EFS does not accept a different encryption certificate

A

A.J. Breimer

Hi,

I have created a private certificate on my Vista installation (build 5384),
the certificate is suitable for EFS use.

When trying to use this certificate in EFS (via Make changes to your user
account,
the certificate can be selected, but when clicking OK, the system reports
that the "The keyset is not defined" and the certificate is not becoming
selected.

There is no entry in the event log for this failure.

Has someone a clue how this can be repaired?
 
G

Guest

Hi,

Don't shoot me for saying this, but is there a Certificates Management
feature like in previous versions (in mmc, if that exists)? Have you tried
importing the certificate into there and seeing if it is selectable then?
 
A

A.J. Breimer

Robin,

I created the certificate via the (Vista) mmc certificate snap-in. This
allows you to created an off-line request file which you send to a
Certificate Authority. After having this Authority signing the request, the
certificate is installed (in Vista).

Now you can select the certificate via Make changes to your user account,
(this works) but after clicking OK, the message "The keyset is not defined"
pops-up.

I have not figured out yet how to debug this situation.
 
G

Guest

The error indicates that your certificate is not associated with its private
key. It could be that it was not installed correctly. Try this: open a
command prompt to the directory where you have the certificate file that was
sent to you by the CA. Run this command: "certreq -accept <CertFile>" That
will install the certificate and associate it with the private key that's on
your system. Then run the EFS wizard again and select the certificate.
Hopefully, there will be no error this time. Let us know.

Thanks.
Pat
 
A

A.J. Breimer

Pat,

The command probably should be certreq -accept -user <CertFile>. This gives
however an error: Cannot find object or property. 0x80092004 (-2146885628)

I can use the certificate for signing email (it has extensions for email,
efs and client authentication)

Thanks, Bob Breimer
 
G

Guest

Since certreq is also failing, we suspect this may be a CSP issue. Can you
run "certutil -v -user -store my" at command prompt and in the output locate
the Provider name for your certificate. (You may also be able to identify
the provider by opening the certificate in certmgr and looking in the
details.) Then run regedit and check if that provider name is listed under
HKLM\Software\Microsoft\Cryptography\Defaults\Provider\.

Thanks.
Pat
 
A

A.J. Breimer

Pat, The output from certutil -v -user -store my is (for the certificate at
hand):

my
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: 610208c9000000000010
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=Breimer Email Certficate Authority

NotBefore: 18-7-2006 11:57
NotAfter: 18-7-2016 12:07

Subject:
[email protected]
CN=A.J. Breimer
O=Breimer
L=Eindhoven
S=Noord Brabant
C=NL

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 b0 bb 27 01 ed 58 db e6 d6
0010 c7 1d 59 f6 a1 f3 c6 2c 60 80 01 0a eb 7d 5c c8
0020 28 00 a8 13 4e af 5f db 1c 6e 63 a8 10 8f 66 03
0030 b2 3c 00 6b 25 24 0b 6b 43 38 8a c7 83 a7 a9 af
0040 3e e9 8f b1 1f a9 b2 12 e6 33 e8 7e 51 42 d7 e5
0050 87 6b 3c ee 45 04 c0 69 b9 c9 55 d9 19 51 df 87
0060 81 65 5b 86 8c a9 61 99 02 80 64 55 06 29 29 fa
0070 05 6c b5 7d d4 19 ae fd 6f f9 2c 43 db 17 b0 d7
0080 1f 86 b6 7e dc 3d cd 02 03 01 00 01
Certificate Extensions: 5
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Non-Repudiation, Key Encipherment, Data
Encipherment (f0)

2.5.29.37: Flags = 1(Critical), Length = 22
Enhanced Key Usage
Client Authentication (1.3.6.1.5.5.7.3.2)
Secure Email (1.3.6.1.5.5.7.3.4)
Encrypting File System (1.3.6.1.4.1.311.10.3.4)

1.3.6.1.4.1.311.21.10: Flags = 1(Critical), Length = 28
Application Policies
[1]Application Certificate Policy:
Policy Identifier=Client Authentication
[2]Application Certificate Policy:
Policy Identifier=Secure Email
[3]Application Certificate Policy:
Policy Identifier=Encrypting File System

