Keyset does not exist

I am trying to configure the app to use an AbstractSamlConfigurationResolver

When I am inserting my cert (base64 string) I use the following code

[quote] localServiceProviderConfiguration.LocalCertificates = new List<Certificate>()
{
    new Certificate()
    {
        String = "MII…==",
        Password = "MyPass"
    }
}; [/quote]


However when the app runs I get the error

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
at Internal.Cryptography.Pal.StorePal.Export(X509ContentType contentType, SafePasswordHandle password)

Any suggestions?

Please ensure that the certificate string also includes the private key.
A PFX file may be converted to a base-64 string using PowerShell.


$bytes = [System.IO.File]::ReadAllBytes("idp.pfx")
[System.Convert]::ToBase64String($bytes)


Same error I’m afraid - I also verified that the string does indeed include the PK.

Just in case I’m doing something stupid - to implement the bare minimum required in the ConfigurationResolver to be able to run InitiateSsoAsync

I have GetLocalServiceProviderConfigurationAsync and GetPartnerIdentityProviderConfigurationAsync

The GetLocalServiceProviderConfigurationAsync only contains a LocalCertificates with my public/private cert
The GetPartnerIdentityProviderConfigurationAsync contains the partner public cert (I’ve also tried putting my local cert in the LocalCerts).

Also in the Startup I only have

services.AddSaml();
services.AddScoped<ISamlConfigurationResolver, MySaml2ConfigResolver>();

What you’ve described is correct.

As an experiment, do you get the same error if you convert and use the idp.pfx that we ship? You’ll find this in the ExampleIdentityProvider\Certificates folder. The password is “password”.

Please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com mentioning your forum post.
https://www.componentspace.com/Forums/7936/Enabling-SAML-Trace

After working with ComponentSpace, the problem was that for some reason my machine needed to run .NET Core in Admin mode in order to access the key-store. Running it in admin mode solved this issue for me.

Thanks for the update. The other option to consider is setting the file permissions for the private key container.
The private key container is where Windows stores private keys that have been loaded. Usually this folder is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
Please refer to the following forum post for more information.
https://www.componentspace.com/Forums/29/Troubleshooting-Loading-X509-Certificates
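
A diagnostic for the situation discussed in this thread, added here as an example (it is not ComponentSpace code and not part of the original posts): run under the same account as the application, it loads the PFX from a base-64 string, exercises the private key under each key storage location, and lists the ACL of the MachineKeys folder named above. The parameter names and the default path are assumptions; the defaults match the shipped idp.pfx and its password mentioned earlier.

```powershell
# Added diagnostic script, not ComponentSpace code. Run it as the account the app runs under.
# $PfxPath and $Password are assumptions; the defaults refer to the shipped idp.pfx.
param(
    [string]$PfxPath  = '.\idp.pfx',
    [string]$Password = 'password'
)

$x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$flagT = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

# Same round trip the app performs: PFX bytes -> base-64 string -> bytes.
$b64   = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes((Resolve-Path $PfxPath).Path))
$bytes = [System.Convert]::FromBase64String($b64)

'Running as: ' + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

foreach ($flag in @($flagT::UserKeySet, $flagT::MachineKeySet)) {
    $cert = $null
    try {
        $cert = $x509::new($bytes, $Password, $flag)
        if (-not $cert.HasPrivateKey) { throw 'PFX loaded but holds no private key' }
        $rsa = $rsaExt::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { throw 'private key is not an RSA key' }
        # Signing forces Windows to open the key container, which is where
        # a permission problem on the container surfaces.
        $null = $rsa.SignData([byte[]](1, 2, 3),
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        '{0,-13} OK    {1}' -f $flag, $cert.Subject
    } catch {
        '{0,-13} FAIL  {1}' -f $flag, $_.Exception.Message
    } finally {
        if ($cert) { $cert.Dispose() }
    }
}

# Who may read or create key files in the machine key container folder.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
(Get-Acl -Path $machineKeys).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights |
    Format-Table -AutoSize
```

If a key set fails for the application account but succeeds from an elevated prompt, compare that account against the ACL listing before deciding to run the whole application elevated.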