCERT.pfx" -nocerts –out “MYCERT.pem" -passin "pass:MYPWD" -passout "pass:MYPWD"
- Convert private key to RSA format:
OpenSSL rsa -inform PEM -in "MYCERT.pem" -out "MYCERT.rsa" -passin "pass:MYPWD" -passout "pass:MYPWD"
- Merge public keys with RSA private key to new PFX:
OpenSSL pkcs12 -export -in "MYCERT.cer" -inkey "MYCERT.rsa" -out "CONVERTED.pfx" -passin "pass:MYPWD" -passout "pass:MYPWD"
If you load the converted pfx or import it in the Windows certificate store instead of the CNG format pfx, the problem goes away.
Attachments
Feedback
