[HELP] Can not select SSL cert (pkey not found)

[Kwagnerapo]

Hello, I set up GMSA and created a service account, then I created a self signed cert (New-SelfSignedCertificate -DnsName test.123.local -CertStoreLocation "cert:\LocalMachine\My", installed the access manager and tried to select the certificate. After clicking "OK" in the dialog I always get this error:

An unhandled error occurred and the application will terminate.
The certificate private key was not found
Do you want to attempt to save the current configuration? ... then it crashes as promised

I will put the stacktrace at the end.

I also set read permissions in the windows internal certificate store to "Everybody" on the certificates pkey, I set a domain admin user as service account of access manager for test purposes, I created different GMSA service account and tried it on a different server...everytime the same error.

Help would be very much appreciated. Thank you!

Stacktrace:
2021-07-19 17:51:54.5076|FATAL|Lithnet.AccessManager.Server.UI.Bootstrapper|An unhandled exception occurred in the user interface Lithnet.AccessManager.CertificateNotFoundException: The certificate private key was not found at Lithnet.AccessManager.Server.X509CertificateExtensions.GetPrivateKeySecurity(X509Certificate2 cert) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Extensions\X509CertificateExtensions.cs:line 21 at Lithnet.AccessManager.Server.CertificatePermissionProvider.AddReadPermission(X509Certificate2 certificate, IdentityReference identity, Action& rollbackAction) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\CertificatePermissionProvider.cs:line 36 at Lithnet.AccessManager.Server.CertificatePermissionProvider.AddReadPermission(X509Certificate2 certificate, IdentityReference identity) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\CertificatePermissionProvider.cs:line 31 at Lithnet.AccessManager.Server.CertificatePermissionProvider.AddReadPermission(X509Certificate2 certificate) in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server\Providers\CertificatePermissionProvider.cs:line 25 at Lithnet.AccessManager.Server.UI.HostingViewModel.ShowSelectCertificateDialog() in D:\dev\git\lithnet\access-manager\src\Lithnet.AccessManager\Lithnet.AccessManager.Server.UI\ViewModels\HostingViewModel.cs:line 618 --- End of stack trace from previous location where exception was thrown --- at Stylet.Xaml.ActionBase.InvokeTargetMethod(Object[] parameters) in /_/Stylet/Xaml/ActionBase.cs:line 201 at Stylet.Xaml.CommandAction.Execute(Object parameter) in /_/Stylet/Xaml/CommandAction.cs:line 164 at MS.Internal.Commands.CommandHelpers.CriticalExecuteCommandSource(ICommandSource commandSource, Boolean userInitiated) at System.Windows.Controls.Primitives.ButtonBase.OnClick() at System.Windows.Controls.Button.OnClick() at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e) at System.Windows.UIElement.OnMouseLeftButtonUpThunk(Object sender, MouseButtonEventArgs e) at System.Windows.Input.MouseButtonEventArgs.InvokeEventHandler(Delegate genericHandler, Object genericTarget) at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target) at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised) at System.Windows.UIElement.ReRaiseEventAs(DependencyObject sender, RoutedEventArgs args, RoutedEvent newEvent) at System.Windows.UIElement.OnMouseUpThunk(Object sender, MouseButtonEventArgs e) at System.Windows.Input.MouseButtonEventArgs.InvokeEventHandler(Delegate genericHandler, Object genericTarget) at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target) at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised) at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args) at System.Windows.UIElement.RaiseTrustedEvent(RoutedEventArgs args) at System.Windows.Input.InputManager.ProcessStagingArea() at System.Windows.Input.InputProviderSite.ReportInput(InputReport inputReport) at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr hwnd, InputMode mode, Int32 timestamp, RawMouseActions actions, Int32 x, Int32 y, Int32 wheel) at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr hwnd, WindowMessage msg, IntPtr wParam, IntPtr lParam, Boolean& handled) at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled) at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled) at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o) at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs) at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)

[ryannewington]

Hi @Kwagnerapo

Could you provide the details of the certificate in question. If you run the following command

Get-ChildItem -path cert:\LocalMachine\My | select *

Can you cut and paste the details of the certificate in question.

