Federico Boerr’s Blog


Category Archive

The following is a list of all entries from the CardSpace category.

File Access Permissions Error after creating the self issued certificate

After creating a self-issued certificate to serve https (SSL), you may get a “File Access Permissions Error”.

The error occurs because the account running the worker process (usually NETWORK SERVICE) has no “read & execute” rights on the private key file, which is created together with the certificate.

Assign “read & execute” rights on the private key file to this account.

By default, the file is stored in the folder:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\

The last modified file is the private key file you have just created.

Now https should work correctly.
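The same fix as a script, added here as an example and not part of the original post: it resolves the key file from the certificate itself rather than picking the most recently modified file, then grants the worker account Read & Execute on that one file. The subject “CN=your.domain.com” and the account “NT AUTHORITY\NETWORK SERVICE” are assumptions to adjust.

```powershell
# Added example (not from the original post): locate the private key file that
# backs the SSL certificate and grant the worker account Read & Execute on it.
# Assumptions: the certificate was created by makecert into LocalMachine\My with
# a CSP (as in this blog's makecert commands); the subject "CN=your.domain.com"
# and the account "NT AUTHORITY\NETWORK SERVICE" are placeholders to adjust.
# Run from an elevated Windows PowerShell 5.1 prompt.
param(
    [string]$Subject  = 'CN=your.domain.com',
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Subject" }

# Resolve the key file from the certificate instead of guessing by timestamp;
# UniqueKeyContainerName is the file name under MachineKeys for CSP keys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

# Grant Read & Execute on this one file only; the folder ACL stays as it is.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Identity, 'ReadAndExecute', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting entry so the change can be reviewed.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```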


Creating certificates for CardSpace (InfoCard) and SSL

This post will guide you through creating and installing an X.509 certificate for working with CardSpace over https (SSL).

The main reason you would need to create a self-issued certificate is to test your application. Earlier versions of CardSpace required a valid certificate to connect over https (SSL, Secure Sockets Layer). Although CardSpace now supports http communication, it is a good idea to make a full functional test using https, because the production server will need https for security reasons.

The Certificates generated by these commands have been used with IIS 7.0.

Before running these commands, change the value of -n "CN=your.domain.com" in the signed-certificate command to match your own domain.

To run the commands open a “Visual Studio Command Prompt” (“Start” -> “Programs” -> “Microsoft Visual Studio” -> “Visual Studio Tools” -> “Visual Studio Command Prompt”).

[If your OS is Windows Vista and UAC is activated, you will need to open the “Visual Studio Command Prompt” as “Administrator”]

For the root certificate:

makecert -pe -n "CN=Sample Root Authority" -ss root -sr LocalMachine -a sha1 -sky signature -r "SampleRootAuthority.cer"

(-r makes the certificate self-signed, -ss root -sr LocalMachine places it in the Local Computer Trusted Root store, -sky signature creates a signing key, and -pe marks the private key exportable.)

For the signed certificate:

makecert -pe -n "CN=your.domain.com" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Sample Root Authority" -is root -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "SampleSSLCert.cer"

(-in/-is/-ir select the issuing root created above, -eku 1.3.6.1.5.5.7.3.1 adds the Server Authentication usage, -sky exchange creates a key-exchange key, and -sp/-sy select the SChannel provider IIS needs.)

To verify that the certificates have been installed correctly, open the certificate store (see the View the Certificate Store post) and look for the certificates:

“Local Computer” -> “Trusted Root Certification Authorities” -> “Sample Root Authority”

“Local Computer” -> “Personal” -> “your.domain.com”

Finally, try browsing a page on your site using https. If you get “File Access Permissions Error”, check the File Access Permissions Error after creating the self issued certificate post.
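A scripted version of the verification above, added as an example and not part of the original post: it checks both stores, the private key, the Server Authentication EKU, and builds the chain the way SChannel will. It assumes the two makecert commands above were used unchanged, with “CN=your.domain.com” as a placeholder.

```powershell
# Added example (not from the original post): the checks the MMC walk-through does
# by eye, plus a chain build. Assumes "CN=Sample Root Authority" is in
# LocalMachine\Root and the SSL certificate ("CN=your.domain.com" is a placeholder)
# is in LocalMachine\My, as produced by the makecert commands. Windows PowerShell 5.1.
param(
    [string]$Subject  = 'CN=your.domain.com',
    [string]$RootName = 'CN=Sample Root Authority'
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU passed to makecert -eku

$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootName } | Select-Object -First 1
$ssl  = Get-ChildItem Cert:\LocalMachine\My   | Where-Object { $_.Subject -eq $Subject }  | Select-Object -First 1

$checks = [ordered]@{
    'Root in Trusted Root store' = [bool]$root
    'SSL cert in Personal store' = [bool]$ssl
    'SSL cert has private key'   = [bool]($ssl -and $ssl.HasPrivateKey)
    'SSL cert issued by root'    = [bool]($ssl -and $root -and $ssl.Issuer -eq $root.Subject)
}

if ($ssl) {
    # Without the Server Authentication EKU browsers refuse the certificate for SSL.
    $eku  = $ssl.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    $checks['SSL cert has Server Auth EKU'] = $oids -contains $serverAuthOid

    # Build the chain: it must end at a trusted root. The test root publishes no CRL,
    # so revocation checking is switched off for this check only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $checks['Chain builds to trusted root'] = $chain.Build($ssl)
    if (-not $checks['Chain builds to trusted root']) {
        $checks['Chain status'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

foreach ($c in $checks.GetEnumerator()) { '{0,-34} {1}' -f $c.Key, $c.Value }
```

Any False line points at the makecert step that did not take; a failed chain build prints the X509Chain status flags so the cause (for example an untrusted root) is visible.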


View the Certificate Store

To open the “Certificate Store” follow these steps:

1. Run mmc.exe

[Select Continue if Windows asks for confirmation]

2. From the menu, click on File -> Add/Remove Snap-in…; the following window will pop up. [Screenshot: Step 2]

3. Select “Certificates” in the left list

4. Click on “Add >”; the following window will pop up. [Screenshot: Step 4]

5. Select “Computer account”

6. Click on “Next >”; you will see the following screen. [Screenshot: Step 6]

7. With “Local Computer” selected, click on “Finish”

8. Now the “Local Computer Certificate Snap-In” will appear in the “selected snap-ins” list. [Screenshot: Step 8]

9. Click on “OK” to finish. You will see a window similar to the following.

This is the “Certificate Store” window. [Screenshot: Step 9]

Tip:

Save the configuration to skip the steps for opening the “Local Computer Certificate Snap-In”.

From the menu, select File -> “Save as…”

Give it an appropriate name like “Certificate Store.msc”.


Cardspace now supports connections over http

The release of the new .NET Framework 3.5 brings an update for CardSpace that allows connections over http, as Vittorio wrote in his blog. Earlier versions of CardSpace would abort any connection not using SSL.

When CardSpace pops up from an http (insecure) page, it displays a message informing the user that the connection is not secure.

This screen opens for CardSpace without SSL…

Instead of the one for CardSpace with SSL…

This little difference has big implications.


Implications of using CardSpace on an unsecure connection (without SSL)

As Vittorio wrote in his blog, choosing to use CardSpace over insecure http connections has two major consequences:

1 - Data is not encrypted: anyone listening on the wire can read the messages.

2 - The domain is not authenticated by any authority.

He wrote: “So, let me stress this one more time: we are still using asymmetric cryptography here. The UniqueID check is as solid as it is with HTTPS, losing the transport encryption does not affect it.”

The identity for authentication can still be verified because the only one who has the private key for signing the PPID is the user requiring authentication.

The second consequence, however, is the bigger threat. A man-in-the-middle attack becomes possible because no Certificate Authority vouches for the domain the user is connecting to.


MMC 3.0: new UI for Add/Remove Snap-in

New UI for Add/Remove Snap-in

The problem

Yesterday I downloaded MMC 3.0 (Microsoft Management Console) and installed it on a Windows Server 2003 SP1.

After reading David Aiken's quick start labs I was eager to see the new UI for managing snap-ins in action. Disappointment arose when, after clicking on the MMC menu File -> Add/Remove Snap-In…, the old screen (Figure 1) popped up!

Figure 1: Old Add/Remove Snap-In pop-up

Finding the Solution

The first thing I tried was reinstalling MMC 3.0, but I still couldn't get to see the new UI for managing snap-ins. By this time I had figured out that a specific configuration was probably missing. The next step was to search Microsoft's web site for an answer:

“I’ve installed MMC 3.0 and was still seeing the old (Figure 1) pop-up.”

This is the solution I found to the problem (KB907265):

How to enable the new Add/Remove snap-in dialog box:

1. Click Start, click Run, type regedit, and then click OK.

2. In the left pane, locate and then click the following registry subkey:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC

3. On the Edit menu, point to New, and then click Key.

4. Type UseNewUI as the new name, and then press ENTER.

5. On the File menu, click Exit.
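The same KB907265 change from an elevated PowerShell prompt, added here as an example and not part of the original post or the KB article: it checks for elevation, refuses to create a stray key tree if MMC's parent key is missing, creates the empty UseNewUI subkey only when absent, and reports the result. The function name is my own.

```powershell
# Added example (not from the original post): the KB907265 registry change done
# from an elevated PowerShell prompt, idempotently and with a check of the result.
# Assumes MMC 3.0 is installed; the key path is the one given in the KB article.
$mmcKey = 'HKLM:\SOFTWARE\Microsoft\MMC'
$uiKey  = Join-Path $mmcKey 'UseNewUI'

function Enable-MmcNewSnapInUI {
    # Writing under HKLM needs an elevated prompt; fail early with a clear message.
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell prompt.'
    }
    # The parent key exists wherever MMC is installed; do not create a stray tree.
    if (-not (Test-Path $mmcKey)) { throw "MMC registry key not found: $mmcKey" }

    if (Test-Path $uiKey) {
        Write-Verbose "$uiKey already exists; nothing to do."
    } else {
        # An empty subkey named UseNewUI is all the KB article requires.
        New-Item -Path $mmcKey -Name 'UseNewUI' | Out-Null
    }
    return (Test-Path $uiKey)
}

if (Enable-MmcNewSnapInUI) {
    'UseNewUI is present; restart mmc.exe and open File -> Add/Remove Snap-in...'
}
```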

Finally working

When I finished editing the registry I opened the MMC again. Not much seemed to have changed: the main screen looked just the same. Next I tried again to open the UI for managing snap-ins (File -> Add/Remove Snap-In…) and was delighted to see the new UI (Figure 2).