Security.Cryptography - The specified path is invalid. while accessing the private key stored in LocalMachine store

Similar Messages

• Err: The private key material is not exportable outside of the HSM

  Hi,
  I am working on weblogic 8.1 with sp4, Using keytool generated certificates with HardwareSecurityModule (HSM) and enabled ssl in weblogic admin console.
  Now while starting the server following error is displayed
  <Oct 4, 2005 3:18:44 PM GMT+05:30> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
  <Oct 4, 2005 3:18:44 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000327> <Starting WebLogic Admin Server "ncss" for domain "ncqa">
  <Oct 4, 2005 3:18:49 PM GMT+05:30> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias srinualias from the nCipher.SWorld keystore file E:\bea\user_projects\domains\ncqa\srinu.>
  <Oct 4, 2005 3:18:51 PM GMT+05:30> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias srinualias from the nCipher.SWorldkeystore file E:\bea\user_projects\domains\ncqa\srinu.>
  com.ncipher.provider.nCSecurityException: The private key material is not exportable outside of the HSM
  at com.ncipher.provider.km.KMDSAKey.getParams(KMDSAKey.java:59)
  at com.certicom.tls.interfaceimpl.CertificateSupport.CheckIfKeyMatch(Unknown Source)
  at com.bea.sslplus.CerticomSSLContext.doKeysMatch(Unknown Source)
  at weblogic.security.utils.SSLContextWrapper.doKeysMatch(SSLContextWrapper.java:93)
  at weblogic.t3.srvr.SSLListenThread.checkIdentity(SSLListenThread.java:323)
  at weblogic.t3.srvr.SSLListenThread.initSSLContext(SSLListenThread.java:169)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:140)
  at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:126)
  at weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:1637)
  at weblogic.t3.srvr.T3Srvr.resume(T3Srvr.java:1009)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:361)
  at weblogic.Server.main(Server.java:32)
  <Oct 4, 2005 3:18:52 PM GMT+05:30> <Warning> <Security> <BEA-090552> <The public and private key could not be checked for consistency.>
  <Oct 4, 2005 3:18:52 PM GMT+05:30> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the nCipher.SWorld keystore file E:\bea\user_projects\domains\ncqa\srinu.>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000331> <Started WebLogic Admin Server "ncss" for domain "ncqa" running in Development Mode>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "SSLListenThread.Default" listening on port 7002, ip address *.*>
  <Oct 4, 2005 3:18:53 PM GMT+05:30> <Notice> <WebLogicServer> <BEA-000355> <Thread "ListenThread.Default" listening on port 7001, ip address *.*>
  Please let me know if any clues.
  thanks
  Ceenu

  This is just a warning to let you know that the server was not able to verify whether the private key matches your public key, because it could not get the key from HSM. This is normal. SSL should still work.
  Pavel.

• Ugh: Error [0x800700a1] The specified path is invalid.

  I'm having the following problem. 
  Our backups are failing with the following error:
  In the backup logs, I find:
  Error in backup of D:\ during write: Error [0x800700a1] The specified path is invalid.
  Error in backup of D:\Perforce\ during write: Error [0x800700a1] The specified path is invalid.
  Error in backup of D:\Perforce\Database\ during write: Error [0x800700a1] The specified path is invalid.
  Error in backup of D:\Perforce\Database\p4s.exe during write: Error [0x800700a1] The specified path is invalid.
  In the event viewer, I find:
  The backup operation that started at '?2010?-?05?-?24T21:51:56.331072200Z' has failed with following error code '2155347997' (The operation ended before completion.). Please review the event details for a solution, and then rerun
  the backup operation once the issue is resolved.
  And on the command line, wbadmin returns:
  Found (41) files.
  The backup operation stopped before completing.
  Summary of the backup operation:
  The backup operation stopped before completing.
  Detailed error: Element not found.
  The backup of the system state failed [5/24/2010 5:23 PM].
  Log of files successfully backed up:
  C:\Windows\Logs\WindowsServerBackup\Backup-24-05-2010_14-51-56.log
  Log of files for which backup failed:
  C:\Windows\Logs\WindowsServerBackup\Backup_Error-24-05-2010_14-51-56.log
  The operation ended before completion.
  Element not found.
  ERROR(-3): Backup failed!
  This is very frustrating. 
  The more I use Windows built-in backup the more fragile it seems to be. 
  The D drive is a local drive and the path is valid. 
  Running check disk finds no problems.  The drive is mostly empty. 
  I tried with and without the anti-virus software, same problem. 
   There are no other server errors to indicate a problem with the drive or the path. 
  I ran vssadmin list writers, and none of them returned any errors. 
   Why would the backup return an invalid path error, for a path that is valid? 
  Any help would be greatly appreciated.
  Thanks much,
  James.

