Private key import via ImportPrivateKey

Similar Messages

• SSL CertGen & Private key import errors - 7.0

  I am trying to install weblogic generated ssl certificate and because the private
  key needs to be encrypted with a password, i am loading this in a new JDK keystore
  and trying to configure WL.
  I am running utils.CertGen from weblogic 7.0 sp3 on XP.
  X:\SSLTest>java utils.CertGen testpassword testcert testkey
  Creating Domestic Key Strength - 1024
  ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
  Encoding
  Created Private Key files - testkey.der and testkey.pem
  com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
  to encode X500Name.
  at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
  at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
  at utils.CertGen.createCertificateRequest(CertGen.java:312)
  at utils.CertGen.processCommand(CertGen.java:185)
  at utils.CertGen.main(CertGen.java:170)
  com.rsa.certj.cert.CertificateException: Cannot build Cert Request Info: Unable
  to encode X500Name.
  at com.rsa.certj.cert.PKCS10CertRequest.getCertRequestInfoDEREncoding(PKCS10CertRequest.java:824)
  at com.rsa.certj.cert.PKCS10CertRequest.signCertRequest(PKCS10CertRequest.java:1082)
  at utils.CertGen.createCertificateRequest(CertGen.java:312)
  at utils.CertGen.processCommand(CertGen.java:185)
  at utils.CertGen.main(CertGen.java:170)
  I went ahead and ran the same CertGen on unix and got the certificate file and
  the key file
  to my box to check to see if i can install it. I created a new keystore with keytool,
  loaded the private key with the alias and the password phrase, made this key store
  the default keystore, supplied the management password, changed the files to read
  the new cert file and key file.
  Attached is the log for the SSL debug.
  Do i need to import the private key stored in the JDK for weblogic ? I tried doing
  that by running.
  X:\>java utils.ImportPrivateKey X:\bea\user_projects\mydomain\mystore.jks mypass
  myalias pvtPasswd X:\bea\user_projects\mydomain\localcert.pem X:\bea\user_projects\mydomain\localkey.pem
  ImportPrivateKey will use existing X:\bea\user_projects\mydomain\mystore.jks
  ImportPrivateKey failed, java.security.KeyManagementException: ASN.1: Unxpected
  ASN.1 tag
  java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag
  at com.certicom.security.cert.internal.x509.SSLPlusSupport.getLocalIdentityPartial(Unknown
  Source)
  at com.certicom.net.ssl.CerticomContextWrapper.inputPrivateKey(Unknown
  Source)
  at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:76)
  at utils.ImportPrivateKey.importKey(ImportPrivateKey.java:44)
  at utils.ImportPrivateKey.main(ImportPrivateKey.java:32)
  X:\>
  Attached log is SSL debug enabled and it cant see the private key.
  Any help is appreciated.
  thanks,
  mallik
  [ssldebuglog.txt]

  "Mallik" <[email protected]> wrote in message
  news:3f3274e9$[email protected]..
  >
  I am trying to install weblogic generated ssl certificate and because theprivate
  key needs to be encrypted with a password, i am loading this in a new JDKkeystore
  and trying to configure WL.
  I am running utils.CertGen from weblogic 7.0 sp3 on XP.
  X:\SSLTest>java utils.CertGen testpassword testcert testkey
  Creating Domestic Key Strength - 1024
  ..... Certificate CommonName will contain Hostname KUNDULA_M-DGS
  Encoding
  Try this on 8.1 and see if it works. There was a bug fix with respect to "_"
  in hostnames.

• NAC and SSL - fails to import password protected private key

  I am attempting to import an SSL certificate on my CCA Manager and Server. I purchased a wild card SSL cert *.domain.com. The private key used to generate the certificate was created on an Cisco ACS 3.2 server and has a password. When attempting to import the private key into the CCA Manager the browser times out and no error is reported.
  My guess is that it is waiting for the password to allow access to the private key. Unfortunately there is no place on the form and no pop-up to enter the password.
  Is there a command line option for importing a private key that may work for me?
  Thanks
  Sherm

  The best Possible way is to generate a CSR from the CCA server and then purchase a certificate using that CSR. Then you dont have problems with private keys.
  Regards
  sathappan

• Import an SSL Private Key

  Hello.  Is it possible to export the Private Key from, say, my J2EE engine (I'm running a dual stack) and import it into my ABAP instance so that both systems use the same Private Key?  They both have the same host name.