Then using the thumbprint value of the certificate in question, run the following command, replacing my thumbprint with your own

(get-item 'Microsoft.PowerShell.Security\Certificate::LocalMachine\My\053846DB68AA775CB6CA325CE6765AA75B570C67').PublicKey.Oid

[Kwagnerapo]

Hello Ryan, thank you very much for your quick reply! Here the details as requested:

PSPath                   : Microsoft.PowerShell.Security\Certificate::LocalMachine\My\A882EACBF979FE5D527C054739DB6470EDBBCECF

PSParentPath             : Microsoft.PowerShell.Security\Certificate::LocalMachine\My

PSChildName              : A882EACBF979FE5D527C054739DB6470EDBBCECF

PSDrive                  : Cert

PSProvider               : Microsoft.PowerShell.Security\Certificate

PSIsContainer            : False

EnhancedKeyUsageList     : {Clientauthentifizierung (1.3.6.1.5.5.7.3.2), Serverauthentifizierung (1.3.6.1.5.5.7.3.1)}

DnsNameList              : {server.domain.ext}

SendAsTrustedIssuer      : False

EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty

EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty

PolicyId                 :

Archived                 : False

Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

FriendlyName             :

IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName

NotAfter                 : 19.07.2022 13:07:28

NotBefore                : 19.07.2021 12:47:28

HasPrivateKey            : True

PrivateKey               :

PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey

RawData                  : {48, 130, 3, 81...}

SerialNumber             : 7025233BD7C710A14DFCD996BD5CDD2B

SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName

SignatureAlgorithm       : System.Security.Cryptography.Oid

Thumbprint               : A882EACBF979FE5D527C054739DB6470EDBBCECF

Version                  : 3

Handle                   : 2687962147952

Issuer                   : CN=server.domain.ext

Subject                  : CN=server.domain.ext

Oid query:

Value 1.2.840.113549.1.1.1 FriendlyName RSA

Best regards

[ryannewington]

sorry one more to run

certutil -v -store my "A882EACBF979FE5D527C054739DB6470EDBBCECF"

[Kwagnerapo]

Here you go (FQDN replaced as before):

X.509-Zertifikat:
Version: 3
Seriennummer: 7025233bd7c710a14dfcd996bd5cdd2b
Signaturalgorithmus:
    Algorithmus Objekt-ID: 1.2.840.113549.1.1.11 sha256RSA
    Algorithmusparameter:
    05 00
Aussteller:
    CN=server.domain.ext
  Namenshash (sha1): 40cbfb9e7e73c44bee6d916188df62d46d8577f6
  Namenshash (md5): 0a29b2af4897f9dfa21c321bf325ee73

 Nicht vor: 19.07.2021 12:47
 Nicht nach: 19.07.2022 13:07

Antragsteller:
    CN=server.domain.ext
  Namenshash (sha1): 40cbfb9e7e73c44bee6d916188df62d46d8577f6
  Namenshash (md5): 0a29b2af4897f9dfa21c321bf325ee73

Öffentlicher Schlüssel-Algorithmus:
    Algorithmus Objekt-ID: 1.2.840.113549.1.1.1 RSA
    Algorithmusparameter:
    05 00
Länge des öffentlichen Schlüssels: 2048 Bits
Öffentlicher Schlüssel: Nicht verwendete Bits = 0
    0000  30 82 01 0a 02 82 01 01  00 99 4d 17 77 1d 23 b9
    0010  de 08 3e 7c 4a 25 50 46  30 02 8d 4e bb 39 a6 e9
    0020  21 5f 3b 35 1f 07 95 b5  06 68 6a f9 bc 58 43 03
    0030  81 b5 19 b2 95 31 fc 43  6e 55 07 11 b7 4d 17 a6
    0040  9b 2e e5 a3 e5 63 15 5b  9f 92 1c b6 a0 f2 3b 93
    0050  e5 bb f6 b9 e5 43 52 9c  15 85 7a 93 98 d8 c4 9b
    0060  ba 3b e3 b4 c0 24 8b ce  3f 26 0c d7 5f 7d 6f 34
    0070  35 a9 e2 ac 38 f8 89 20  f1 8c 02 b8 be ba ed aa
    0080  11 d5 55 e5 b2 41 24 be  8f e4 40 f7 92 95 98 50
    0090  da df 2b 3a 35 c9 69 49  01 54 01 c7 8f 31 9e a0
    00a0  84 35 52 9a e3 23 12 eb  af 84 8a 51 0d 44 71 22
    00b0  89 73 77 24 3b fe 41 0c  22 b2 52 ef cc 5e cf f7
    00c0  0d ab df f6 84 7e 6e f5  c5 fd d8 1b 3f 4d 30 69
    00d0  62 07 96 c2 cd e5 2a c1  fa 32 25 e6 54 2a 02 00
    00e0  34 20 f3 92 3d 04 5c fc  a3 3f 74 72 cb 64 12 aa
    00f0  7b 3d bf 53 2b 85 4f 93  61 c0 47 39 5c 3f 39 38
    0100  ba eb a3 1f 97 d5 31 b3  e1 02 03 01 00 01
Zertifikaterweiterungen: 4
    2.5.29.15: Kennzeichen = 1(Kritisch), Länge = 4
    Schlüsselverwendung
        Digitale Signatur, Schlüsselverschlüsselung (a0)