  Hi Sriram,
  Thanks for getting back to me!
  I'll try to mail them to you before the end of the week.
  A quick question:
   if the backup failed to find and copy a single file or directory (for whatever reason), why does it abort the whole process? 
  The file in question was not critical, so having it missing from the backup would only have been a minor inconvenience. 
  Obviously, you want to log such an event very clearly, but it does not make sense to me for it to kill the whole process... 
  Will this be improved in future versions?  I have to admit, I've not seen much backup software stop because of such a trivial error, except maybe "copy" from the command prompt.
  I think the built-in Window Server 2008 R2 backup software is very promising, and overall, I like it better than the old NT Backup crud. 
  However, from my limited use, it still seems rough around the edges; too many glitches and problems, something you don't want to see from your backup software.
  Thanks much,
  James. 

• Out-of-range security question: Export a certificate with the private key

  Hi Forumers'
  As above title mention, if we doing PKI, we sure will get invovle with Certificate.
  The moment i doing WLC and ACS express appliance, where the appliances is not coming with generate CSR feature...So we use openSSL for it.
  To clear my curiousity, Why we need to export the certifiate wit the private key? Itsn't the private key cannot publish to the public ??
  Thanks
  Noel

  Because both appliances are acting as a server, and you would need to have the private key on the server. However, you don't give the private key to all the clients for sure as you mentioned you only need to provide public key to the client, not the private key. Private key should only be kept on the server, and in this case both appliances are the server.

• 'Error while signing data-Private key or certificate of signer not availabl

  Hello All,
  In my message mapping I need to call a web service to which I need to send a field value consist of SIGNED DATA.
  I am using SAP SSF API to read the certificate stored in NWA and Signing the Data as explained in
  http://help.sap.com/saphelp_nw04/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm,
  when I have tested using Test tab of message mapping  it is working fine and I am able to access the certificate Keystore of NWA(we have created a keystore view and keystore entry to store the certificate) and generate the signed data ,but when I test end to end scenario from ECC system,it is getting failed in mapping with the error
  ' Error while signing data - Private key or certificate of signer not availableu2019.
  Appreciate your expert help to resolve this issue urgently please.
  Regards,
  Shivkumar

  Hi Shivkuar,
  Could you please let me know how you were trying to achieve the XML signature.
  We have a requirement where we have to sign the XML document and need to generate the target document as following structure.
  <Signature>
       <SignedInfo>
           <CanonicalizationMethod />
           <SignatureMethod />
           <Reference>
                   <Transforms>
                   <DigestMethod>
                   <DigestValue>
           </Reference>
      <Reference /> etc.
    </SignedInfo>
    <SignatureValue />
    <KeyInfo />
    <Object>ACTUAL PAYLOAD</Object>
  </Signature>
  I am analyzing the possibility of using the approach that is given in the help sap link that you have posted above. Any inputs will be apprecited.
  Thanks and Regards,
  Sami.

• Error while signing data-Private key or certificate of signer not available

  Hello All,
  I am new to PI.  I am currently stuck with an issue. The scenario is as explained below.
  We need to check for the service availability before processing the data. So, we test for the RFC connection first from the ECC system. During this process, we access the digital certificate stored in the PI system so that it can be validated and allowed to consume this intended service.
  Error :
  When we trigger the RFC test from the  ECC system, we get an error stating ' Error while signing data -  Private key or certificate of signer not available '. But when we test the same functionality within PI system(Locally), we does not encounter any such error. The certificate is maintained and it appears fine.
  The communication channels are stored with logon credentials.
  Can anyone please help me with this error or provide your valuable inputs. Thanks in advance.
  Regards,
  Shivkumar

  Hello,
  When we trigger the RFC test from the ECC system, we get an error stating ' Error while signing data - Private key or certificate of signer not available '.
  This should be normal behavior since the certificates are not installed in ECC SSL folders of Strust. Why not just install the certificates in the ECC system, perform an ICM restart and do a retest? After all, the certificates would both be the same in PI and ECC.
  Hope this helps,
  Mark

