SHA-256 and Converting the Cryptographic Service Provider Type


ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K

Checking the Cryptographic Service Provider
SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider.
SHA-256 and Cryptographic Service Provider Types

This can be checked using Microsoft's CertUtil.exe.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil


certutil -dump idp.pfx
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 74f0ebfe22358db8433138f9558c9af9
Issuer: CN=www.idp.com
NotBefore: 22/11/2013 6:20 PM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=www.idp.com
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): a6 a4 ae 4e 0b 37 8e c7 36 78 e5 81 26 90 af 50 e3 ec 37 69
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.


The above private key specifies the correct provider and so may be used to generate SHA-256, SHA-384 and SHA-512 XML signatures.
If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
NB. The conversion does not modify the public or private key values or any other information apart from the CSP to use.
NB. It's safe to perform this conversion on self-signed as well as certificate authority issued certificate files.
Two options are listed for performing the conversion: CertUtil and OpenSSL. We recommend using CertUtil.

CertUtil
Dump the PFX file noting the certificate's serial number.


certutil.exe -p password -dump test.pfx

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Software Key Storage Provider
Private key is NOT plain text exportable
Encryption test passed
CertUtil: -dump command completed successfully.



Import the PFX file into the Windows certificate store, specifying the cryptographic service provider.


certutil.exe -p password -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX test.pfx

Certificate "test" added to store.
CertUtil: -importPFX command completed successfully.



Export the certificate and private key from the Windows certificate store to a PFX file. The certificate is identified by its serial number.


certutil.exe -p password -exportPFX 3ddc6dbd5f1321bd4655ac8841875bfb new.pfx NoChain,ExtendedProperties

MY "Personal"
================ Certificate 2 ================
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
Key Container = test-21a25909-b8af-4883-a423-33f17871b48d
Unique container name: b067db77931cffe3810d1d2d8bb2062d_9ee80830-26bf-4602-b6a8-a0b873b2c8bb
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.



Dump the PFX file again to confirm the correct cryptographic service provider is now specified.


certutil -p password -dump new.pfx

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.



Delete the certificate from the Windows certificate store as it's no longer required.


certutil.exe -delStore My 3ddc6dbd5f1321bd4655ac8841875bfb

My "Personal"
Deleting Certificate 2: CN=test:fecf3e3a28ca80248ca76c1870cb36130d9b9def
CertUtil: -delstore command completed successfully.



OpenSSL

Specifying the correct CSP may also be done using OpenSSL.
Windows binaries are available for download. Refer to the OpenSSL Wiki.
The latest 64-bit Windows non-light installer at Shining Light Productions OpenSSL Installers is recommended.
The following command outputs information about the private key and certificate including the CSP.

openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
    X509v3 Key Usage: 10

Enter Ctrl+C a couple of times to get back to the command prompt.
 
The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.
The PFX can be recreated specifying the required CSP.
Firstly, it must be converted from PKCS12 to PEM format.

set RANDFILE=.\openssl.rnd

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.



Regards
ComponentSpace Development
mmasood, New Member (39 reputation)

Group: Awaiting Activation
Posts: 31, Visits: 73
ComponentSpace - Saturday, July 18, 2015

SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider.
SHA-256 and Cryptographic Service Provider Types
If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
One method to perform this conversion is to use OpenSSL.
Windows binaries are available for download. Refer to the OpenSSL Wiki.
The following command outputs information about the private key and certificate including the CSP.


openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
    X509v3 Key Usage: 10
 
The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.
The PFX can be recreated specifying the required CSP.
Firstly, it must be converted from PKCS12 to PEM format.

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.



Hi,

It is asking for PEM pass phrase. What should be the value?

Thanks,
Muhammad Masood
mmasood, New Member (39 reputation)

Group: Awaiting Activation
Posts: 31, Visits: 73
ComponentSpace - Saturday, July 18, 2015

SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider.
SHA-256 and Cryptographic Service Provider Types
If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
One method to perform this conversion is to use OpenSSL.
Windows binaries are available for download. Refer to the OpenSSL Wiki.
The following command outputs information about the private key and certificate including the CSP.


openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
    X509v3 Key Usage: 10
 
The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.
The PFX can be recreated specifying the required CSP.
Firstly, it must be converted from PKCS12 to PEM format.

