This error has been driving me mad for weeks... Hope someone can help me out here... Thanks in adv...
I am sending a SOAP message encrypted using WSE 2.0 SP2, but the 'bad key' exception just keeps coming up. I thought it had something to do with the certificate permission for the ASPNET account, which is generated by the .NET Framework automatically after it starts. However, the error still exists after I added the Read permission for that ASPNET account to the certificate used for encryption.
help.....

WSE 'Bad Key' Exception
ChicagoMark
Thanks for your help. I used the command you gave me and it works fine.
I think the problem is that I created a certificate in my own custom certificate store, and imported it to the "personal" store the wrong way.
I used the following command to create a certificate:
makecert -sk TestKey -r -n "CN=Test,OU=Cert,O=USYD,E=xxx@hotmail.com" -ss justin Test.cer
I dragged the certificate from the custom store "justin" into "personal" in the Microsoft Management Console.
The problem is solved, but I did another experiment. I tried again to create the certificate in "justin", then exported it as a pfx file with the private key and imported the pfx file back to "personal". In this case, there are 2 certificate files, the .cer file and the .pfx file. Do these files contain identical certificate attributes?
Sean Vikoren
A .PFX file contains the certificate and the private key, whereas the .CER file contains only the certificate.
If you want more of the details on these two files then you should try posting the question on the Platform SDK Security newsgroup.
Thanks
-Todd Foust
somewww
I had the same issue with encryption. I used the certificates used in WSE2.0 Microsoft samples and it worked. Looks like certificates generated with makecert are not able to decrypt.
Regards
Jahanzeb Faizan
cheesesarnie
I have a working test application and web service. I'm using the certificates and keys that were installed in the samples folder when WSE was installed. I don't have a very clear picture of what is in each of those files. I just imported them as it was stated in the book I'm using, "Expert Service-Oriented Architecture in C#".
Now I'm about ready to get real certificates and go from there, but I didn't want to spend money and get the wrong thing. I decided to make a set of test certificates and try them out. That way I would have a clearer picture of how it all works and what I need. I used makecert to create a .cer and a .pvk file, then used pvkimprt to convert the pvk file to a .pfx file that I could import using the mmc snap-in. I've done this several times with different parameters and configurations and have had no luck. I updated the key id that is used to retrieve the key from the store on both the client and server, so that doesn't seem to be the problem. Can you give me a better idea of what is inside the sample cert and pfx files?
A couple of things are confusing me about this app and how it works. First, I don't understand why the book claims that the client will use the "Client Private.pfx" file to encrypt messages and the server will use the "Server Public.cer" file to decrypt them. This appears as though we are encrypting and decrypting with keys from different pairs, and I didn't think that was possible. I also thought the conversation should be started with a public key being used for encryption.
The second thing I don't understand is how I can use the x.509 config tool to set permissions on the private key that came from "Server Public.cer". I didn't think that file contained a private key. I'm confused...
Thanks in advance,
Martin
Gunjan Moghe
<wssp:Claims>
<wssp:SubjectName>DC=DEV DC=xx OU=xx OU=xx OU=xx CN=xx</wssp:SubjectName>
</wssp:Claims>
Initially I had commas between the values in the subjectname element - I changed that and now I'm on to my next error :-)
adavidson
Did you create a certificate using the switches below?
makecert -sk MyCustomCert -sky exchange -r -n "CN=My Custom Cert" -ss my MyCustomCert.cer
Adding the "-sky exchange" will create a cert that supports encryption and signing.
hth
-Todd
Lars Seger
I just granted ASPNET full control permission for the crypto keys folder, but it still does not work...
Anandan
How did you create/get the certificate? Does the certificate support both signing AND encrypting? If you open up the certificate within WSE's X509 certificate tool then do you see both the "Supports encrypting" and "Supports signing" check boxes checked?
See if you can get the application to work with a simple makecert certificate. Here is a sample command to create the certificate:
makecert -sk MyCustomCert -sky exchange -r -n "CN=My Custom Cert" -ss my MyCustomCert.cer
Reference: Certificate Creation Tool (Makecert.exe)
HTH
-Todd Foust
Kuku
Even I am getting the same error "Bad key". I have done all that you have done to eliminate this error, but I am still getting that error.
I have tried all the possible methods but no use....
I have no problem with signing the request with an X509 cert. The problem comes when I try to encrypt that message.
Please help me...
Regards,
Neelu.
AJ Yu
%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys
http://www.wsefaq.com/question.aspx?id=3fd0cea6-7a89-424c-9c19-9c03af80e31d
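
The checks suggested across this thread (a private key is actually attached, the key was created with -sky exchange, and ASPNET can read the key file under MachineKeys) can be run in one pass. The PowerShell script below is an added example, not code posted by any participant. It assumes the certificate sits in the LocalMachine "My" (Personal) store, has a CSP-based RSA key as makecert produces, and that the script runs elevated so the key file ACL is readable.

```powershell
# Added diagnostic example; not part of the original thread.
# Assumptions: LocalMachine\My store, CSP (CAPI) RSA key, service account ASPNET.
param(
    [string]$Subject   = 'CN=My Custom Cert',      # subject from the makecert command in the thread
    [string]$StorePath = 'Cert:\LocalMachine\My',  # assumed store location
    [string]$Account   = 'ASPNET'
)

$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in $StorePath" }

# 1. A .cer import carries the certificate only; the private key comes with a .pfx.
if (-not $cert.HasPrivateKey) {
    Write-Output 'Certificate has no associated private key (public-only import).'
    return
}

# 2. Read the key container details; CNG keys do not expose CspKeyContainerInfo.
try   { $info = $cert.PrivateKey.CspKeyContainerInfo }
catch { throw "Private key is not reachable through a CSP: $($_.Exception.Message)" }
if (-not $info) { throw 'Private key is not a CSP key; this script only covers CSP keys.' }

# 3. Locate the key file. Only machine keys live under the MachineKeys folder
#    named in the thread; user keys sit in the creating user's profile.
$keyFile = $null
$rights  = 'n/a (key is in a user profile, not in MachineKeys)'
if ($info.MachineKeyStore) {
    $dir     = "$env:ALLUSERSPROFILE\Application Data\Microsoft\Crypto\RSA\MachineKeys"
    $keyFile = Join-Path $dir $info.UniqueKeyContainerName
    $rules   = (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Account" }
    $rights  = if ($rules) {
        ($rules | ForEach-Object { "$($_.AccessControlType) $($_.FileSystemRights)" }) -join '; '
    } else { "no explicit entry for $Account" }
}

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    KeyNumber       = $info.KeyNumber          # Exchange is what -sky exchange produces
    MachineKeyStore = $info.MachineKeyStore
    Exportable      = $info.Exportable
    KeyFile         = $keyFile
    AccountRights   = $rights
}
```

A KeyNumber of Signature, a MachineKeyStore of False, or no entry for the service account on the key file each point at one of the causes raised in the replies above.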