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9 60 5e

2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=82 7a e9 93 10 7e fb 81 53 32 cd ea 24 e8 cc df 23 54 c8 e4

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 ac f3 c3 bd a1 ff 0a 67 92 6a 78 9e 0f 23 12 73
0010 40 90 e5 9b b9 45 e9 50 ac c7 20 54 dd 44 00 f0
0020 7a 1b e1 44 e5 3e cc 82 0f 42 6d 7b 24 ce 9f a0
0030 fe 51 fe 73 49 07 fd c1 82 8b 7c df 3b 0c 34 a9
0040 91 32 f7 f2 64 68 bc 5c eb 5f 54 b2 9c 8b 84 f2
0050 06 2e ec 6c 80 83 1e bf a6 ca aa 33 d2 16 55 89
0060 42 d8 d4 56 58 de d1 15 12 7b 7b 60 fd 01 ed e2
0070 d7 31 29 3f 46 30 36 3c fd 48 cf ca 01 a7 14 c8
0080 d0 f2 44 10 83 77 6f e5 2a 38 4c 83 81 02 c6 f4
0090 d2 82 e0 dd 7a df ee 23 b6 99 0c 91 0a 13 dc f3
00a0 7a e3 ad f2 ce 41 aa 36 94 2b 47 8c cf b7 83 3a
00b0 08 22 b1 35 f3 de eb f0 61 6c b3 f9 9c a5 20 1b
00c0 e9 4e 60 5a d0 31 e8 0e 35 1a 09 01 ff 5d 59 90
00d0 dc 92 9d fc eb b5 f2 5e 40 4b b5 a7 3f 68 a4 b1
00e0 eb ba ca 38 89 ff c3 ab 67 ce 0c 00 64 98 92 36
00f0 95 6a cf 26 c4 4b 47 ec 57 f3 b8 0d 99 71 e7 ae
Non-root Certificate
Key Id Hash(rfc-sha1): 04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9
60 5e
Key Id Hash(sha1): ff 11 a5 09 07 b1 8c 49 a9 44 28 1b 83 4d 43 96 02 ec 81
86
Cert Hash(md5): 10 b2 1b a7 72 88 f5 9c 20 43 4f 06 d0 51 59 64
Cert Hash(sha1): d9 8c 73 72 df 33 e5 38 26 2f 0c c8 b9 a0 5a 49 ff 2f 15 65

CERT_REQUEST_ORIGINATOR_PROP_ID(71):
breimer-vista

CERT_FRIENDLY_NAME_PROP_ID(11):
Breimer7

CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container =
27ca77229b71bc020fb2c2f6e94b75c0_28de8de6-ff92-4f3c-8bb8-f650458d1e5d
Simple container name: le-d0cb2b2c-814c-4233-a1d6-728532094ead
Provider = Microsoft Strong Cryptographic Provider
ProviderType = 1
Flags = 0
KeySpec = 2 -- AT_SIGNATURE

CERT_SHA1_HASH_PROP_ID(3):
d9 8c 73 72 df 33 e5 38 26 2f 0c c8 b9 a0 5a 49 ff 2f 15 65

CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID(24):
28 79 12 74 ef 0b 3d b2 1a 5e c1 78 26 02 42 07

CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
74 75 c0 ff ba 7b 2f e8 59 52 d0 40 ab 61 91 77

CERT_KEY_IDENTIFIER_PROP_ID(20):
04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9 60 5e

CERT_SIGNATURE_HASH_PROP_ID(15):
d1 10 59 3e 8a 9a 87 96 39 47 71 01 14 b1 fb a8 10 d7 b5 7e

CERT_MD5_HASH_PROP_ID(4):
10 b2 1b a7 72 88 f5 9c 20 43 4f 06 d0 51 59 64
Simple container name: le-d0cb2b2c-814c-4233-a1d6-728532094ead
Unique container name:
27ca77229b71bc020fb2c2f6e94b75c0_28de8de6-ff92-4f3c-8bb8-f650458d1e5d
Private key is NOT exportable
Signature test passed

================ Certificate 1 ================

The provider is listed under
HKLM\Software\Microsoft\Cryptography\Defaults\Provider\
 
G

Guest

Thank you for the certutil output, Bob. That is exactly what we needed.