  I guess its possible. Please correct me if i am wrong.
  Please keep in mind, that simply importing a certificate as a certificate response won't work in this situation, since the public key from your CA and the public key in the individual PSEs already existing on the respective servers won't match.
  following steps all the key pairs and certificates that are currently stored in the SSL Server PSEs on the target systems will be removed. If you want to keep them, you'll need to export them to a safe place.
  Step 1: import the key pair into a PSE
  Since pl.16 of SAPCRYPTOLIB, key pairs given in the format PKCS#12 can be imported into a PSE (note 745063). Since pl.24 of SAPCRYPTOLIB, also the import of key pairs given as PKCS#5, PKCS#8 or OpenSSL-PEM is supported (note 1159829).
  Step 2: import the PSE resulting from Step 1) into the system's database All PSEs that are known to transaction STRUST will be exported from the database and distributed to the application servers at system startup. The related PSE files will be overwritten. So, the PSE resulting from the key pair import in step 1) needs to be imported into the database.
  You'll need to go through a procedure similar to the one described in note 1178155, step 3.
  - Copy the PSE from step 1) to your workstation/PC
  - Start transaction STRUST
  - Doubleclick the "FILE" icon in the navigation area (left hand side)
  - Select the PSE on your workstation/PC
  - Execute the menu item "PSE --> save as..." and choose the SSL Server
  PSE as target. This will save the PSE from step 1 as SSL Server
  standard PSE.
  - The following step is a modification from note 1178155 which is
  only applicable in your special situation: right mouse button click
  on the SSL Server PSE entry in the navigation area. From the context
  menu appearing, select "Change".
  - Remove the distinguished names from all application server specific
  PSEs in the list. Pressing the green tick mark ('save') will remove
  all application server specific SSL Server PSEs, so the system is
  forced to use the SS Server standard PSE instead.
  Don't forget to restart the ICM in order to make your changes become effective.
  Regards,
  Jazz

• Importing a PKCS12 private key into java Keystore

  Hi,
  We have an existing private key, stored in a ".p12" file.
  Currently, our existing program will access this file directly to retrieve the private key, however, we need to import this private key into a keystore so it can be retrieved by our new code.
  Does anyone know whether it is possible to do this, and if so, is there any criteria that need to be met.
  If it is possible, then how do we do it?
  Assistance is appreciated!
  Regards
  Steve Williams

  Sorry to cross-post, but I have a similar problem.
  I have an existing certificate (public/private keypair) that I'm using in Microsoft IIS. Using Cert Manager in Windows2000 I export the certificate preserving the private key into a pfx file. I need to import the public/private keypair into the keystore. I also have the original certificate request and reply from Verisign if that helps any. I've looked everywhere and have been unable to find any information about doing this. Please Help!
  If there is a way to do this using keytool that would be great. If someone knows how to programmatically do this that would also be great.
  Thanks in advance,
  Trey Caldwell
  Software Engineer
  Intrannuity, LLC
  [email protected]

• Exporting SSL Private Key

  In the midst of an apocalyptic SSL install in 10.4 server. Currently, I am trying to install a wildcard cert via Server Admin, which may have been a mistake. After smashing my head for a week, I tried a new tack and rebuilt the system keychain and attempted to install the certificate; this failed at the level of Server Admin. However, in Keychain Access I am showing the SSL cert, public and private keys, and the CA's cert, all valid.
  Since I know of no other way to do get KA talking to SA so that I can actually use this certificate, I am trying to export the valid certs and keys to import. My problem is this, the certs and public key export fine, the private key fails returning an error of Unable to Export CLINTERNALERROR. I double checked that root is enabled in netinfo. Any ideas on how to rectify this?

  I believe you have to run Keychain Access as root to export the private key.
  sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

• SSL: how to use Multiple Private key/Certificate pair for authentication.

