SHA-256 and Converting the Cryptographic Service Provider Type

Checking the Cryptographic Service Provider
SHA-256, SHA-384 and SHA-512 XML signatures require the private key to be associated with the Microsoft Enhanced RSA and AES Cryptographic Provider (CSP type 24).
See also: SHA-256 and Cryptographic Service Provider Types.

The CSP recorded in a PFX file can be checked using Microsoft's CertUtil.exe; the "Provider =" line in the dump output names it.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

certutil -dump idp.pfx
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 74f0ebfe22358db8433138f9558c9af9
Issuer: CN=www.idp.com
NotBefore: 22/11/2013 6:20 PM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=www.idp.com
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): a6 a4 ae 4e 0b 37 8e c7 36 78 e5 81 26 90 af 50 e3 ec 37 69
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.


The dump above shows the correct provider, so this private key may be used to generate SHA-256, SHA-384 and SHA-512 XML signatures.
If the private key isn't associated with the correct Cryptographic Service Provider (CSP), the PFX file can be converted so that it specifies the Microsoft Enhanced RSA and AES Cryptographic Provider.
NB. The conversion does not modify the public or private key values or any other information apart from the CSP to use; the certificate's serial number and hash are unchanged, which is how the result is verified below.
NB. It's safe to perform this conversion on self-signed as well as certificate authority issued certificate files.
Two options are listed for performing the conversion: CertUtil and OpenSSL. We recommend using CertUtil.

CertUtil
Dump the PFX file, noting the certificate's serial number; it identifies the certificate in the export and delete steps below.


certutil.exe -p password -dump test.pfx

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Software Key Storage Provider
Private key is NOT plain text exportable
Encryption test passed
CertUtil: -dump command completed successfully.



Import the PFX file into the Windows certificate store, specifying the cryptographic service provider the private key should use. Without -user, CertUtil operates on the local machine store, so run these commands from an elevated prompt (or add -user to the import, export and delete commands to use the current user's store instead).


certutil.exe -p password -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -importPFX test.pfx

Certificate "test" added to store.
CertUtil: -importPFX command completed successfully.



Export the certificate and private key from the Windows certificate store to a PFX file. The certificate is identified by its serial number. NoChain omits the certificate chain from the file; ExtendedProperties carries the certificate's extended properties across.


certutil.exe -p password -exportPFX 3ddc6dbd5f1321bd4655ac8841875bfb new.pfx NoChain,ExtendedProperties

MY "Personal"
================ Certificate 2 ================
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
Key Container = test-21a25909-b8af-4883-a423-33f17871b48d
Unique container name: b067db77931cffe3810d1d2d8bb2062d_9ee80830-26bf-4602-b6a8-a0b873b2c8bb
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -exportPFX command completed successfully.



Dump the new PFX file to confirm the correct cryptographic service provider is now specified. The serial number and certificate hash are the same as in the original file; only the provider has changed.


certutil -p password -dump new.pfx

================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 3ddc6dbd5f1321bd4655ac8841875bfb
Issuer: CN=test
NotBefore: 4/06/2020 10:45 AM
NotAfter: 1/01/2050 12:00 AM
Subject: CN=test
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): fecf3e3a28ca80248ca76c1870cb36130d9b9def
---------------- End Nesting Level 1 ----------------
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.



Delete the certificate from the Windows certificate store, as the copy there is no longer required.


certutil.exe -delStore My 3ddc6dbd5f1321bd4655ac8841875bfb

My "Personal"
Deleting Certificate 2: CN=test:fecf3e3a28ca80248ca76c1870cb36130d9b9def
CertUtil: -delstore command completed successfully.



OpenSSL

Specifying the correct CSP may also be done using OpenSSL.
Windows binaries are available for download. Refer to the OpenSSL Wiki.
The latest 64-bit Windows non-light installer at Shining Light Productions OpenSSL Installers is recommended; some older Windows builds do not support the -CSP option (see the report at the end of this thread).
The following command outputs information about the private key and certificate, including the CSP recorded in the bag attributes.
openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft Strong Cryptographic Provider
friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
X509v3 Key Usage: 10

The command then prompts for a PEM pass phrase because it is about to write the private key to the console. The CSP name has already been displayed by this point, so press Ctrl+C a couple of times to get back to the command prompt without writing the key.

The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.
The PFX can be recreated specifying the required CSP.
Firstly, it must be converted from PKCS12 to PEM format. Setting RANDFILE first avoids the "unable to write random state" warning produced by older OpenSSL releases when the default random state file isn't writable.

set RANDFILE=.\openssl.rnd

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12, specifying the Microsoft Enhanced RSA and AES Cryptographic Provider. The pass phrase prompted for is the PEM pass phrase chosen in the previous step; the export password becomes the password of the new PFX file.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures. Confirm this with certutil -dump as shown above, then delete idp.pem: it contains the private key (encrypted under the PEM pass phrase) and is no longer needed.
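The CertUtil and OpenSSL procedures above, automated as one script with the checks a practitioner would want: the provider is read from certutil -dump before and after, the serial number is confirmed unchanged, and the temporary store entry or PEM file is removed even when a step fails. This is an added example, not ComponentSpace's own tooling. It assumes certutil.exe (and, for the OpenSSL path, openssl.exe) are on PATH, it uses the current user's store via -user rather than the local machine store the commands above use, and the script, parameter and file names are ours.

```powershell
<#
  Convert-PfxCsp.ps1 (added example, not from the page)
  Re-associates the private key in a PFX with the CSP type 24 provider using
  either the CertUtil round trip or the OpenSSL PKCS12 -> PEM -> PKCS12 recreation.
  Usage:  .\Convert-PfxCsp.ps1 -InPfx test.pfx -OutPfx new.pfx -Password password
          .\Convert-PfxCsp.ps1 -InPfx idp.pfx -OutPfx new-idp.pfx -Password password -Method OpenSSL
  The password is passed on the certutil/openssl command lines (as on the page),
  so it is visible in process listings and shell history; use a throwaway value.
#>
param(
    [Parameter(Mandatory)] [string] $InPfx,
    [Parameter(Mandatory)] [string] $OutPfx,
    [Parameter(Mandatory)] [string] $Password,
    [ValidateSet('CertUtil', 'OpenSSL')] [string] $Method = 'CertUtil'
)
$Target = 'Microsoft Enhanced RSA and AES Cryptographic Provider'

# Read the "Provider =" and "Serial Number:" lines out of certutil -dump output.
function Get-PfxInfo([string] $Pfx, [string] $Pw) {
    $out = & certutil.exe -p $Pw -dump $Pfx | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed for ${Pfx}:`n$out" }
    $provider = [regex]::Match($out, '(?m)^\s*Provider\s*=\s*(.+?)\s*$').Groups[1].Value
    $serial   = [regex]::Match($out, '(?m)^\s*Serial Number:\s*([0-9a-fA-F]+)').Groups[1].Value
    if (-not $provider -or -not $serial) { throw "Could not read provider/serial from:`n$out" }
    [pscustomobject]@{ Provider = $provider; Serial = $serial }
}

$before = Get-PfxInfo $InPfx $Password
Write-Host "Current provider: $($before.Provider) (serial $($before.Serial))"
if ($before.Provider -eq $Target) {
    Write-Host 'Already using the required CSP; nothing to convert.'
    Copy-Item -Path $InPfx -Destination $OutPfx
    return
}

if ($Method -eq 'CertUtil') {
    # -user keeps the round trip in the current user's MY store, so no elevation is needed.
    & certutil.exe -user -p $Password -csp $Target -importPFX $InPfx | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'certutil -importPFX failed' }
    try {
        & certutil.exe -user -p $Password -exportPFX $before.Serial $OutPfx NoChain,ExtendedProperties | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'certutil -exportPFX failed' }
    } finally {
        # Always remove the temporary store copy, even if the export failed.
        & certutil.exe -user -delStore My $before.Serial | Out-Null
    }
} else {
    $pem = [System.IO.Path]::ChangeExtension($OutPfx, '.pem')
    try {
        # PKCS12 -> PEM; the key in the PEM file is encrypted under the same password (-passout),
        # then PEM -> PKCS12 with the Microsoft CSP Name bag attribute set via -CSP.
        & openssl.exe pkcs12 -in $InPfx -out $pem -passin "pass:$Password" -passout "pass:$Password"
        if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 (PKCS12 to PEM) failed' }
        & openssl.exe pkcs12 -export -in $pem -out $OutPfx -CSP $Target -passin "pass:$Password" -passout "pass:$Password"
        if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed' }
    } finally {
        # The PEM file holds the private key; never leave it behind.
        if (Test-Path $pem) { Remove-Item -Path $pem -Force }
    }
}

# Verify the result the same way the page does: dump the new file and check the Provider line.
$after = Get-PfxInfo $OutPfx $Password
if ($after.Provider -ne $Target) { throw "Conversion failed: new PFX reports '$($after.Provider)'" }
if ($after.Serial -ne $before.Serial) { throw 'Serial number changed; the wrong certificate was exported' }
Write-Host "OK: $OutPfx now specifies '$Target'"
```

The OpenSSL path is the one that older Windows builds may silently get wrong (the -CSP option is ignored and the original provider is written back), which is why the script re-dumps the output file instead of trusting the exit code.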

[quote]
ComponentSpace - Saturday, July 18, 2015

SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider.
SHA-256 and Cryptographic Service Provider Types
If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.
One method to perform this conversion is to use OpenSSL.
Windows binaries are available for download. Refer to the OpenSSL Wiki.
The following command outputs information about the private key and certificate including the CSP.

openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft Strong Cryptographic Provider
friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
X509v3 Key Usage: 10

The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.
The PFX can be recreated specifying the required CSP.
Firstly, it must be converted from PKCS12 to PEM format.

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.


[/quote]

Hi,

It is asking for PEM pass phrase. What should be the value?

Thanks,
Muhammad Masood

Hi,

I followed the steps, but at the last step, where it generates the .pfx from the .pem, I am getting the error shown in the image below:


I did exactly the same steps for my real .pfx file and am getting the same error "unable to write random state".

Thanks,
Muhammad Masood

This is a file permission error.
You should find that the new PFX has been created and the error message may be ignored.
However, to avoid the warning you may either:
For the command prompt, select “Run as an administrator”.
or
Set RANDFILE to a file path for which you have file permission (eg set RANDFILE=.\openssl.rnd) and then run the commands.

Hello,

I have pem file privkey.pem. Content of file is:

-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----

I run cmd as Administrator.

When I run this cmd:

openssl pkcs12 -export -in privkey.pem -out new.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

I get error:

unable to load certificates

If you run the following, does it dump out the certificate etc or display an error?

openssl x509 -in privkey.pem -text -noout

If an error is displayed then the file isn’t the correct format.
Does the file include the private key?
The format should be something like the following.

-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

There may be bag attributes and key attributes also.

[quote]
ComponentSpace - Wednesday, August 31, 2016
If you run the following, does it dump out the certificate etc or display an error?

openssl x509 -in privkey.pem -text -noout

If an error is displayed then the file isn't the correct format.
Does the file include the private key?
The format should be something like the following.

-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

There may be bag attributes and key attributes also.
[/quote]

When I run openssl x509 -in privkey.pem -text -noout I get error:

unable to load certificate
7796:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: TRUSTED CERTIFICATE


So I tried this. I have also *.pfx file so first I run this cmd:

openssl pkcs12 -in cert.pfx -out privkey.pem

Then ran openssl x509 -in privkey.pem -text -noout.

Output was:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d1:fe:48:49:d0:6d:c3:e5
Signature Algorithm: sha512WithRSAEncryption
Issuer: CN=XXX
Validity
Not Before: Jun 22 07:51:41 2016 GMT
Not After : Jun 22 07:51:41 2018 GMT
Subject: CN=XXX
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:9f:53:0d:9e:ce:b4:9e:7b:35:39:7d:15:8c:
6d:52:21:27:54:c9:71:15:46:ad:b4:a4:48:37:83:
1f:8b:a2:32:f3:87:6f:bc:62:df:24:62:ad:dc:81:
26:69:30:24:72:ac:8c:13:03:6a:6a:10:64:97:d5:
7f:f2:3d:0f:4d:5f:89:d5:84:4e:fa:81:33:c0:13:
01:5e:6a:ac:dd:be:63:20:07:72:56:1f:4b:73:d6:
2b:de:74:30:ca:1e:f8:59:74:ad:af:36:6e:c2:2e:
25:5e:87:e2:2f:f2:84:87:25:28:de:6a:e4:5b:82:
24:27:7b:11:cf:6c:49:4d:d4:dd:31:f3:ef:22:cd:
c7:5d:d7:8d:64:de:5f:d0:cd:13:cb:0a:32:f6:1a:
f2:f5:87:bb:cb:6a:a6:51:ee:4d:a7:04:7d:f8:93:
97:1e:45:cb:3d:c9:9b:49:c7:eb:99:20:c7:1e:f9:
b7:ab:38:e0:18:af:9d:09:64:92:31:a6:dc:b5:ea:
8c:63:15:68:32:7e:3c:9b:a4:4b:31:24:64:28:a5:
e6:5f:2c:2e:41:d1:93:d7:e8:06:ee:9b:95:73:d4:
ac:3e:18:6e:86:90:d0:25:5a:c2:29:19:c6:fa:14:
0c:0e:04:0f:94:af:5c:52:8f:b6:c1:05:f6:1e:4e:
2e:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
E1:5A:D8:30:CC:C3:A6:65:6C:48:CC:DB:BF:A9:B9:44:77:3E:C5:DC
X509v3 Authority Key Identifier:
keyid:E1:5A:D8:30:CC:C3:A6:65:6C:48:CC:DB:BF:A9:B9:44:77:3E:C5:DC

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha512WithRSAEncryption
15:53:ee:f6:dd:33:00:d9:b8:2f:53:cf:15:54:89:ab:ba:5f:
56:4c:c0:44:26:6b:d8:5d:59:1e:8e:42:f5:ee:a2:9a:97:37:
b6:ae:66:bc:15:1b:66:95:95:ae:a0:bd:ef:40:47:aa:57:2c:
67:d2:a8:8b:e9:31:e2:e2:a8:21:ce:2b:82:19:ed:83:57:47:
f5:b2:3c:46:b8:3b:da:a0:95:60:3f:60:0b:ee:26:17:e1:43:
7c:dc:38:f4:aa:8e:63:78:61:b0:d4:88:98:c6:b9:2f:af:f3:
8c:a8:ab:06:b9:ac:32:f5:53:ef:4b:fa:02:76:6c:06:17:c6:
d1:77:d6:aa:99:cc:41:d4:8a:e9:d2:2d:96:6e:14:50:94:54:
5a:9f:0a:d5:aa:b8:83:1c:28:75:31:68:b2:89:e7:80:2b:66:
fc:1f:ed:2b:ff:1a:d6:be:5d:89:a0:81:f2:a3:de:a5:f4:4f:
e9:9d:9f:88:ed:c2:53:79:30:90:c0:f4:ca:60:b0:85:40:83:
02:c7:e7:31:f4:57:bc:13:c9:cf:07:7a:2b:dc:ab:c3:d5:26:
5f:9d:d6:1c:d9:48:a0:13:41:ab:64:a4:31:97:95:2c:68:fe:
e4:66:b9:3e:49:08:cc:dc:44:05:b5:93:90:f8:f6:10:d7:dd:
50:74:0b:6e

Finally I ran this cmd:

openssl pkcs12 -export -in privkey.pem -out new.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Finished with error:

unable to load private key
5024:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: ANY PRIVATE KEY

I am now confused because we use this cert.pfx in our system and we don't have any problem.

Maybe I can send you the test certificates and you can try it, because I have no clue what is wrong.

If it’s a test certificate, you’re welcome to zip up the PFX file and send it along with the PFX file password to our support email address.
I’ll try running the openssl commands and will let you know.

[quote]
ComponentSpace - Wednesday, August 31, 2016
If it's a test certificate, you're welcome to zip up the PFX file and send it along with the PFX file password to our support email address.
I'll try running the openssl commands and will let you know.
[/quote]

I sent the email.

Thanks. I get the same issue as you. I suspect there’s something different about the format of these files.
I’ll take a closer look at this as soon as I can.
However, you might be better to generate a new PFX file using makecert as described in our Developer Guide PDF.

[quote]
ComponentSpace - Wednesday, August 31, 2016
Thanks. I get the same issue as you. I suspect there's something different about the format of these files.
I'll take a closer look at this as soon as I can.
However, you might be better to generate a new PFX file using makecert as described in our Developer Guide PDF.
[/quote]

Thank you for your effort.

Our vendor requires certificates in this format; this is the main problem, because it's an enterprise integration project.

We tried to use some open source WebSSO frameworks, but in all of them we were missing some features, hence our final choice is to use your product, because we also need some support.

Please let me know if you find something new.


I’ve tried to reproduce the issue with certificates I’ve generated but with no luck.
There must be something different about your PFX file which then causes issues for openssl.
As this is a self-signed certificate, I suggest that you generate another certificate.
This is described in the Generating Test X.509 Certificates forum topic.
For example, the following command generates a self-signed certificate with a 2048 bit key, that’s signed using SHA-512 and that specifies the type 24 cryptographic service provider. This is saved into the Windows certificate store for the current user.


makecert -r -pe -sky exchange -n "cn=www.idp.com" -ss My -sy 24 -len 2048 -a sha512


You would then export the certificate from the Windows certificate store as a PFX file using the Microsoft Management Console’s Certificates snap-in. Simply run mmc from the command prompt.
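An added example, not from the reply above or from ComponentSpace: the same test certificate generated with the built-in New-SelfSignedCertificate cmdlet instead of makecert (which is deprecated), with the key bound to the type 24 CSP at creation time and exported straight to a PFX so the MMC step is not needed. The subject name, output path and validity period are assumptions; the check at the end is the same "Provider =" line the rest of the page relies on.

```powershell
# Added example (not from the page): makecert -r -pe -sky exchange -n "cn=www.idp.com" -ss My -sy 24 -len 2048 -a sha512
# expressed with New-SelfSignedCertificate, then exported to a PFX. Path, subject and lifetime are assumptions.
$pfxPath  = 'C:\temp\idp.pfx'
$password = Read-Host -Prompt 'PFX password' -AsSecureString

# -Provider selects the CSP the private key is created in (makecert -sy 24),
# -KeySpec KeyExchange matches -sky exchange, -HashAlgorithm SHA512 matches -a sha512,
# -KeyExportPolicy Exportable matches -pe so the key can be written to the PFX.
$cert = New-SelfSignedCertificate `
    -Subject 'CN=www.idp.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeyAlgorithm RSA `
    -KeyLength 2048 `
    -KeySpec KeyExchange `
    -HashAlgorithm SHA512 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# Check it the same way the page does: the Provider line must name the type 24 CSP.
certutil -user -store My $cert.Thumbprint | Select-String -Pattern 'Provider ='

# The PFX is the deliverable; remove the store copy and its key container if they are not needed.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

Because the provider is chosen at key generation, no conversion round trip is needed for certificates created this way; the conversion procedures apply to PFX files received from elsewhere.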


[quote]
ComponentSpace - Wednesday, August 31, 2016
I've tried to reproduce the issue with certificates I've generated but with no luck.
There must be something different about your PFX file which then causes issues for openssl.
As this is a self-signed certificate, I suggest that you generate another certificate.
This is described in the Generating Test X.509 Certificates forum topic.
For example, the following command generates a self-signed certificate with a 2048 bit key, that's signed using SHA-512 and that specifies the type 24 cryptographic service provider. This is saved into the Windows certificate store for the current user.


makecert -r -pe -sky exchange -n "cn=www.idp.com" -ss My -sy 24 -len 2048 -a sha512


You would then export the certificate from the Windows certificate store as a PFX file using the Microsoft Management Console's Certificates snap-in. Simply run mmc from the command prompt.


[/quote]

Thank you, I will try it and let you know.

Thanks.

[quote]
ComponentSpace - Friday, September 2, 2016
Thanks.
[/quote]

Problem is solved. Thank you.

You’re welcome.


When I run these commands, it creates the wrong name!
It creates "Provider = Microsoft Enhanced Cryptographic Provider v1.0" instead of "Microsoft Enhanced RSA and AES Cryptographic Provider".

What could I be doing wrong? What do I need to do differently?

(Note in the example below I’ve replaced the real values with abc, xyz, etc)

c:\Program Files (x86)\GnuWin32\bin>openssl pkcs12 -export -in C:\x.pem -out C:\y.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"
Loading 'screen' into random state - done
Enter pass phrase for C:\x.pem:
Enter Export Password:
Verifying - Enter Export Password:

c:\Program Files (x86)\GnuWin32\bin>certutil -store my z
my
================ Certificate 0 ================
Serial Number: a
Issuer: CN=b
NotBefore: 11/10/2016 1:22 PM
NotAfter: 11/10/2018 1:22 PM
Subject: CN=c
Non-root Certificate
Template: d
Cert Hash(sha1): e
Key Container = f
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
CertUtil: -store command completed successfully.

I suspect you’re using a version of openssl that doesn’t support specifying the CSP.
We use the Shining Light Productions openssl. We’re currently using:
OpenSSL 1.1.0c 10 Nov 2016
The latest 64-bit Windows non-light installer at Shining Light Productions OpenSSL Installers is known to work.