Self-Signed Certificate Issue

I’m creating an IdP-initiated SSO application. The SP requires that we send them our certificate ahead of time and then include it in each assertion.

During testing I used the generic idp.cer that was included in your examples. This worked fine.

I am now trying to create our own self-signed certificate for production using OpenSSL. I used the statements in your Certificate Guide as an example and ran:

openssl req -x509 -newkey rsa:2048 -days 3650 -sha256 -subj "/CN=www.MyCompanyNameHere.com" -keyout key.pem -out cert.pem
openssl pkcs12 -inkey key.pem -in cert.pem -export -out idp.pfx
openssl pkcs12 -in idp.pfx -out idp.cer -nokeys

I sent this new certificate to the SP. I can load the certificate but not use it to sign the assertion. The error happens when I hit SAMLAssertionSignature.Generate(). The error text is below. Can you tell me what I’m doing wrong?

Exception Type: System.Security.Cryptography.CryptographicException
Exception Message: Invalid algorithm specified.
Exception Source: mscorlib
Exception Target Site: ThrowCryptographicException

---- Stack Trace ----
System.Security.Cryptography.CryptographicException.ThrowCryptographicException(hr As Int32)
VKExceptionManager.DLL: N 00041, IL 0006
System.Security.Cryptography.Utils.SignValue(hKey As SafeKeyHandle, keyNumber As Int32, calgKey As Int32, calgHash As Int32, hash As Byte[], cbHash As Int32, retSignature As ObjectHandleOnStack)
VKExceptionManager.DLL: N 00000
System.Security.Cryptography.Utils.SignValue(hKey As SafeKeyHandle, keyNumber As Int32, calgKey As Int32, calgHash As Int32, hash As Byte[])
VKExceptionManager.DLL: N 00097, IL 0024
System.Security.Cryptography.RSACryptoServiceProvider.SignHash(rgbHash As Byte[], calgHash As Int32)
VKExceptionManager.DLL: N 00199, IL 0063
System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
VKExceptionManager.DLL: N 00319, IL 0228
ComponentSpace.SAML2.Utility.XmlSignature.Generate(xmlElement As XmlElement, elementId As String, signingKey As AsymmetricAlgorithm, keyInfo As KeyInfo, signedXml As SignedXml, inclusiveNamespacesPrefixList As String, digestMethod As String, signatureMethod As String)
VKExceptionManager.DLL: N 00497, IL 0196

My apologies. The documentation is slightly wrong. I’ll see that it’s updated.
The command to generate the PFX should be:
openssl pkcs12 -inkey key.pem -in cert.pem -export -out idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
Also, please take a look at the following forum post.
https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
You need to ensure the “Microsoft Enhanced RSA and AES Cryptographic Provider” is used.
You can use openssl to update your PFX.
This won’t affect the certificate file you’ve supplied to the SP.

[quote]
ComponentSpace - 2/4/2019
My apologies. The documentation is slightly wrong. I'll see that it's updated.
The command to generate the PFX should be:
openssl pkcs12 -inkey key.pem -in cert.pem -export -out idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
Also, please take a look at the following forum post.
https://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Service-Provider-Type
You need to ensure the "Microsoft Enhanced RSA and AES Cryptographic Provider" is used.
You can use openssl to update your PFX.
This won't affect the certificate file you've supplied to the SP.
[/quote]

That did the trick. Thanks!

You’re welcome.