  Hi all,
  i am implementing SSL in java using X509 Certificate/private key combination.
  i have two set of private key/certificate pair.
  one is factory default and another is generated at run time.
  my problem is to try ssl connection with both pairs on same tcp/ip connection.
  e.g. on server side: first try ssl connection with factory default certificate, if it fails try connecting with generated certificate on same tcp/ip connection.
  on client side: if generated certificate(this certificate was generated at server side) is present first perform server authentication using this certificate otherwise authenticate server with factory default certificate.
  can someone please help and let me know how do i need to configure both ends(client and server) for achieving the same.
  Thanks In Advance
  Saurabh Ahuja

  Client code does not contain any default truststore and needs a certificate for authentication.Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
  It's like this. The idea of PKI with SSL is as follows:
  - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
  - the client has a truststore that trusts the server, one way or the other, see above.
  - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
  - the server sends its cert to the client along with a digital signature signed by its private key.
  - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
  At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
  If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
  You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

• Recovering Private Key Password

  I have a customer who is trying to load a private key from a file but can not remember the Private Key password. Does anyone have an idea of what the best way to recover this would be if its possible?

  this is not possible since this is the most important part of the security protocol.
  You have to created a new key and get a new certificate.
  Regards,
  Gilles.

• Private key problem

  hey folks,
  i would like to store a certificate's private key in a mysql db.
  my problem is that i don't know how to convert it back to a PrivateKey when i extract it from the db.
  i use the function Base64.encode(userPrivKey.getEncoded()); (org.bouncycastle.util.encoders.Base64; to store the private key base64 encoded in the db.
  when i extract the key from the db i can decode it with Base64.decode(). the problem is that the decode function only returns a byte array.
  so does anybody know how i can convert that byte array back to a private key?
  or is there any other (better) solution to store and retrieve private keys from a mysql db?
  many thanks
  toto

  I've been looking to do the same thing, and your code is helpful.
  If you do not want to pull in the BouncyCastle library, you can extract the RSA private key from the PKCS8 key format by parsing the DER directly. Here is some code that does it. All you need to add is the Base64 encode, and RSA begin and end flags.
  import java.util.*;
  import java.io.*;
  public class Pkcs8ToRsa {
      // rsaEncrytion is { pkcs-1 1 }
      // pkcs-1 is { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) 1 }
      private static final byte[] OID_rsaEncryption = {
          (byte)0x2a, (byte)0x86, (byte)0x48, (byte)0x86,
          (byte)0xf7, (byte)0x0d, (byte)0x01, (byte)0x01,
          (byte)0x01 };
      private static final byte[] INTEGER_v1 = { (byte)0x00 };
      private static final int TAG_INTEGER      = 0x02;
      private static final int TAG_OCTET_STRING = 0x04;
      private static final int TAG_OID          = 0x06;
      private static final int TAG_SEQUENCE     = 0x30;
      private byte[] buffer;
      private int offset;
      protected Pkcs8ToRsa(byte[] pkcs8key) {
          this.buffer = pkcs8key;
          this.offset = 0;
      public static byte[] convert(byte[] pkcs8key) {
          return (new Pkcs8ToRsa(pkcs8key)).extractPrivateKey();
      private int extractTag() {
          // Assume single octet tag
          return ((int)buffer[offset++]) & 0xff;
      private void matchTag(int tag) {
          if (extractTag() != tag) {
              throw new IllegalArgumentException("Bad input");
      private int extractLength() {
          int lengthOfLength = ((int)buffer[offset++]) & 0xff;
          if ((lengthOfLength & 0x80) == 0) {
              // Single octet
              return lengthOfLength;
          } else {
              // Multiple-octet
              lengthOfLength = lengthOfLength & 0x7f;
              int length = 0;
              for (int i = 0; i < lengthOfLength; i++) {
                  length = (length << 8) | (((int)buffer[offset++]) & 0xff);
              return length;
      private void matchLength(int length) {
          if (extractLength() != length) {
              throw new IllegalArgumentException("Bad input");
      private byte[] extractValue(int length) {
          byte[] value = new byte[length];
          System.arraycopy(buffer, offset, value, 0, length);
          offset += length;
          return value;
      private void matchValue(byte[] value) {
          for (int i = 0; i < value.length; i++) {
              if (buffer[offset+i] != value) {
  throw new IllegalArgumentException("Bad input");
  offset += value.length;
  public byte[] extractPrivateKey() {
  // Encoding should be
  // SEQUENCE {
  // version INTEGER,
  // privateKeyAlgorithm SEQUENCE {
  // id OBJECT IDENTIFIER,
  // Type OPTIONAL
  // privateKey OCTET STRING
  // attributes [0] Attributes OPTIONAL
  // We are after the contents of privateKey
  // Outer sequence
  matchTag(TAG_SEQUENCE);
  int totalLength = extractLength();
  if ((offset + totalLength) > buffer.length) {
  throw new IllegalArgumentException("Bad input");
  // Check version == v1
  matchTag(TAG_INTEGER);
  matchLength(INTEGER_v1.length);
  matchValue(INTEGER_v1);
  // Check algorithm
  matchTag(TAG_SEQUENCE);
  int algorithmLength = extractLength();
  int keyOffset = offset + algorithmLength;
  matchTag(TAG_OID);
  matchLength(OID_rsaEncryption.length);
  matchValue(OID_rsaEncryption);
  // Skip to privateKey
  offset = keyOffset;
  // Get it.
  matchTag(TAG_OCTET_STRING);
  int keyLength = extractLength();
  if ((offset + keyLength) > buffer.length) {
  throw new IllegalArgumentException("Bad input");
  return extractValue(keyLength);