The issue is that the KeySpec for your certificate is AT_SIGNATURE. That is
why it worked for signing but not for EFS. Encryption applications, such as
EFS, require the AT_EXCHANGE KeySpec. You can specify that by selecting the
"Exchange" key type in the custom request for certificate enrollment. EFS
also looks for "Encrypting File System" EKU and "Key Encipherment" KU--both
of which your certificate has. The wizard displayed the certificate because
the EKU and KU were correct; but the incorrect KeySpec prevented it from
being selected.

We appreciate your posting and welcome any feedback you have for improving
the wizard experience via http://connect.microsoft.com.

Thanks very much.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no rights.


A.J. Breimer said:
Pat, The output from certutil -v -user -store my is (for the certificate at
hand):

my
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: 610208c9000000000010
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=Breimer Email Certficate Authority

NotBefore: 18-7-2006 11:57
NotAfter: 18-7-2016 12:07

Subject:
[email protected]
CN=A.J. Breimer
O=Breimer
L=Eindhoven
S=Noord Brabant
C=NL

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 b0 bb 27 01 ed 58 db e6 d6
0010 c7 1d 59 f6 a1 f3 c6 2c 60 80 01 0a eb 7d 5c c8
0020 28 00 a8 13 4e af 5f db 1c 6e 63 a8 10 8f 66 03
0030 b2 3c 00 6b 25 24 0b 6b 43 38 8a c7 83 a7 a9 af
0040 3e e9 8f b1 1f a9 b2 12 e6 33 e8 7e 51 42 d7 e5
0050 87 6b 3c ee 45 04 c0 69 b9 c9 55 d9 19 51 df 87
0060 81 65 5b 86 8c a9 61 99 02 80 64 55 06 29 29 fa
0070 05 6c b5 7d d4 19 ae fd 6f f9 2c 43 db 17 b0 d7
0080 1f 86 b6 7e dc 3d cd 02 03 01 00 01
Certificate Extensions: 5
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Non-Repudiation, Key Encipherment, Data
Encipherment (f0)

2.5.29.37: Flags = 1(Critical), Length = 22
Enhanced Key Usage
Client Authentication (1.3.6.1.5.5.7.3.2)
Secure Email (1.3.6.1.5.5.7.3.4)
Encrypting File System (1.3.6.1.4.1.311.10.3.4)

1.3.6.1.4.1.311.21.10: Flags = 1(Critical), Length = 28
Application Policies
[1]Application Certificate Policy:
Policy Identifier=Client Authentication
[2]Application Certificate Policy:
Policy Identifier=Secure Email
[3]Application Certificate Policy:
Policy Identifier=Encrypting File System

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9 60 5e

2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=82 7a e9 93 10 7e fb 81 53 32 cd ea 24 e8 cc df 23 54 c8 e4

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 ac f3 c3 bd a1 ff 0a 67 92 6a 78 9e 0f 23 12 73
0010 40 90 e5 9b b9 45 e9 50 ac c7 20 54 dd 44 00 f0
0020 7a 1b e1 44 e5 3e cc 82 0f 42 6d 7b 24 ce 9f a0
0030 fe 51 fe 73 49 07 fd c1 82 8b 7c df 3b 0c 34 a9
0040 91 32 f7 f2 64 68 bc 5c eb 5f 54 b2 9c 8b 84 f2
0050 06 2e ec 6c 80 83 1e bf a6 ca aa 33 d2 16 55 89
0060 42 d8 d4 56 58 de d1 15 12 7b 7b 60 fd 01 ed e2
0070 d7 31 29 3f 46 30 36 3c fd 48 cf ca 01 a7 14 c8
0080 d0 f2 44 10 83 77 6f e5 2a 38 4c 83 81 02 c6 f4
0090 d2 82 e0 dd 7a df ee 23 b6 99 0c 91 0a 13 dc f3
00a0 7a e3 ad f2 ce 41 aa 36 94 2b 47 8c cf b7 83 3a
00b0 08 22 b1 35 f3 de eb f0 61 6c b3 f9 9c a5 20 1b
00c0 e9 4e 60 5a d0 31 e8 0e 35 1a 09 01 ff 5d 59 90
00d0 dc 92 9d fc eb b5 f2 5e 40 4b b5 a7 3f 68 a4 b1
00e0 eb ba ca 38 89 ff c3 ab 67 ce 0c 00 64 98 92 36
00f0 95 6a cf 26 c4 4b 47 ec 57 f3 b8 0d 99 71 e7 ae
Non-root Certificate
Key Id Hash(rfc-sha1): 04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9
60 5e
Key Id Hash(sha1): ff 11 a5 09 07 b1 8c 49 a9 44 28 1b 83 4d 43 96 02 ec 81
86
Cert Hash(md5): 10 b2 1b a7 72 88 f5 9c 20 43 4f 06 d0 51 59 64
Cert Hash(sha1): d9 8c 73 72 df 33 e5 38 26 2f 0c c8 b9 a0 5a 49 ff 2f 15 65