    2.5.29.37: Kennzeichen = 0, Länge = 16
    Erweiterte Schlüsselverwendung
        Clientauthentifizierung (1.3.6.1.5.5.7.3.2)
        Serverauthentifizierung (1.3.6.1.5.5.7.3.1)

    2.5.29.17: Kennzeichen = 0, Länge = 20
    Alternativer Antragstellername
        DNS-Name=server.domain.ext

    2.5.29.14: Kennzeichen = 0, Länge = 16
    Schlüsselkennung des Antragstellers
        dddfec8c6cf7c7c6d172f085a81abfcf16d5983c

Signaturalgorithmus:
    Algorithmus Objekt-ID: 1.2.840.113549.1.1.11 sha256RSA
    Algorithmusparameter:
    05 00
Signatur: Nicht verwendete Bits=0
    0000  87 79 17 1f 2e 2f 16 34  1b 32 7e 7e 2c 62 50 cb
    0010  47 e1 5b b8 55 4e ee f2  57 1f 12 72 a9 c7 7a 05
    0020  39 5e 0b c3 18 9c 84 ab  7a da 9f 8c b2 c5 41 9d
    0030  1e 3b 9e 17 85 b5 00 36  48 e5 81 3b 0d 81 03 c6
    0040  e9 4d c9 af eb 04 96 5d  0f 1a a9 a0 85 08 fd 9c
    0050  75 e7 50 28 9d ae 95 bd  fa 20 6d 7a 85 46 0e 95
    0060  31 75 c1 31 39 5e 79 f2  f7 da 46 ab 0b c5 4e 70
    0070  91 09 88 52 26 b3 76 fb  f1 ea 59 02 d5 1f 67 ad
    0080  c7 d0 19 64 72 f3 2f b4  83 13 58 08 7c 19 c8 1e
    0090  72 30 ec 56 70 19 49 c5  9b e8 33 94 60 10 ea 1e
    00a0  b2 7f bd 59 d3 b1 eb ad  36 5f 02 68 d4 67 bb 04
    00b0  07 97 33 81 eb 35 78 ac  a4 f4 97 5e c7 17 1e 41
    00c0  2e 7d 21 42 b5 6b 4c b8  ab 4e bc a5 9a 78 88 4f
    00d0  cb 36 d9 6a f6 e9 7e 77  b0 57 7c 6d 27 ad 37 b0
    00e0  63 9e f1 3d bd 35 b2 57  bc 2d 71 e9 bd 79 a6 68
    00f0  d5 f4 8e 0f 5b 96 72 a3  1e 96 63 89 28 3c f2 12
Signatur stimmt mit dem öffentlichen Schlüssel überein.
Stammzertifikat: Antragsteller stimmt mit Aussteller überein
Schlüssel-ID-Hash(rfc-sha1): dddfec8c6cf7c7c6d172f085a81abfcf16d5983c
Schlüssel-ID-Hash(sha1): be6bbd89f8ea16f126b75c2f75ad92b555ad6fe6
Schlüssel-ID-Hash(bcrypt-sha1): 171330ecc06d69d1950068712b5246a44010f771
Schlüssel-ID-Hash(bcrypt-sha256): 1651d16598283c40c01db324dc86fe984a03dcba1763ce2f8168b0e9a84a5ead
Schlüssel-ID-Hash(md5): 0296f5c544f2e9e961406f31ca8d08e1
Schlüssel-ID-Hash(sha256): 1c49d69a2ecd2cd83cf6e69ad3f2b61d4501612220ab4d920536b39377cdbbde
Schlüssel-ID-Hash(pin-sha256): UOE1weOPp68RhPH3KJljV4uNxCUlTuRNNxxjNcp5nsc=
Schlüssel-ID-Hash(pin-sha256-hex): 50e135c1e38fa7af1184f1f7289963578b8dc425254ee44d371c6335ca799ec7
Zertifikathash(md5): 0384e0ff56782ed14bbf7f79c7305f50
Zertifikathash(sha1): a882eacbf979fe5d527c054739db6470edbbcecf
Zertifikathash(sha256): 18cc45306a80d9e4acbb57f317f0a6ff54302dfe79b0ebeedab688fb12d2cc36
Signaturhash: d292ed886d7238016f9f0dd4012400eb079bad20bde426cc08ac53eb62ebd94b

  CERT_REQUEST_ORIGINATOR_PROP_ID(71):
    server.domain.ext

  CERT_KEY_PROV_INFO_PROP_ID(2):
    Schlüsselcontainer = te-f76ac30b-6b31-4a5b-908b-7fc13805520d
  Eindeutiger Containername: 834c1ee2c3102b4857266aff31217cdc_08362898-ea60-4152-aba7-8972405a699f
    Anbieter = Microsoft Software Key Storage Provider
    Anbietertyp = 0
  Kennzeichen = 20 (32)
    CRYPT_MACHINE_KEYSET -- 20 (32)
    Schlüsselspez. = 0 -- XCN_AT_NONE

  CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID(92):
    0x00000800 (2048)

  CERT_SHA1_HASH_PROP_ID(3):
    a882eacbf979fe5d527c054739db6470edbbcecf

  CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID(25):
    0296f5c544f2e9e961406f31ca8d08e1

  CERT_KEY_IDENTIFIER_PROP_ID(20):
    dddfec8c6cf7c7c6d172f085a81abfcf16d5983c

  CERT_SIGNATURE_HASH_PROP_ID(15) disallowedHash:
 d292ed886d7238016f9f0dd4012400eb079bad20bde426cc08ac53eb62ebd94b

  CERT_MD5_HASH_PROP_ID(4):
    0384e0ff56782ed14bbf7f79c7305f50

  CERT_ACCESS_STATE_PROP_ID(14):
  AccessState = 6
    CERT_ACCESS_STATE_SYSTEM_STORE_FLAG -- 2
    CERT_ACCESS_STATE_LM_SYSTEM_STORE_FLAG -- 4

  Anbieter = Microsoft Software Key Storage Provider
  Anbietertyp = 0
  Eindeutiger Containername: 834c1ee2c3102b4857266aff31217cdc_08362898-ea60-4152-aba7-8972405a699f
  AD(AT_NONE): 1633d2f878d41a9ec3ae1f5aaef48c6dea5d4f87
  AD(AT_KEYEXCHANGE): 81ceb7386b0c9efea2c1a8554db729c63b7b0bd3
  AD(AT_SIGNATURE): aa3d2364b669d1cd033b73a4eaae4a76f2892c4c
  RSA
  UI Policy = 0
    Version: 0
  Export Policy = 1
    NCRYPT_ALLOW_EXPORT_FLAG -- 1
  Name: te-f76ac30b-6b31-4a5b-908b-7fc13805520d
  Algorithm Group: RSA
  Algorithm Name: RSA
  Length: 2048 (0x800)
  Lengths:
    dwMinLength = 512 (0x200)
    dwMaxLength = 16384 (0x4000)
    dwIncrement = 8 (0x8)
    dwDefaultLength = 1024 (0x400)
  Block Length: 256 (0x100)
  UI Policy:
    dwVersion = 1 (0x1)
    dwFlags = 0 (0x0)
    pszCreationTitle = (null)
    pszFriendlyName = (null)
    pszDescription = (null)
  Export Policy: 1 (0x1)
    NCRYPT_ALLOW_EXPORT_FLAG -- 1

  HWND Handle:Binary:
0000    10 00 01 00 00 00 00 00                            ........
  Key Usage: 3 (0x3)
    NCRYPT_ALLOW_DECRYPT_FLAG -- 1
    NCRYPT_ALLOW_SIGNING_FLAG -- 2

  Security Descr: D:P(A;;0xd01f01ff;;;CO)(A;;0xd01f01ff;;;S-1-5-21-1503560103-883850456-3842169011-3220)(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)
  Modified: 20.07.2021 10:26
  Virtual Iso: 0 (0x0)
  Per Boot Key: 0 (0x0)
  Key Usage = 3
    NCRYPT_ALLOW_DECRYPT_FLAG -- 1
    NCRYPT_ALLOW_SIGNING_FLAG -- 2

  D:P(A;;0xd01f01ff;;;CO)(A;;0xd01f01ff;;;S-1-5-21-1503560103-883850456-3842169011-3220)(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)

    Zulassen Schreiben  ERSTELLER-BESITZER
    Zulassen Schreiben  DOMAIN\svc-lithnetams$
    Zulassen Schreiben  NT-AUTORITÄT\SYSTEM
    Zulassen Schreiben  VORDEFINIERT\Administratoren

[ryannewington]

Ok, nothing strange there. I'm wondering if I have a localization issue somewhere in the code.

From an admin command prompt, can you try cd %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys? Does that work or do we get a path not found error?

[Kwagnerapo]

I think on my german system I don't have the Application Data subfolder, it starts directly with Microsoft, after %ALLUSERSPROFILE%

[ScottHuman]

Hi @Kwagnerapo

This one is taking a bit more time to work through than expected.
To get you up and running while we troubleshoot in the background, you can assign the certificate manually using the following command run from an admin command prompt
Replace XXX with the thumbprint value of your certificate and ensure the appid value remains unchanged

netsh http add sslcert ipport=0.0.0.0:443 certhash=XXX appid="{4c3e21ba-7bef-46c8-bc85-a4407db6f596}"

Then reboot the service

Let us know how you go!

[Kwagnerapo]

Hey Scott,
thank you very much. I forgot to answer here.....we worked it around on friday by bypassing the localization issue with
mklink /J "Application Data" C:\ProgramData

After setting this alias everything worked fine.

Thanks again for your help!