• Private Key Not Found Error in Ldaps

  Hi,
  I am facing "Private Key Not Found" Error in ldaps. The key and the SSL certificate is stored under the same location. The certificate is self signed certificate and in .pem format. When I am trying to install the certifcate through SUN ONE Console it throws the following error
  "Either this certificate is for another server, or this certificate was not requested using this server".
  can any one help me in this regard.
  Regards
  Senthil
  Edited by: senlog80 on Dec 30, 2008 3:18 AM

  Or even better, check the note <a href="https://websmp110.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=924320&_NLANG=E">924320</a>.
  <b>Symptom</b>:
  When you execute a query with virtual characteristics or key figures, the system issues the following error message:
  Object FIELD I_S_DATA-<key figure> not found
  <b>Other terms</b>
  RSR00002, RSR_OLAP_BADI
  <b>Reason and Prerequisites</b>
  This problem is caused by a program error.
  <b>Solution</b>
  If the virtual characteristics or key figures are implemented using the enhancement RSR00002 (CMOD), implement the corrections.
  If the virtual characteristics or key figures were created directly as implementations of the RSR_OLAP_BADI BAdI, compare the source code of the INITIALIZE method with the corresponding source code example. During the call of GET_FIELD_POSITIION_D, <L_S_SK>-VALUE_RETURNNM must be transferred instead of <L_S_SFK>-KYFNM.
  Import Support Package 08 for SAP NetWeaver 2004s BI (BI Patch 08 or SAPKW70008) into your BI system. The Support Package is available when Note 0872280"SAPBINews BI 7.0 Support Package 08", which describes this Support Package in more detail, is released for customers.
  In urgent cases, you can use the correction instructions.
  To provide advance information, the note mentioned above may be available before the Support Package is released. In this case, the short text of the note still contains the words "Preliminary version".
  Assign pts if helpful.

• SSL & generated private key

  I generated a CSR with the certificate servlet. I modified
  config.xml in order to set the right files :
  <SSL Enabled="true" ListenPort="7002" Name="test2" ServerCertificateChainFileName="config/mydomain/cacrt.pem"
  ServerCertificateFileName="config/mydomain/servercert.pem"
  ServerKeyFileName="config/mydomain/serverkey.der"/>
  The serverkey.der is a copy of the file generated by the
  certificate servlet.
  At startup the following error occurs :
  <30 juil. 01 20:23:26 CEST> <Alert> <WebLogicServer> <Security configuration problem
  with certificate file config/mydomain/serverkey.der, java.io.EOFException>
  java.io.EOFException
  at weblogic.security.Utils.inputByte(Utils.java:133)
  at weblogic.security.ASN1.ASN1Header.inputTag ASN1Header.java:125)
  at weblogic.security.ASN1.ASN1Header.input(ASN1Header.java:119)
  at weblogic.security.RSAPrivateKey.input(RSAPrivateKey.java:119)
  at weblogic.security.RSAPrivateKey.<init>(RSAPrivateKey.java:91)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:397)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:300)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1028)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:475)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:197)
  at weblogic.Server.main(Server.java:35)
  More over the conversion of the serverkey.der in serverkey.pem
  with openssl gives the following error :
  openssl rsa -in serverkey.der -outform PEM -out serverkey.pem
  read RSA key
  unable to load key
  1276:error:0906D06C:PEM routines:PEM_read_bio:no start line:./crypto/pem/pem_lib
  .c:662:Expecting: ANY PRIVATE KEY
  and reading the file by the default W2K reader gives an error too.
  Need help !