CERT_REQUEST_ORIGINATOR_PROP_ID(71):
breimer-vista

CERT_FRIENDLY_NAME_PROP_ID(11):
Breimer7

CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container =
27ca77229b71bc020fb2c2f6e94b75c0_28de8de6-ff92-4f3c-8bb8-f650458d1e5d
Simple container name: le-d0cb2b2c-814c-4233-a1d6-728532094ead
Provider = Microsoft Strong Cryptographic Provider
ProviderType = 1
Flags = 0
KeySpec = 2 -- AT_SIGNATURE

CERT_SHA1_HASH_PROP_ID(3):
d9 8c 73 72 df 33 e5 38 26 2f 0c c8 b9 a0 5a 49 ff 2f 15 65

CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID(24):
28 79 12 74 ef 0b 3d b2 1a 5e c1 78 26 02 42 07

CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
74 75 c0 ff ba 7b 2f e8 59 52 d0 40 ab 61 91 77

CERT_KEY_IDENTIFIER_PROP_ID(20):
04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9 60 5e

CERT_SIGNATURE_HASH_PROP_ID(15):
d1 10 59 3e 8a 9a 87 96 39 47 71 01 14 b1 fb a8 10 d7 b5 7e

CERT_MD5_HASH_PROP_ID(4):
10 b2 1b a7 72 88 f5 9c 20 43 4f 06 d0 51 59 64
Simple container name: le-d0cb2b2c-814c-4233-a1d6-728532094ead
Unique container name:
27ca77229b71bc020fb2c2f6e94b75c0_28de8de6-ff92-4f3c-8bb8-f650458d1e5d
Private key is NOT exportable
Signature test passed

================ Certificate 1 ================

The provider is listed under
HKLM\Software\Microsoft\Cryptography\Defaults\Provider\

Pat Hoffer said:
Since certreq is also failing, we suspect this may be a CSP issue. Can
you
run "certutil -v -user -store my" at command prompt and in the output
locate
the Provider name for your certificate. (You may also be able to identify
the provider by opening the certificate in certmgr and looking in the
details.) Then run regedit and check if that provider name is listed
under
HKLM\Software\Microsoft\Cryptography\Defaults\Provider\.

Thanks.
Pat
 
A

A.J. Breimer

Pat,

Thank you. Setting the private key property AT_EXCHANGE makes it work.

The certificate remains usable for email signing and encryption. In
principle, for signing the private key property should be AT_SIGNATURE. So
one would expect that the for the private key property "Both"could be
specified.

Regards, Bob Breimer

Pat Hoffer said:
Thank you for the certutil output, Bob. That is exactly what we needed.

The issue is that the KeySpec for your certificate is AT_SIGNATURE. That
is
why it worked for signing but not for EFS. Encryption applications, such
as
EFS, require the AT_EXCHANGE KeySpec. You can specify that by selecting
the
"Exchange" key type in the custom request for certificate enrollment. EFS
also looks for "Encrypting File System" EKU and "Key Encipherment"
KU--both
of which your certificate has. The wizard displayed the certificate
because
the EKU and KU were correct; but the incorrect KeySpec prevented it from
being selected.

We appreciate your posting and welcome any feedback you have for improving
the wizard experience via http://connect.microsoft.com.

Thanks very much.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no
rights.


