Unable to display Notification Server certificates on Certificate Management page: Failed to process master certificate loading.

Article ID: 275455

Products

IT Management Suite
Client Management Suite

Issue/Introduction

When reviewing the certificates used by the Notification Server under Certificate Management (Settings > All Settings > Notification Server), the page fails to load.
This started happening after migrating to a new SMP Server while still using the same FQDN as the previous one.

The following errors are displayed in the NS logs:

Entry 1:

HTTP Request failed:
 /Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&ParentGuid=00000000-0000-0000-0000-000000000000&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&itemType=Report&Url=http%3a%2f%2SMPSERVER.example.net%2fAltiris%2fConsole%2ftree.aspx%3fViewGuid%3da57fb0e9-0676-4e00-929a-6bb37dc1f888%26itemType%3dReport%26%26ConsoleGuid%3d1b22db4e-a898-443f-9b99-855b1653d3f5&Cart_grdCertUsage_CAGrid_Callback=yes


Key not valid for use in specified state.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
   at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.LoadMasterCertificate(X509Certificate2 masterCertificate, IntPtr& pAuthorityKeyID, UInt32& issuerKeyType)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.GenerateCertificate()
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, DateTime expiryTime, X509Certificate2 signingCert, String sAlternateNames)

...

HTTP [POST]: http://SMPSERVER.example.net/Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&ParentGuid=00000000-0000-0000-0000-000000000000&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&itemType=Report&Url=http://SMPSERVER.example.net/Altiris/Console/tree.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&itemType=Report&&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&Cart_grdCertUsage_CAGrid_Callback=yes
 ip: [::1]; languages: [en-US,en;q=0.9]; content-length: [391];
 timings: [[D] 00:00:00.0273015(R: 00:00:00.0262973, W: 00:00:00.0010042)];
 response: [200 OK]; x-smp-nsversion: [8.6.4286.0];

-----------------------------------------------------------------------------------------------------
Date: 10/23/2023 5:34:29 AM, Tick Count: 2518609 (00:41:58.6090000), Size: 7.66 KB
Process: w3wp (6140), Thread ID: 314, Module: w3wp.exe
Priority: 1, Source: WebApplication

Entry 2:

Failed to process web request.

Exception of type 'System.Web.HttpUnhandledException' was thrown.
   [System.Web.HttpUnhandledException @ System.Web]
   at System.Web.UI.Page.HandleError(Exception e)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at Altiris.NS.UI.Controls.PageCachePage.ProcessRequest(HttpContext context)
   at Altiris.NS.UI.AltirisPage.ProcessRequest(HttpContext context)

Key not valid for use in specified state.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
   at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.LoadMasterCertificate(X509Certificate2 masterCertificate, IntPtr& pAuthorityKeyID, UInt32& issuerKeyType)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.GenerateCertificate()
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, DateTime expiryTime, X509Certificate2 signingCert, String sAlternateNames)
   at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GenerateSmaPortalCertificate()

...

HTTP [POST]: http://SMPSERVER.example.net/Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&ParentGuid=00000000-0000-0000-0000-000000000000&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&itemType=Report&Url=http://SMPSERVER.example.net/Altiris/Console/tree.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&itemType=Report&&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&Cart_grdCertUsage_CAGrid_Callback=yes
 ip: [::1]; languages: [en-US,en;q=0.9]; content-length: [391];
 timings: [[D] 00:00:00.0273015(R: 00:00:00.0262973, W: 00:00:00.0010042)];
 response: [200 OK]; x-smp-nsversion: [8.6.4286.0];

-----------------------------------------------------------------------------------------------------
Date: 10/23/2023 5:34:29 AM, Tick Count: 2518609 (00:41:58.6090000), Size: 7.91 KB
Process: w3wp (6140), Thread ID: 314, Module: Altiris.NS.UI.dll
Priority: 1, Source: Altiris.NS.UI.AltirisPage.ProcessRequest

Entry 3:

Failed to execute certificate command for point: 'SmaProxyCert' (0x0, Empty)

Key not valid for use in specified state.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
   at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.LoadMasterCertificate(X509Certificate2 masterCertificate, IntPtr& pAuthorityKeyID, UInt32& issuerKeyType)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.GenerateCertificate()
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, DateTime expiryTime, X509Certificate2 signingCert, String sAlternateNames)
   at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GenerateSmaPortalCertificate()
   at Altiris.NS.StandardItems.CertificateConfiguration.NsCertConfig.SmaProxyExecute(NsCertConfigPoint me, EConfigCommand cmd, Object arg, Int32& changes)
   at Altiris.NS.StandardItems.CertificateConfiguration.NsCertConfig.NsCertConfigPoint.Execute(EConfigCommand cmd, Object arg, Int32& changes)
   at Altiris.NS.StandardItems.CertificateConfiguration.NsCertConfig.Execute(EConfigCommand cmd, Object arg, EConfigType types)

...

HTTP [POST]: http://SMPSERVER.example.net/Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&ParentGuid=00000000-0000-0000-0000-000000000000&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&itemType=Report&Url=http://SMPSERVER.example.net/Altiris/Console/tree.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&itemType=Report&&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&Cart_grdCertUsage_CAGrid_Callback=yes
 ip: [::1]; languages: [en-US,en;q=0.9]; content-length: [391];
 timings: [[R] 00:00:00.0262973(W: 00:00:00.0010042)];
 response: [200 OK]; x-smp-nsversion: [8.6.4286.0];

-----------------------------------------------------------------------------------------------------
Date: 10/23/2023 5:34:29 AM, Tick Count: 2518609 (00:41:58.6090000), Size: 8.95 KB
Process: w3wp (6140), Thread ID: 314, Module: Altiris.NS.StandardItems.dll
Priority: 1, Source: Altiris.NS.StandardItems.CertificateConfiguration.NsCertConfig.Execute

Entry 4:

Failed to generate certificate

Key not valid for use in specified state.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
   at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.LoadMasterCertificate(X509Certificate2 masterCertificate, IntPtr& pAuthorityKeyID, UInt32& issuerKeyType)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.GenerateCertificate()

...

HTTP [POST]: http://SMPSERVER.example.net/Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&ParentGuid=00000000-0000-0000-0000-000000000000&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&itemType=Report&Url=http://SMPSERVER.example.net/Altiris/Console/tree.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&itemType=Report&&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&Cart_grdCertUsage_CAGrid_Callback=yes
 ip: [::1]; languages: [en-US,en;q=0.9]; content-length: [391];
 timings: [[R] 00:00:00.0262973(W: 00:00:00.0010042)];
 response: [200 OK]; x-smp-nsversion: [8.6.4286.0];

-----------------------------------------------------------------------------------------------------
Date: 10/23/2023 5:34:29 AM, Tick Count: 2518609 (00:41:58.6090000), Size: 9.09 KB
Process: w3wp (6140), Thread ID: 314, Module: Altiris.NS.dll
Priority: 1, Source: Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.GenerateCertificate
File: C:\ProgramData\Symantec\SMP\Logs\a.log


Entry 5:


Failed to process master certificate loading.

Key not valid for use in specified state.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
   at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.LoadMasterCertificate(X509Certificate2 masterCertificate, IntPtr& pAuthorityKeyID, UInt32& issuerKeyType)

...

HTTP [POST]: http://SMPSERVER.example.net/Altiris/NS/Admin/Configuration/CertificateManagementPage.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&ParentGuid=00000000-0000-0000-0000-000000000000&TreeGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&ItemGuid=bff56118-7fb8-418b-b4b4-1a46f22c9d7c&itemType=Report&Url=http://SMPSERVER.example.net/Altiris/Console/tree.aspx?ViewGuid=a57fb0e9-0676-4e00-929a-6bb37dc1f888&itemType=Report&&ConsoleGuid=1b22db4e-a898-443f-9b99-855b1653d3f5&Cart_grdCertUsage_CAGrid_Callback=yes
 ip: [::1]; languages: [en-US,en;q=0.9]; content-length: [391];
 timings: [[R] 00:00:00.0262973(W: 00:00:00.0010042)];
 response: [200 OK]; x-smp-nsversion: [8.6.4286.0];

-----------------------------------------------------------------------------------------------------
Date: 10/23/2023 5:34:29 AM, Tick Count: 2518609 (00:41:58.6090000), Size: 9.19 KB
Process: w3wp (6140), Thread ID: 314, Module: Altiris.NS.dll
Priority: 1, Source: Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.LoadMasterCertificate

Entry 6:


Failed to get certificate details for resource: 168c1b29-4adf-4c0c-85c4-590f42e9dc58, port=443, thumb=XXXXXXXXXX0C6492BEC8029C9D1D7FB49CBA7BE0, cert=XXXXXXXX-bd5f-470b-8d4c-c8a80b4dffd6

The given key was not present in the dictionary.
   [System.Collections.Generic.KeyNotFoundException @ mscorlib]
   at System.ThrowHelper.ThrowKeyNotFoundException()
   at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
   at Altiris.NS.StandardItems.CertificateConfiguration.CertificateConfigurationManager.GetCertificateDescriptionString(Guid guidResource, Int32 port, String thumbprint)
   at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetCertificateDetails(Guid guidResource, Int32 nPort, Guid guidCertificate, String thumbprint)
   at Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetDetails(Guid itemGuid, NameValueCollection nvc)

...

HTTP [GET]: http://SMPSERVER.example.net/Altiris/NS/GetItemDetails.aspx?ItemGuid=4c944c8d-bd5f-470b-8d4c-c8a80b4dffd6&ResourceGuid=168c1b29-4adf-4c0c-85c4-590f42e9dc58&Port=443&Thumbprint=XXXXXXXXXX0C6492BEC8029C9D1D7FB49CBA7BE0&DetailsProvider=XXXXXXXX-078a-47dc-9928-23cb833145d0
 ip: [::1]; languages: [en-US,en;q=0.9];
 timings: [[R] 00:00:00(W: 00:00:00)];
 response: [200 OK]; x-smp-nsversion: [8.6.4286.0];

-----------------------------------------------------------------------------------------------------
Date: 10/23/2023 5:54:15 AM, Tick Count: 3704125 (01:01:44.1250000), Size: 3.20 KB
Process: w3wp (6140), Thread ID: 183, Module: Altiris.NS.StandardItems.dll
Priority: 1, Source: Altiris.NS.StandardItems.CertificateConfiguration.NSCertificateConfigurationItem.GetDetails

 

Environment

ITMS 8.x

Cause

The previous Server CA, Agent CA, and SMP Server certificates were not exported properly from the previous SMP Server.

During installation of the SMP, a Server CA certificate and an Agent CA certificate are created. You can see them by loading the Microsoft Management Console with the certificate snap-in and looking in the trusted root certificate folder. The name has the form "SMP-<FQDN of your server> Agent CA" (or "Server CA"). Example: SMP-Symantec01.example.com Agent CA. The Microsoft Management Console was used to export this file for backup. When the certificate was restored, it was imported with the Microsoft Management Console and the certificate snap-in. The default import marks the key as not exportable. If you import the key without marking it as exportable, you will receive the error when the Certificate Management page tries to load the information from these certificates.

Resolution

Re-import the Agent CA certificate with the Microsoft Management Console certificate snap-in, and make sure to flag the key as exportable: "Mark this key as exportable".

  1. While exporting the original certificates from the previous SMP Server, make sure the following settings are used:




  2. While importing the certificates, make sure to use "Mark this key as exportable":
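
The same check and import can be done from PowerShell; the script below is an added example, not part of the vendor article. It probes each SMP CA certificate with the same `Export` call that fails in the stack traces above, and re-imports a PFX with the key marked exportable. The subject filter, the function names and the PFX path are assumptions.

```powershell
# Added example (not from the vendor article). Run in an elevated PowerShell session.
$Store      = 'Cert:\LocalMachine\Root'  # trusted root store, where the article says the CA certs live
$NameFilter = '*SMP-*CA*'                # assumption: matches "SMP-<FQDN> Agent CA" / "Server CA"

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return 'NoPrivateKey' }
    try {
        # Same call path as the log: X509Certificate.Export -> ExportHelper.
        # The PFX bytes stay in memory and are discarded; the password is a throwaway.
        $null = $Certificate.Export(
            [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
        return 'Exportable'
    } catch {
        # A non-exportable key surfaces as "Key not valid for use in specified state."
        return 'NotExportable: ' + $_.Exception.GetBaseException().Message
    }
}

function Get-SmpCaKeyStatus {
    Get-ChildItem -Path $Store |
        Where-Object { $_.Subject -like $NameFilter } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                KeyStatus  = Test-PrivateKeyExportable -Certificate $_
            }
        }
}

function Import-SmpCaPfx {
    param([Parameter(Mandatory)][string]$PfxPath)   # PFX exported from the previous SMP Server
    $password = Read-Host -AsSecureString -Prompt 'PFX password'
    # -Exportable is the cmdlet equivalent of the wizard's "Mark this key as exportable".
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $Store `
        -Password $password -Exportable
}

# 1. Audit: a row with KeyStatus 'NotExportable: ...' reproduces the failure in the logs.
Get-SmpCaKeyStatus | Format-Table -AutoSize -Wrap

# 2. Fix (operator-run; the path is a placeholder):
# Import-SmpCaPfx -PfxPath 'C:\Temp\smp-agent-ca.pfx'
```

An exportable CA private key can be copied by any local administrator, so keep the PFX backup password-protected and remove it from the server once the audit shows `Exportable`.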