• Problems with the private key at email signing

  Error when running the app: org.bouncycastle.cms.CMSStreamException: Inappropriate key for signature.
  I'm trying to sign an email with a smart card using Java, mime type multipart / signed, when I do a debug the code without saving the
  message or without sending, there is no error or warning, or exception. But when I save or send the message out, I'm getting errors,
  inappropriate key .
  When I save the message:
  body.writeTo(new FileOutputStream("signed.message"));
  Whe I send the message:
  Transport.send(body);
  The error:
  Exception in thread "main" org.bouncycastle.cms.CMSStreamException: key inappropriate for signature.
  at org.bouncycastle.cms.CMSSignedDataStreamGenerator$CmsSignedDataOutputStream.close(Unknown Source)
  at org.bouncycastle.mail.smime.SMIMESignedGenerator$ContentSigner.write(Unknown Source)
  at org.bouncycastle.mail.smime.handlers.PKCS7ContentHandler.writeTo(Unknown Source)
  at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:869)
  at javax.activation.DataHandler.writeTo(DataHandler.java:302)
  at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1383)
  at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:852)
  at org.bouncycastle.mail.smime.handlers.multipart_signed.outputBodyPart(Unknown Source)
  at org.bouncycastle.mail.smime.handlers.multipart_signed.outputBodyPart(Unknown Source)
  at org.bouncycastle.mail.smime.handlers.multipart_signed.writeTo(Unknown Source)
  at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:869)
  at javax.activation.DataHandler.writeTo(DataHandler.java:302)
  at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1383)
  at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1743)
  at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1719)
  at javaemail.SignedMultipartEmailTest.main(SignedMultipartEmailTest.java:537)
  Caused by: java.security.InvalidKeyException: Supplied key (sun.security.mscapi.RSAPrivateKey) is not a RSAPrivateKey instance
  at org.bouncycastle.jce.provider.JDKDigestSignature.engineInitSign(Unknown Source)
  at java.security.SignatureSpi.engineInitSign(SignatureSpi.java:86)
  at java.security.Signature$Delegate.engineInitSign(Signature.java:1104)
  at java.security.Signature.initSign(Signature.java:498)
  at org.bouncycastle.cms.CMSSignedDataStreamGenerator$SignerInf.toSignerInfo(Unknown Source)
  ... 16 more
  Java Result: 1
  BUILD SUCCESSFUL
  In the code:
  PrivateKey key = (PrivateKey)keyStore.getKey(aliasNm, null);
  gen.addSigner(key, signCert, SMIMESignedGenerator.DIGEST_SHA1, new AttributeTable(signedAttrs), null);
  where key is the private key of the alias from signature certificate at smart card of type RSAPrivateKey type, according to the debugger
  but according to the javadoc returns Type Key but is forced to type PrivateKey which extends to the other.
  This line is like a example which I'm using, is a bouncy castle example, but with generated certificates, I changed to use certificates
  from smarct card.
  signCert is the certificate associated with key , certificate of SIGNATURE from smartcard.
  At the debugger:
  In the method keyStore.getKey() I'm using null instead of char[] password because is using the windows certificate store which store the
  certificates at the smart card and is getting the PIN with PIN dialogue, and is loading the keystore perfectly and I'm getting the
  certificates from smart card.
  I tried to use:
  PrivateKey key = (PrivateKey)keyStore.getKey(aliasNm, PIN_FROM_SMARTCARD);
  And I'm getting the same value when I use null.
  The value at the debugger is:
  (java.security.PrivateKey) (sun.security.mscapi.RSAPrivateKey) RSAPrivateKey [size=2048 bits, type=Signature,
  container=hexadecimal_number](the same hexadecimal number in both cases)
  Obviously we can see in the error:
  Caused by: java.security.InvalidKeyException: Supplied key (sun.security.mscapi.RSAPrivateKey) is not a RSAPrivateKey instance
  And we can see too:
  RSAPrivateKey de 2048 bits
  at the debugger, in the key value.
  I can't understand why I'm getting the error only when the message is saved, or sended.
  If the key was inappropriate I would receive an error, or an exception when I'm not sending or saving the message.
  These are one, of the last lines of the code that I'm hidding with //
  When I save the message:
  //body.writeTo(new FileOutputStream("signed.message"));
  Whe I send the message:
  //Transport.send(body);
  If I uncomment one of these lines, I'm receiving the errors, previously written above
  Any suggestion?
  Than you
  Regards

  Try to reset the device by pressing hold of the home and power button for 15-20 seconds and letting of when the Apple logo appears.

• How to decrypt data when you can't get the private key in Windows?