A.J. Breimer said:
Pat, The output from certutil -v -user -store my is (for the certificate
at
hand):

my
================ Certificate 0 ================
X509 Certificate:
Version: 3
Serial Number: 610208c9000000000010
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=Breimer Email Certficate Authority

NotBefore: 18-7-2006 11:57
NotAfter: 18-7-2016 12:07

Subject:
[email protected]
CN=A.J. Breimer
O=Breimer
L=Eindhoven
S=Noord Brabant
C=NL

Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA (RSA_SIGN)
Algorithm Parameters:
05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
0000 30 81 89 02 81 81 00 b0 bb 27 01 ed 58 db e6 d6
0010 c7 1d 59 f6 a1 f3 c6 2c 60 80 01 0a eb 7d 5c c8
0020 28 00 a8 13 4e af 5f db 1c 6e 63 a8 10 8f 66 03
0030 b2 3c 00 6b 25 24 0b 6b 43 38 8a c7 83 a7 a9 af
0040 3e e9 8f b1 1f a9 b2 12 e6 33 e8 7e 51 42 d7 e5
0050 87 6b 3c ee 45 04 c0 69 b9 c9 55 d9 19 51 df 87
0060 81 65 5b 86 8c a9 61 99 02 80 64 55 06 29 29 fa
0070 05 6c b5 7d d4 19 ae fd 6f f9 2c 43 db 17 b0 d7
0080 1f 86 b6 7e dc 3d cd 02 03 01 00 01
Certificate Extensions: 5
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Non-Repudiation, Key Encipherment, Data
Encipherment (f0)

2.5.29.37: Flags = 1(Critical), Length = 22
Enhanced Key Usage
Client Authentication (1.3.6.1.5.5.7.3.2)
Secure Email (1.3.6.1.5.5.7.3.4)
Encrypting File System (1.3.6.1.4.1.311.10.3.4)

1.3.6.1.4.1.311.21.10: Flags = 1(Critical), Length = 28
Application Policies
[1]Application Certificate Policy:
Policy Identifier=Client Authentication
[2]Application Certificate Policy:
Policy Identifier=Secure Email
[3]Application Certificate Policy:
Policy Identifier=Encrypting File System

2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9 60 5e

2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=82 7a e9 93 10 7e fb 81 53 32 cd ea 24 e8 cc df 23 54 c8 e4

Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 ac f3 c3 bd a1 ff 0a 67 92 6a 78 9e 0f 23 12 73
0010 40 90 e5 9b b9 45 e9 50 ac c7 20 54 dd 44 00 f0
0020 7a 1b e1 44 e5 3e cc 82 0f 42 6d 7b 24 ce 9f a0
0030 fe 51 fe 73 49 07 fd c1 82 8b 7c df 3b 0c 34 a9
0040 91 32 f7 f2 64 68 bc 5c eb 5f 54 b2 9c 8b 84 f2
0050 06 2e ec 6c 80 83 1e bf a6 ca aa 33 d2 16 55 89
0060 42 d8 d4 56 58 de d1 15 12 7b 7b 60 fd 01 ed e2
0070 d7 31 29 3f 46 30 36 3c fd 48 cf ca 01 a7 14 c8
0080 d0 f2 44 10 83 77 6f e5 2a 38 4c 83 81 02 c6 f4
0090 d2 82 e0 dd 7a df ee 23 b6 99 0c 91 0a 13 dc f3
00a0 7a e3 ad f2 ce 41 aa 36 94 2b 47 8c cf b7 83 3a
00b0 08 22 b1 35 f3 de eb f0 61 6c b3 f9 9c a5 20 1b
00c0 e9 4e 60 5a d0 31 e8 0e 35 1a 09 01 ff 5d 59 90
00d0 dc 92 9d fc eb b5 f2 5e 40 4b b5 a7 3f 68 a4 b1
00e0 eb ba ca 38 89 ff c3 ab 67 ce 0c 00 64 98 92 36
00f0 95 6a cf 26 c4 4b 47 ec 57 f3 b8 0d 99 71 e7 ae
Non-root Certificate
Key Id Hash(rfc-sha1): 04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91
d9
60 5e
Key Id Hash(sha1): ff 11 a5 09 07 b1 8c 49 a9 44 28 1b 83 4d 43 96 02 ec
81
86
Cert Hash(md5): 10 b2 1b a7 72 88 f5 9c 20 43 4f 06 d0 51 59 64
Cert Hash(sha1): d9 8c 73 72 df 33 e5 38 26 2f 0c c8 b9 a0 5a 49 ff 2f 15
65

