LP13

Reputation: 34149

Provided certificate is not valid for encryption/decryption

I am using IdentityServer3 for authentication. IdentityServer3 is using a signing certificate (the certificate that is used for signing tokens) created using makecert as per this article.

makecert -r -pe -n "CN=SigningOnlyCert" -b 01/01/2015 -e 01/01/2020 -sky signature -a sha256 -len 2048 -ss my -sr LocalMachine

This signing-only certificate has been working fine with IdentityServer3.

Now I am trying to add a SAML2 external provider using the SustainSys library. I configured SPOptions to load the same signing-only certificate, like Saml2AuthenticationOptions.SPOptions.ServiceCertificates.Add(LoadCertificateFromWindwosStore()). However it throws an error:

Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes. If you only want to use it for signing, set the Use property to Signing (CertificateUse.Signing).

When I debug the library code, the actual exception is Bad Key, as mentioned in #412.

Not sure why this certificate is not working with SustainSys, when it works with IdentityServer3?

(Note that if I create a new SSL certificate as per @brockallen's article,

makecert -r -pe -n "CN=SSLCert" -b 01/01/2015 -e 01/01/2020 -sky exchange -a sha256 -len 2048 -ss my -sr localMachine

then the SustainSys library works with the SSL certificate, but not with the signing-only certificate.)

Upvotes: 3

Views: 4949

Answers (2)

Magali

Reputation: 1

I fixed it by opening Visual Studio as administrator

Upvotes: 0

Steve P

Reputation: 19397

That message indicates the certificate may not have the proper usage flags for encryption/decryption. But, if I am understanding you correctly, you don't actually want encryption. If so, you can specify that your intended use is Signing.

There is an overload of that ServiceCertificates.Add method which lets you specify the intended use, e.g.

Saml2AuthenticationOptions.SPOptions.ServiceCertificates.Add(
  new ServiceCertificate
  {
    Certificate = LoadCertificateFromWindwosStore(),
    Use = CertificateUse.Signing
  }
);

The above would let you use it to sign outbound login/logout requests and would be published with use=signing in your metadata.

Note that this is different from the IDP's certificate, which it uses to sign responses. That is configured along with the rest of the IDP information in the IdentityProviders list (ideally, using MetadataLocation to retrieve the certificate automatically).

Upvotes: 1
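A fuller version of the registration above, covering both the question (a makecert -sky signature key that fails the library's encryption check) and the answer (the ServiceCertificate overload with Use = Signing). This is an added example, not code from the answerer or from the Sustainsys.Saml2 project. It assumes the Sustainsys.Saml2.Configuration namespace for ServiceCertificate and CertificateUse (with Signing and Both members), Sustainsys.Saml2.Owin for Saml2AuthenticationOptions, and that the library's "valid for encryption/decryption" check fails on CryptoAPI keys created as AT_SIGNATURE; LoadFromLocalMachineStore and DetermineUse are hypothetical helper names standing in for the question's LoadCertificateFromWindwosStore(). The KeyNumber inspection uses the .NET Framework RSACryptoServiceProvider.CspKeyContainerInfo API, which reports whether a CAPI key container holds a signature-only or an exchange key, which is exactly what makecert's -sky switch decides.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Sustainsys.Saml2.Configuration; // ServiceCertificate, CertificateUse (assumed namespace)
using Sustainsys.Saml2.Owin;          // Saml2AuthenticationOptions (assumed namespace)

public static class ServiceCertificateSetup
{
    // Hypothetical helper: load a certificate from LocalMachine\My by subject name.
    // The process identity needs read access to the private key in the store,
    // otherwise HasPrivateKey may be false or PrivateKey may throw.
    public static X509Certificate2 LoadFromLocalMachineStore(string subjectName)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, validOnly: false);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException(
                    "No certificate with subject '" + subjectName + "' in LocalMachine\\My.");
            }
            return matches[0];
        }
    }

    // Hypothetical helper: decide which SAML use the certificate can actually support.
    // A key created with makecert -sky signature lives in an AT_SIGNATURE container and
    // cannot decrypt, so it must be registered as Signing only; an -sky exchange key
    // (AT_KEYEXCHANGE) can serve both signing and decryption of encrypted assertions.
    public static CertificateUse DetermineUse(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                "Certificate has no accessible private key; check the key ACL in the store.");
        }

        // Legacy CAPI keys surface as RSACryptoServiceProvider on .NET Framework.
        var csp = cert.PrivateKey as RSACryptoServiceProvider;
        if (csp != null && csp.CspKeyContainerInfo.KeyNumber == KeyNumber.Signature)
        {
            return CertificateUse.Signing;
        }

        // Also respect an explicit KeyUsage extension that omits key encipherment.
        foreach (var ext in cert.Extensions)
        {
            var ku = ext as X509KeyUsageExtension;
            if (ku != null && !ku.KeyUsages.HasFlag(X509KeyUsageFlags.KeyEncipherment))
            {
                return CertificateUse.Signing;
            }
        }

        return CertificateUse.Both;
    }

    // Register the SP certificate with the use it can support, so the library does not
    // attempt an encryption/decryption self-test on a signature-only key.
    public static CertificateUse Register(Saml2AuthenticationOptions options, string subjectName)
    {
        var cert = LoadFromLocalMachineStore(subjectName);
        var use = DetermineUse(cert);

        options.SPOptions.ServiceCertificates.Add(new ServiceCertificate
        {
            Certificate = cert,
            Use = use
        });

        return use; // returned so the caller can log what was published in metadata
    }
}

// Usage, with the subject from the question's makecert command:
//   var use = ServiceCertificateSetup.Register(saml2Options, "SigningOnlyCert");
//   -> CertificateUse.Signing for the -sky signature certificate
</code>
```

If DetermineUse returns Signing for a certificate you intended to use for decrypting encrypted assertions, the fix is on the key side, not in the options: generate the certificate with -sky exchange as the question's second makecert command does, rather than forcing Use = Both on a signature-only key.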