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.



Hi,

I followed the steps, but at the last step, where it generates the .pfx from the .pem, I am getting an error like the one shown in the image below:


I did exactly the same steps for my real .pfx file and getting the same error "unable to write random state".

Thanks,
Muhammad Masood
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
This is a file permission error.
You should find that the new PFX has been created and the error message may be ignored.
However, to avoid the warning you may either:
For the command prompt, select "Run as an administrator".
or
Set RANDFILE to a file path for which you have file permission (eg set RANDFILE=.\openssl.rnd) and then run the commands.

Regards
ComponentSpace Development
dokumenta, New Member (11 reputation)

Group: Forum Members
Posts: 10, Visits: 29
Hello, 

I have pem file privkey.pem. Content of file is:

-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----

I run cmd as Administrator.

When I run this cmd:

openssl pkcs12 -export -in privkey.pem -out new.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

I get error:

unable to load certificates


ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
If you run the following, does it dump out the certificate etc or display an error?

openssl x509 -in privkey.pem -text -noout

If an error is displayed then the file isn't the correct format.
Does the file include the private key?
The format should be something like the following.

-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

There may be bag attributes and key attributes also.

Regards
ComponentSpace Development
dokumenta, New Member (11 reputation)

Group: Forum Members
Posts: 10, Visits: 29
ComponentSpace - Wednesday, August 31, 2016
If you run the following, does it dump out the certificate etc or display an error?

openssl x509 -in privkey.pem -text -noout

If an error is displayed then the file isn't the correct format.
Does the file include the private key?
The format should be something like the following.

-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

There may be bag attributes and key attributes also.

When I run openssl x509 -in privkey.pem -text -noout I get error:

unable to load certificate
7796:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE


So I tried this. I have also *.pfx file so first I run this cmd:

openssl pkcs12 -in cert.pfx -out privkey.pem

Then ran openssl x509 -in privkey.pem -text -noout.

Output was:

Certificate:
  Data:
   Version: 3 (0x2)
   Serial Number:
    d1:fe:48:49:d0:6d:c3:e5
  Signature Algorithm: sha512WithRSAEncryption
   Issuer: CN=XXX
   Validity
    Not Before: Jun 22 07:51:41 2016 GMT
    Not After : Jun 22 07:51:41 2018 GMT
   Subject: CN=XXX
   Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
      Public-Key: (2048 bit)
      Modulus:
      Exponent: 65537 (0x10001)
   X509v3 extensions:
    X509v3 Subject Key Identifier:
      E1:5A:D8:30:CC:C3:A6:65:6C:48:CC:DB:BF:A9:B9:44:77:3E:C5:DC
    X509v3 Authority Key Identifier:
      keyid:E1:5A:D8:30:CC:C3:A6:65:6C:48:CC:DB:BF:A9:B9:44:77:3E:C5:DC

    X509v3 Basic Constraints:
      CA:TRUE
  Signature Algorithm: sha512WithRSAEncryption

Finally I ran this cmd:

openssl pkcs12 -export -in privkey.pem -out new.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Finished with error:

unable to load private key
5024:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: ANY PRIVATE KEY

I am now confused because we use this cert.pfx in our system and we don't have any problem.

Maybe I can send you test certificates and you can try it because I have no clue what is bad.
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
If it's a test certificate, you're welcome to zip up the PFX file and send it along with the PFX file password to our support email address.
I'll try running the openssl commands and will let you know.

Regards
ComponentSpace Development
dokumenta, New Member (11 reputation)

Group: Forum Members
Posts: 10, Visits: 29
ComponentSpace - Wednesday, August 31, 2016
If it's a test certificate, you're welcome to zip up the PFX file and send it along with the PFX file password to our support email address.
I'll try running the openssl commands and will let you know.

I sent an email.
ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks. I get the same issue as you. I suspect there's something different about the format of these files.
I'll take a closer look at this as soon as I can.
However, you might be better to generate a new PFX file using makecert as described in our Developer Guide PDF.

Regards
ComponentSpace Development