CERT_REQUEST_ORIGINATOR_PROP_ID(71):
breimer-vista

CERT_FRIENDLY_NAME_PROP_ID(11):
Breimer7

CERT_KEY_PROV_INFO_PROP_ID(2):
Key Container =
27ca77229b71bc020fb2c2f6e94b75c0_28de8de6-ff92-4f3c-8bb8-f650458d1e5d
Simple container name: le-d0cb2b2c-814c-4233-a1d6-728532094ead
Provider = Microsoft Strong Cryptographic Provider
ProviderType = 1
Flags = 0
KeySpec = 2 -- AT_SIGNATURE

CERT_SHA1_HASH_PROP_ID(3):
d9 8c 73 72 df 33 e5 38 26 2f 0c c8 b9 a0 5a 49 ff 2f 15 65

CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID(24):
28 79 12 74 ef 0b 3d b2 1a 5e c1 78 26 02 42 07

CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
74 75 c0 ff ba 7b 2f e8 59 52 d0 40 ab 61 91 77

CERT_KEY_IDENTIFIER_PROP_ID(20):
04 b1 c8 3d 0e e5 17 18 26 89 d3 69 2c 08 3c d8 91 d9 60 5e

CERT_SIGNATURE_HASH_PROP_ID(15):
d1 10 59 3e 8a 9a 87 96 39 47 71 01 14 b1 fb a8 10 d7 b5 7e

CERT_MD5_HASH_PROP_ID(4):
10 b2 1b a7 72 88 f5 9c 20 43 4f 06 d0 51 59 64
Simple container name: le-d0cb2b2c-814c-4233-a1d6-728532094ead
Unique container name:
27ca77229b71bc020fb2c2f6e94b75c0_28de8de6-ff92-4f3c-8bb8-f650458d1e5d
Private key is NOT exportable
Signature test passed

================ Certificate 1 ================

The provider is listed under
HKLM\Software\Microsoft\Cryptography\Defaults\Provider\

Pat Hoffer said:
Since certreq is also failing, we suspect this may be a CSP issue. Can
you
run "certutil -v -user -store my" at command prompt and in the output
locate
the Provider name for your certificate. (You may also be able to
identify
the provider by opening the certificate in certmgr and looking in the
details.) Then run regedit and check if that provider name is listed
under
HKLM\Software\Microsoft\Cryptography\Defaults\Provider\.

Thanks.
Pat

:

Pat,

The command probably should be certreq -accept -user <CertFile>. This
gives
however an error: Cannot find object or property. 0x80092004
(-2146885628)

I can use the certificate for signing email (it has extensions for
email,
efs and client authentication)

Thanks, Bob Breimer

The error indicates that your certificate is not associated with its
private
key. It could be that it was not installed correctly. Try this:
open
a
command prompt to the directory where you have the certificate file
that
was
sent to you by the CA. Run this command: "certreq -accept
<CertFile>"
That
will install the certificate and associate it with the private key
that's
on
your system. Then run the EFS wizard again and select the
certificate.
Hopefully, there will be no error this time. Let us know.

Thanks.
Pat
--
This posting is provided "AS IS" with no warranties, and confers no
rights.


:

Robin,

I created the certificate via the (Vista) mmc certificate snap-in.
This
allows you to created an off-line request file which you send to a
Certificate Authority. After having this Authority signing the
request,
the
certificate is installed (in Vista).

Now you can select the certificate via Make changes to your user
account,
(this works) but after clicking OK, the message "The keyset is not
defined"
pops-up.

I have not figured out yet how to debug this situation.

Hi,

Don't shoot me for saying this, but is there a Certificates
Management
feature like in previous versions (in mmc, if that exists)? Have
you
tried
importing the certificate into there and seeing if it is
selectable
then?

:

Hi,

I have created a private certificate on my Vista installation
(build
5384),
the certificate is suitable for EFS use.

When trying to use this certificate in EFS (via Make changes to
your
user
account,
the certificate can be selected, but when clicking OK, the
system
reports
that the "The keyset is not defined" and the certificate is not
becoming
selected.

There is no entry in the event log for this failure.

Has someone a clue how this can be repaired?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top