  Agree with S Guna, the ISP/Certificate Authority won't generate the private key, the request from your Lync server does.  So the private key is already sitting on your Lync 2010 Server.  Once you import the certificate generated by the certificate
  authority, the private key and certificate should be paired and can be assigned to Lync.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Having multiple CAs share the same private key

  We are developing a system which implements an HA cluster across two separate geographical locations.
  Each site will have several Windows Server 2012 machines and at least one DC, and we basically have to do a master-master replication between the two sites.
  The entire system will be under a single domain.
  We will be deploying AD CS since some of our sub-systems need certificates,
  but we want to limit the variety certificate to just one (i.e. we want all CAs to issue identical certificates).
  To do that, we have to setup AD CS so that all the DCs (both intra-site and inter-site) share the same private key.
  Is it possible to have all DCs in a domain to share a single private key?
  This article on TechNet suggests that we can do it within a cluster,
  https://technet.microsoft.com/en-us/library/cc742450%28v=ws.10%29.aspx
  but we are not sure if we can do it across different sites.
  Any advice and comments are highly appreciated.
  Wanko

  Hi Wanko,
  Its not much clear what you mean by "DCs to have single private key".
  However as per the article it indicates that you can use the same (SAN) certificate on both servers (nodes) of the cluster, the certificate SN will be the common clustername.
  This is common when you are using clustering or load-balanced system which requires you to have a common name, but individual nodes.
  Basically if you want to use single private key for the HA nodes, use the same certificate across all the nodes, that would be generated on the first node(generally). You don't need to issue identical certificates(this will not work as per my understanding)
  CA First Node: Export the Cert
  On the Welcome page of the CA Backup Wizard, click Next. Select
  Private key and CA certificate, and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click
  Next.
  Provide a password to protect the CA key, click Next, and then click
  Finish.
  CA Second Node: Import the Cert
  Open the Certificates snap-in for the computer account.
  In the console tree, double-click Certificates (Local Computer), and click
  Personal.
  On the Action menu, click All Tasks, and then click
  Import to open the Certificate Import Wizard. Click Next.
  Enter the file name of the CA certificate that was previously created on the first node, and click
  Next. If you click Browse to find the certificate, change the file type to
  Personal Information Exchange (*.pfx,*.p12).
  Type the password that you have previously used to protect the private key. The password is required even if there is no private key in the .pfx file. Do not mark this key as exportable. Click
  Next.
  Place the certificate in the Personal certificate store, and click
  Next. To complete the certificate import process, click
  Finish, and then click OK.
  Secondly I don't get what do you mean by: "we basically have to do a master-master replication between the two sites."
  Please note a Cluster can only run a single instance of Certificate Services. A failover cluster of any size can be used to provide a high availability environment for certificate services. However, Microsoft does not support more than one instance
  of certificate services on a cluster.
  References:
  Overview of CA Clustering-2003
  Active Directory Certificate Services (AD CS) Clustering - Requirements-2012
  Regards,
  Satyajit
  Please“Vote As Helpful”
  if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• Security.Cryptography - The specified path is invalid. while accessing the private key stored in LocalMachine store

  Hello,
  I have C# dll which is invoked through a C++ cgi executable which is deployed on apache 2.2. I am getting the following error when I am trying to access the private key of a certificate which is stored in the Localmachine store. It works fine while
  debugging in visual studio.
  It also works fine when I try to access the same certificate from the current user store through apache.
  I have tried running apache as "SYSTEM", even then I get the same error.
  I have followed the right process to import the certificate into the localmachine store through mmc. 
  Error Message:
  The specified path is invalid.
   caused by mscorlib
     at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
     at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
     at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
     at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
     at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
     at SamlImplLib.SamlImpl.GetSamlResponse(String sInParamXml, String sInAttrXml)
  The above error is not really helpful as it doesnt tell me which path is invalid as I am not passing any path in my code. I am just accessing the certificate through the X509Certificate2 store
  Thanks in advance

