I'm trying to implement a custom STS for a WIF scenario I'm investigating, but it's failing. It's failing when trying to obtain the private key from the certificate used to sign the tokens. I create the STS with the following configuration:

var signingCert = new X509Certificate2(@"C:\<path>\MySigningCertificate.pfx");
var config
    = new SecurityTokenServiceConfiguration()
    {
        DisableWsdl = true,
        TokenIssuerName = "Tribold",
        SecurityTokenService = typeof(TriboldSecurityTokenService),
        SigningCredentials = new X509SigningCredentials(signingCert),
        CertificateValidationMode = X509CertificateValidationMode.Custom,
        CertificateValidator = new CertificateValidator()
    };

However, with WCF diagnostic logging configured, I get the following message in the Service Trace Viewer:

The private key is not present in the X.509 certificate.

This appears to be logged as the code comes out of my custom STS (i.e., after calling GetOutputClaimsIdentity(...) on my custom STS class), and therefore I can only assume that it's now trying to sign the issued security token and failing because it can't obtain a private key to do so.

The private key appears to be present on the loaded certificate:

Debug.Assert(signingCert.HasPrivateKey == true);

but it fails later on. I'm having no luck resolving this, please help!

Tim Roberts
  • Just to confirm: When you look at the certificate properties with the mmc certificate snap-in does it say "You have a private key that corresponds to this certificate"? – rbrayb Jun 21 '11 at 20:27
  • @nzpcmad - Yes, the certificate has a padlock on it, and the message also appears when you double-click the certificate and view its details. I imported the .PFX files that were created from the certificates. – Tim Roberts Jun 24 '11 at 12:30

2 Answers


It looks like the thread "cant use .pfx file for X.509 certificates" in the Geneva (= AD FS 2.0) forums covers the same problem as the one you report. So the resolution reported there might work, which is "specifying the X509KeyStorageFlags.PersistKeySet flag when initiating the X509Certificate2 object".

  • I came across that forum post and tried it. It didn't work and still gave me the "private key is not present" error. So frustrating. I've disabled the need to encrypt the security tokens for the time being (relying on message security), and it gets me onto the next error. – Tim Roberts Jun 21 '11 at 07:41

I'd be surprised if you didn't have to specify a password when opening a PFX file. X509Certificate2 has overloads that take a password in the form of a string or a SecureString.

Duncan Smart
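Putting the two answers together (load the PFX with its password, keep the key set persistent, and then actually prove the private key can be opened before handing the certificate to WIF), here is an added example; it is not code from the question, from either answer or from the WIF SDK. It assumes the WIF 3.5 namespace Microsoft.IdentityModel.SecurityTokenService (the type moved to System.IdentityModel.Tokens in .NET 4.5), keeps the question's placeholder path, uses a placeholder password, and the class and method names (SigningCertificateLoader, Load, EnsurePrivateKeyIsUsable, ToSigningCredentials) are my own.

```csharp
// Added example: load a signing PFX so the private key is usable by the STS process,
// and fail early with a clear error instead of "The private key is not present in
// the X.509 certificate" in the middle of token issuance.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Microsoft.IdentityModel.SecurityTokenService; // WIF 3.5; System.IdentityModel.Tokens on .NET 4.5+

public static class SigningCertificateLoader
{
    // Placeholders, not real values: the path is the one from the question.
    private const string PfxPath = @"C:\<path>\MySigningCertificate.pfx";
    private const string PfxPassword = "<pfx password>";

    public static void Main()
    {
        // Last argument: true when the STS runs under an IIS application pool or a
        // Windows service account, which normally has no loaded user profile.
        X509Certificate2 cert = Load(PfxPath, PfxPassword, true);
        X509SigningCredentials creds = ToSigningCredentials(cert);
        Console.WriteLine("Signing with {0} (thumbprint {1})",
            creds.Certificate.Subject, creds.Certificate.Thumbprint);
    }

    public static X509Certificate2 Load(string pfxPath, string password, bool runningAsService)
    {
        // PersistKeySet: without it the imported key is placed in a temporary container
        // that is deleted once the X509Certificate2 that imported it is garbage collected,
        // so HasPrivateKey can be true at load time and the key gone when WIF signs.
        X509KeyStorageFlags flags = X509KeyStorageFlags.PersistKeySet;
        if (runningAsService)
        {
            // No user profile means no per-user key store; keep the key in the machine store.
            flags |= X509KeyStorageFlags.MachineKeySet;
        }

        // The overload that takes the password; a PFX exported with a password cannot
        // be opened by the path-only constructor used in the question.
        var cert = new X509Certificate2(pfxPath, password, flags);
        EnsurePrivateKeyIsUsable(cert);
        return cert;
    }

    public static X509SigningCredentials ToSigningCredentials(X509Certificate2 cert)
    {
        EnsurePrivateKeyIsUsable(cert);
        return new X509SigningCredentials(cert); // defaults to RSA-SHA1 in WIF 3.5
    }

    // HasPrivateKey only says the certificate is associated with a key; it does not
    // prove this process can open the key container. Sign and verify once so any
    // access problem surfaces here as a CryptographicException with a real message.
    public static void EnsurePrivateKeyIsUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("No private key associated with " + cert.Subject);

        // cert.PrivateKey throws if the key container cannot be opened (wrong account,
        // missing profile, deleted temporary container, CNG-only key under WIF 3.5).
        var signer = cert.PrivateKey as RSACryptoServiceProvider;
        if (signer == null)
            throw new InvalidOperationException("Expected an RSA (CAPI) private key for " + cert.Subject);

        // Constructed probe input; SHA-1 matches the WIF 3.5 default token signature algorithm.
        byte[] probe = Encoding.UTF8.GetBytes("signing-key-probe");
        byte[] signature = signer.SignData(probe, new SHA1CryptoServiceProvider());

        // Verify with the public half from the same certificate so a PFX whose key does
        // not belong to this certificate is rejected as well.
        var verifier = (RSACryptoServiceProvider)cert.PublicKey.Key;
        if (!verifier.VerifyData(probe, new SHA1CryptoServiceProvider(), signature))
            throw new InvalidOperationException("Private key does not match certificate " + cert.Subject);
    }
}
```

The certificate returned by Load can be dropped straight into the SigningCredentials line of the configuration in the question. If EnsurePrivateKeyIsUsable throws, the exception message names the actual cause (access denied on the key container, key set does not exist, and so on), which is far more useful than the generic message the Service Trace Viewer shows after GetOutputClaimsIdentity.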