SAML - Keyset does not exist on Certificate Manager cert
yannis, New Member (8 reputation)

Group: Awaiting Activation
Posts: 5, Visits: 13
Hi all,

We have been using component space in production for a long time. Great software!

We are now at a point where our certificate in production is going to expire soon and we need to replace it with a new one. That certificate is used by a componentspace configuration as follows.

What we did is that we imported the new certificate. At first we got an error that the "*.domain.com certificate already exists" or something. We removed the old certificate and then we got a "Keyset does not exist".

We weren't able to figure it out so we removed the new certificate and imported back the old one which fixed the problem for now but we still need to sort it out as the certificate will expire soon. Any ideas?

{
  "LocalServiceProviderConfiguration": {
    "Name": "someid",
    "Description": "Service1",
    "AssertionConsumerServiceUrl": "https://subdomain.domain.com/login/saml",
    "SingleLogoutServiceUrl": "https://subdomain.domain.com/logout/saml",
    "LocalCertificates": [{
      "SubjectName": "*.domain.com"
    }]
  },
  "PartnerIdentityProviderConfigurations": [{
    "Name": "https://external.com",
    "Description": "DESC",
    "SignAuthnRequest": true,
    "SignLogoutRequest": true,
    "SignLogoutResponse": true,
    "DisableInResponseToCheck": true,
    "SingleSignOnServiceUrl": "https://external.com",
    "SingleLogoutServiceUrl": "https://external.com",
    "PartnerCertificates": [{
      "FileName": "bootstrapping/subsystems/saml/certificates/CERT.cer"
    }]
  }]
}


ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Does the new certificate include a private key?

Have you set the permissions correctly for the private key?



Regards
ComponentSpace Development
yannis, New Member (8 reputation)

Group: Awaiting Activation
Posts: 5, Visits: 13
ComponentSpace - 3/12/2021
Does the new certificate include a private key?

Have you set the permissions correctly for the private key?


Hey - Thanks for your quick response!

There is a private key on the cert. How do we set the permissions correctly since it's just an import on Certificate Manager?

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
You can set the permissions using the Certificates MMC snap-in. As an experiment, I suggest giving the "Everyone" group read permission. If that works, limit the permissions to only the account or group that your app runs under.

I've copied the following from the Certificate Guide.

https://www.componentspace.com/Forums/8238/Certificate-Guide

Private Key Permissions
Private keys are protected by permissions. To use the private key, a process must have read permission.
To set permissions, select the certificate and, from the main menu, select Action > All Tasks > Manage Private Keys.
A dialog showing the current permissions is displayed.
For applications hosted in IIS, it's recommended that the IIS_IUSRS group be given read permission.
If the application is running under an application pool whose account is not in this group, the permissions will have to be set explicitly for this account. The user or group to permit is dependent on the version of IIS and its configuration.


Regards
ComponentSpace Development
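The same check done from PowerShell, as an added example that is not from this thread or from ComponentSpace: it finds the certificate the configuration selects by SubjectName, reports whether it actually carries a private key, locates the key file on disk and checks (optionally grants) Read for the IIS account. Assumptions: the certificate is in LocalMachine\My, the key is RSA, and the worker identity is IIS_IUSRS; change -Account if the app pool runs under another account, and run the script elevated.

```powershell
# Added example (not from the thread or ComponentSpace). Assumes LocalMachine\My,
# an RSA key and the IIS_IUSRS group; use -Grant to add Read to the key file.
param(
    [string]$SubjectName = "*.domain.com",   # value from the thread's config
    [string]$Account     = "IIS_IUSRS",      # assumption: default IIS group
    [switch]$Grant
)

$pattern = [regex]::Escape("CN=$SubjectName")
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern })
if ($certs.Count -eq 0) { throw "No certificate with subject '$SubjectName' in LocalMachine\My" }
if ($certs.Count -gt 1) {
    # Old and new cert with the same subject make selection by SubjectName ambiguous.
    Write-Warning "Multiple certificates match '$SubjectName':"
    $certs | ForEach-Object { Write-Warning ("  {0}  expires {1}" -f $_.Thumbprint, $_.NotAfter) }
}

foreach ($cert in $certs) {
    Write-Host "Certificate $($cert.Thumbprint) (expires $($cert.NotAfter))"
    if (-not $cert.HasPrivateKey) {
        # A .cer import carries the public key only; signing cannot work without the .pfx.
        Write-Host "  No private key: import the .pfx (with its key), not the .cer"
        continue
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
            else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
    # CAPI keys live under RSA\MachineKeys, CNG keys under Keys; look in both.
    $keyFile = @("Microsoft\Crypto\RSA\MachineKeys\$name", "Microsoft\Crypto\Keys\$name") |
        ForEach-Object { Join-Path $env:ProgramData $_ } | Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $keyFile) { Write-Host "  Key file '$name' not found (user-profile key or missing keyset)"; continue }

    $acl = Get-Acl $keyFile
    $canRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -like "*$Account" -and $_.AccessControlType -eq "Allow" -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
    }
    if ($canRead) { Write-Host "  $Account already has Read on $keyFile"; continue }
    Write-Host "  $Account has NO Read on $keyFile"
    if ($Grant) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, "Read", "Allow")
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        Write-Host "  Granted Read to $Account"
    }
}
```

Running it once for the old certificate and once for the new one shows directly which of the two conditions in the reply above (missing key, or missing Read permission for the worker account) differs between them.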
yannis, New Member (8 reputation)

Group: Awaiting Activation
Posts: 5, Visits: 13
ComponentSpace - 3/12/2021
You can set the permissions using the Certificates MMC snap-in. As an experiment, I suggest giving the "Everyone" group read permission. If that works, limit the permissions to only the account or group that your app runs under.

I've copied the following from the Certificate Guide.

https://www.componentspace.com/Forums/8238/Certificate-Guide

Private Key Permissions
Private keys are protected by permissions. To use the private key, a process must have read permission.
To set permissions, select the certificate and, from the main menu, select Action > All Tasks > Manage Private Keys.
A dialog showing the current permissions is displayed.
For applications hosted in IIS, it's recommended that the IIS_IUSRS group be given read permission.
If the application is running under an application pool whose account is not in this group, the permissions will have to be set explicitly for this account. The user or group to permit is dependent on the version of IIS and its configuration.

Thank you so much - Will give it a shot. But how did the old certificate work after re-importing it then?

ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
I'm not sure. I suggest taking a look at the old certificate's private key permissions in the Certificates snap-in for comparison.

Let me know how you go. Thanks.

Regards
ComponentSpace Development