  Hi,
  This is probably because the worker process identity does not have read permission to the machine key store.
  And I agree with you. "The specified path is invalid" is a typical misleading message.
  You may need to clarify the difference between "SYSTEM- User" and "Current-user "through apache. Good Luck!
  Best regards,
  Kristin
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Cannot export private key: "key not valid for use in specified state"

  Hi,
  This is a bit of a long story but I hope someone can give us some guidance.
  We use authentication certificates issued from our own Enterprise CA to control user and machine authentication via RADIUS/NPS for our wireless network.  Certificates are deployed via group policy/autoenrollment. In general this works well but
  we have an intermittent problem where user authentication stops working for a user who was fine before. The user certificate looks OK via Certmgr (shows as valid, shows that there is a private key associated with the certificate).  The NPS server
  logs show that the machine has been authenticated and granted access, but the user in this situation doesn't show up in the server logs at all. 
  The only solution in this case is to connect to the wired network and request a new certificate for the user (either via certmgr or just by deleting the duff cert and logging off/on again to get the cert via autoenrollment).
  The interesting thing is that while a "working" certificate can be exported with no problem, a duff certificate cannot be exported with its private key, giving the error "key not valid for use in specified state". (Obviously the certificates
  come from the same template, and the key is not marked unexportable).  The key files are present in %userprofile%\Appdata\Roaming\Microsoft\Crypto\RSA and the user permissions on these files look correct.
  After much searching of the forums I tried running certutil-repairstore on the duff certificate and that also returned the same error.  I also tried an undocumented switch Certutil -user -key -v and again, got a very similar error "Loadkeys returned
  key not valid for use in specified state. 0x8009000b (-2146893813)".
  I'm assuming that the fact that the key is unexportable/corrupt is also the reason why the certificate can no longer be used for authentication.
  Does anyone have any clues as to what might be causing this, and/or if a certificate with a key in this state can be repaired?
  Thanks!

  I can just share an experience I once had that was somewhat similar:
  In this case certificates could sometimes not be enrolled and the CSP came up with a related error message.
  The root was the software / driver (?) for a hardware dongle required to run some software. This "driver" added a registry key to the list of CSPs (under these HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider - but I have seen this with
  XP, so the exact location might be different now).
  This fake CSP entry that had quite a weird name effectively broke other CSPs. After removing the access to / generation of keys worked fine.
  So it would be interesting to know if you run some software that is "close to CSPs or cryptography".
  Elke

• Public/private keys

  How to create a private/public keys?
  Fred

  Hi Fred,
  Following are the steps required are to create a Public/Private Keys:
  1. Load the security provider (if not configured in $JAVAHOME/jre/lib/security/java.security)
  2. Obtain a handle to a secure random number generator.
  3. Obtain a handle to KeyPairGenerator for a specific public key algorithm.
  4. Generate the public/private key pair
  5. Extract the public and private keys
  The following example shows how to generate public and private keys using the KeyPairGenerator and KeyPair interfaces using JCSI's security provider.
  import java.security.*;
  // Load JCSI's JCA security provider
  Security.addProvider(new com.dstc.security.provider.DSTC());
  // Seed random number generator using the default seeding
  // "SHA1PRNG" = SHA1 Pseudo-random number generator
  SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
  // Initialise KeyPairGenerator to create 1024-bit RSA keys.
  // PK Algorithm = "RSA", Security Provider = "DSTC" (Wedgetail)
  KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "DSTC");
  keyGen.initialize(1024, random);
  // Generate RSA pulic/private key pair
  KeyPair keyPair = keyGen.genKeyPair();
  // Extract public and private keys
  PrivateKey privKey = keyPair.getPrivate();
  PublicKey pubKey = keyPair.getPublic();
  Hope this will help you.
  Regards,
  Anil.
  Techncial Support Engineer.