  I'm very confuse. My english is poor, but I try to say my question clearly.
  When browser connects to a https website which needs client certificate to authenticate the identity, the browser will send client certificate to web server.
  Then the web server will use the certificate to encrypt some data and send it to browser.
  Then broswer should have private key to decrypt that.
  But as I know, if I install a pfx format personal certificate, I can set can't export private key, which means you can't get the private key to use it. So how can
  the browser decrypt the data without private key?
  By the way, what is CSP, use CSP's interface can we use CryptoAPI
  to decrypt data without private key?

  Answer for question is  "you cant".. 
  "How to decrypt data when you can't get the private key in Windows?"
  Read more 
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa387460(v=vs.85).aspx
  http://msdn.microsoft.com/en-us/library/windows/desktop/bb427432(v=vs.85).aspx
  http://technet.microsoft.com/en-us/library/dd277320.aspx
  http://en.wikipedia.org/wiki/Public-key_cryptography

• Is there any way to find whether the private key is capable of 40 bits encr

  Is there any way to find whether the private key is capable of 40 bits encrypted or 128 bits encrypted.

  kanth_kanth wrote:
  Is there any way to find whether the private key is capable of 40 bits encrypted or 128 bits encrypted.Assuming an RSA private key, to get the number of bits extract the length of the 'modulus' in bytes and multiply by 8. How you extract the modulus depends on what format the private key has been stored in.

• Behaviour of checking Allow administrator interaction when the private key is accessed by the CA ?

  Setting up a new standalone root CA what is impact of selecting 'Allow administrator interaction when the private key is accessed by the CA' ?  not sure yet if we will be using a HSM module (which I know is a valid reason for selecting).  I don't
  want to limit our future options by not selecting this.  Is there any impact to selecting this if we end up not using CSP / HSM ?  and can the value be changed easily once the Root CA is installed ?

  This checkbox enables private key strong protection. This means that you will have to enter administrator password or confirm action each time private key is used. It will be used each time when new certificate/crl is issued. And when service starts. If
  you are using HSM, you should consult with HSM documentation to determine whether your HSM requires this setting. As you don't use HSM by now, then you should not enable this checkbox, because you won't see any prompt dialog on server core.
  My weblog: http://en-us.sysadmins.lv
  PowerShell PKI Module: http://pspki.codeplex.com
  Check out new:
  PowerShell FCIV tool.

• Can't Export a Certificate with the Private Key

  I have downloaded a
  Symantec Enterprise Mobile Code Signing Certificate from email link. And the certificate was installed with no errors. Now
  when I'm going to export the certificate it will NOT allow me to export with private key. The option "Yes, export with private key" was grayed out. From MMC, add snap in certificate > local computer > certificate > certificatename. In this
  location "I can see the certificate image with a key on it". Is this mean that the import is successful with private key? If so, how to export correctly? Kindly help please!
  http://i1234.photobucket.com/albums/ff405/i_kiennt/Screenshot2_zpsaf770a8b.png
  http://i1234.photobucket.com/albums/ff405/i_kiennt/Screenshot3_zpsde23204d.png

  Hello MrTrungKien,
  Please share us a screenshot about The option "Yes, export with private key" was grayed out.
  Please take a look at the following article about exporting a Certificate with the Private Key.
  http://technet.microsoft.com/en-us/library/cc754329.aspx
  Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
  It is marked as not exportable so users cannot export this certificate.
  Please contact Symantec to confirm if the key is exportable.
  Best regards,
  Fangzhou CHEN
  Fangzhou CHEN
  TechNet Community Support

• Is there any way to get rid of the private feature? Or to store history while using that feature?

  I would like to be able to get rid of the private feature. It is too hard to manage kids browsing and this makes it all the more difficult. I would like to be able to get rid of this feature all together or at least be able to store the history while this feature is open. There should be some way to see the history.

  Sorry, the Mozilla developers didn't include a switch to turn Private Browsing off. Any hack that I have seen posted would affect the main security file and possibly cause a security risk (advice provided by a Mozilla developer). There is a Bug filed to disable Firefox's Private Browsing mode when Windows Vista and Win 7 Parental Controls are enabled. I made a comment in that Bug in Oct 2009 and provided a list of threads (in Dec 2009) from this support forum that discussed the requests from parents for either a switch to turn the feature off or compatibility with Windows Parental Control, The final result of that effort was a comment about the (small - "two per week") number of threads where this topic was discussed. There haven't been any comments or any progress made since last April toward fixing that Bug. ''Please note that not every Bug is a fault with Firefox, a good number of Bugs are requests for enhancement of existing features or for adding new features.'' <br />
  https://bugzilla.mozilla.org/show_bug.cgi?id=471658 <br />
  https://bugzilla.mozilla.org/show_bug.cgi?id=471658#c36
  IMO, don't let the kids use Firefox due to this Bug. Or install a good external Parental Control program that records browsing history, as the one that comes with Windows doesn't do as much in Firefox as it does in IE, because of this Bug <br />
  https://support.mozilla.com/en-US/kb/Parental+controls.

