Kjaneb

Reputation: 231

Cannot find a unique certificate that matches the criteria

I am running into the following error when attempting to parse my token:

Property name: 'certificateReference'
Error: 'ID1025: Cannot find a unique certificate that matches the criteria.
StoreName: 'My'
StoreLocation: 'LocalMachine'
X509FindType: 'FindByThumbprint'
FindValue: '‎41a8a59e537d4a00a8c4fa8dc2522388dbd13d27'

The section in my web.config is:

<serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint" findValue="‎41A8A59E537D4A00A8C4FA8DC2522388DBD13D27" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>

I have confirmed the certificate exists in IIS, MMC and Internet Explorer and have tried changing the find type to subject, to no avail. I have also tried the thumbprint in upper case, lower case, with spaces and without spaces. I have also confirmed the certificate exists in LocalMachine\My with the following results:

Matching certificate:
CN=kelly-pc

Additional accounts and groups with access to the private key include:

NT AUTHORITY\SYSTEM
BUILTIN\Administrators
KELLY-PC\Kelly
BUILTIN\IIS_IUSRS

Upvotes: 22

Views: 20914

Answers (6)

gbs

Reputation: 7276

On one particular server I had to add it to Trusted Root Certification Authorities store as well in addition to Personal for the code to recognize it.

On my local box and other servers it worked just fine in the Personal store only.

Upvotes: 0

Caramiriel

Reputation: 7277

So this error was showing up on my screen this morning. I'm using a development machine, so I was using a self-signed (IIS) certificate. After installing Visual Studio 2015 RC, IIS was upgraded as well. Turns out that broke the chain trust, because the root certificate was either removed or invalid (IIS Express .

Probably an obvious thing to do, but make sure the selected certificate is still valid, including every hop in the chain.

Upvotes: 0

Andrzej Turski

Reputation: 636

It was an invisible character in front of the thumbprint for me too. The standard Microsoft instruction to get the thumbprint is to open the certificate properties, copy the string of hex-encoded bytes, and remove spaces in between. I guess this copy procedure adds some invisible characters to the beginning of the string. These characters also need to be removed or the thumbprints do not match. I knew something must be wrong with the thumbprint when I found I was able to load the certificate by its name.

Upvotes: 3

Guish

Reputation: 5160

I had exactly the same problem. By copying my web.config section into Notepad++ (not Notepad) I saw an invisible character:

<serviceCertificate>
        <certificateReference  x509FindType="FindByThumbprint" findValue="?e36df2f3e351a25adf8ffb6ad3619f10238f0317" />
</serviceCertificate>

Delete this character and it should work.

Without Notepad++ you can just press backspace in front of the thumbprint value (trying to delete the " char).

Upvotes: 24
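Added example, not code from any answer on this page: a small Python checker that parses the certificateReference elements out of a web.config and lists every character in findValue that is not a hex digit, with its Unicode code point, so the invisible character Andrzej and Guish describe becomes visible rather than rendering as "?". The constructed sample config assumes the stray character is U+200E LEFT-TO-RIGHT MARK, the one embedded in the FindValue line of the question's error output.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample of the question's web.config fragment. The "\u200e"
# escape places a LEFT-TO-RIGHT MARK before the thumbprint (an assumption
# about which invisible character got pasted in; it is not visible in an editor).
SAMPLE_CONFIG = """<configuration>
  <serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint"
        findValue="\u200e41A8A59E537D4A00A8C4FA8DC2522388DBD13D27"
        storeLocation="LocalMachine" storeName="My" />
  </serviceCertificate>
</configuration>"""

# A SHA-1 certificate thumbprint is exactly 40 hex digits once spaces are removed.
HEX40 = re.compile(r"^[0-9A-F]{40}$")


def check_thumbprint(value):
    """Return (normalized, problems).

    normalized is the upper-cased thumbprint with spaces dropped, or None if
    the result is still not 40 hex digits. problems names every character
    that is neither a hex digit nor a space, with code point and Unicode name.
    """
    problems, kept = [], []
    for ch in value:
        if ch in " \t":
            continue  # spaces between byte pairs are harmless, drop them
        if re.fullmatch(r"[0-9A-Fa-f]", ch):
            kept.append(ch.upper())
        else:
            problems.append(f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}")
    normalized = "".join(kept)
    return (normalized if HEX40.match(normalized) else None), problems


def audit_config(xml_text):
    """Report every FindByThumbprint certificateReference and its findValue problems."""
    root = ET.fromstring(xml_text)
    report = []
    for ref in root.iter("certificateReference"):
        if ref.get("x509FindType") != "FindByThumbprint":
            continue
        raw = ref.get("findValue", "")
        normalized, problems = check_thumbprint(raw)
        report.append({"raw": raw, "normalized": normalized, "problems": problems})
    return report
```

For the sample config the report lists one reference whose only problem is "U+200E LEFT-TO-RIGHT MARK"; pasting the normalized value back into findValue is the fix.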

Bjarki B

Reputation: 749

First of all, the "issuedTokenAuthentication" advice from Oleg did not work for me since my application is an asp.net MVC application. I assume that this element is not supported in an asp.net MVC application, but it might be supported in a WCF service config.

After many hours of battling with this error on localhost and other errors such as ID1024, I had to undo some stuff I had done by following advice like giving Everyone read to all the files inside %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys as per this blog (I granted read on the whole MachineKeys folder, which was not a good idea!). By doing this, all granting of permissions to private keys stopped working via the MMC console!

My solution was to create a new self-signed certificate as per the instructions from here.

Then I did a fresh import of the newly created certificate into the correct store and gave the user that runs the web application read rights to the private key. My problem was with the certificate I was using before, which was self-signed; there must have been something wrong with it.

This section was definitely required on the client side:

<serviceCertificate>
   <certificateReference x509FindType="FindByThumbprint" findValue="‎41A8A59E537D4A00A8C4FA8DC2522388DBD13D27" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>

When dealing with certificates, this is also very good advice to keep in mind:

IF YOU FIRST IMPORT THE CERTIFICATE INTO THE PERSONAL STORE FOR DEVELOPMENT, THEN IMPORT IT INTO THE MACHINE STORE FOR DEPLOYMENT, THE PRIVATE KEY WILL REMAIN IN THE PERSONAL STORE LOCATION SO NO SERVICE ACCOUNT CAN USE IT EVEN THOUGH THEY'VE BEEN GRANTED PERMISSION.

And finally, the FindPrivateKey.exe tool came in very handy to locate the actual private key file and to help solve the problem; it can be downloaded from here, with good instructions here.

I noticed when deleting certificates via the MMC console I had to remove the private key file manually from

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

if deleting from localMachine store and from

C:\Users\[Username]\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2106337540-114255811-1274951907-65121

if deleting from the CurrentUser store.

Upvotes: 8

Oleg

Reputation: 221997

Probably you use a self-issued certificate, and you should also add the line

<issuedTokenAuthentication allowUntrustedRsaIssuers="true" />

inside <serviceCertificate>, which should be used together with <certificateReference>.

Upvotes: 0