• Specified cast is invalid while doing gre restore within sharepoint

  Hallo,
  When we try to do a GRE restore from our sharepoint environment, we receive the error Specified cast is not valid.
  We are using hp dp 9.0 build 100, sharepoint 2013 v 15.0.4569.1506.
  Cell mgr: windows 2008 r2 ent (6.1 build 7601 sp1)
  SP Sql srv : W2012R2 (6.3 build 9600) – SQL 2012
  SP applic : W2012R2 (6.3 build 9600)
  The problem occurs in a newly created environment, with any random component we try to restore.
  I don’t know where to look further. It seems an sql issue, but the gre is started from within the sharepoint environment.
  As backup software we use hp dataprotector. When I google it seams an sql related error, but no idea what to adjust or change or... If I execute the restore as the sp_farm user or my
  own user (I’m farm admin, local admin on the servers and backup admin in dataprotector) I receive the same error message.
  A sql backup and restore works fine. Can anyone point me to the right direction? or someone who had the same issue?
  Thanks a lot for your help.

  Anyone?

• Client Security - Delete the preowners key?

  Hi together!
  I've just bought a used X41t. Because of several damages on the casing I changed PC and changed then the HDDs back. Now the CSS want me to give in the Administrator-password. I entered mine, I am logged in as "Administrator" - access denied. It's annoying that i can't use the fingerprint-coupled password manager. Is there a possibility to reset the security-chip? Can a Lenovo service point do that?
  Thanks a lot for usable hints.

  welcome to the forum!
  per our community participation rules, we do not allow the discussion of passwords or password subversion methods.
  No solicitation for, nor exchange of information that will aid or enable unethical, illegal or immoral activities.
  For example, no posts concerning exchange of passwords, credit or banking information, warranty entitlement information for purpose of re-entitling out of warranty products. No posts shall include instructions or directions intended to subvert security measures, including passwords, locking mechanisms, fingerprint scans, etc, nor shall any posts provide descriptions to the location of, nor direct links to content related to these topics.
  thanks for understanding.
  thread locked.
  ThinkStation C20
  ThinkPad X1C · X220 · X60T · s30 · 600

• [Security:090809]The key pair could not be retrieved

  Hi All,
  I have created the key pair successfully and then exported them to file and then imported to DemoTrust.jks also by those commands:
  keytool -genkeypair -alias wlpkey -keypass password -keyalg rsa -keysize 1024 -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"
  keytool -exportcert -alias wlpkey -keypass password -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -file wckey.der
  keytool -importcert -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase -file wckey.der -alias wlpkey -keypass password
  I can see that my alias is present in DemoTrust.jks by this command:
  keytool -list -keystore DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
  Now When I want to modify the SAML Security by creating a new Security Credential Mapping in weblogic admin console (Home >Security Realms >myrealm >Credential Mappings>PKI>New), I am getting following exceptions:
  +[Security:090809]The key pair could not be retrieved from the keystore with the supplied alias wlpkey and its password.+
  An error occurred while creating a security credential. Please check the log for more details.
  Can anyone point out anything to overcome this error?
  I am using WLP 10.3.4.
  I have tried this by creating the certificates from WLP_HOME/OFM_HOME and WLP_HOME/wlserver_10.3/server/lib also.
  What else can I try?
  Regards
  Jay
  Edited by: 902059 on Apr 6, 2012 2:14 AM

  The password that you have configured is incorrect and hence the error.
  [Security:090809]The key pair could not be retrieved from the keystore with the supplied alias wlpkey and its password.
  An error occurred while creating a security credential. Please check the log for more details.You need to give the password of the private key (that you have used while creating the key pair) in the PKI credential mapping configuration. The one highlighted below:
  keytool -genkeypair -alias wlpkey -keypass password -keyalg rsa -keysize 1024 -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -dname "CN=Oracle Corp, OU=WLP, O=Oracle, L=Boulder, ST=CO, C=US"Thanks,
  Patrick