view keystore names

Discussion in 'ASP .Net Security' started by Chuck, Apr 8, 2010.

  1. Chuck

    Chuck Guest

    If I use aspnet_regiis to create a machine encryption key, how can I view
    the keystore names on the computer?
    I was trying to use the MMC certificates snap-in but couldn't find the one I
    created.

    Thanks,
    Chuck, Apr 8, 2010
    #1

  2. Hi Chuck,

    If your ASP.NET installed correctly, then when you run the aspnet_regiis
    command you can view the certificate in the following way:

    To view certificates in the MMC snap-in

    1.Open a Command Prompt window.
    2.Type mmc and press the ENTER key. Note that to view certificates in the
    local machine store, you must be in the Administrator role.
    3.On the File menu, click Add/Remove Snap In.
    4.Click Add.
    5.In the Add Standalone Snap-in dialog box, select Certificates.
    6.Click Add.
    7.In the Certificates snap-in dialog box, select Computer account and click
    Next. Optionally, you can select My User account or Service account. If you
    are not an administrator of the computer, you can manage certificates only
    for your user account.
    8.In the Select Computer dialog box, click Finish.
    9.In the Add Standalone Snap-in dialog box, click Close.
    10.On the Add/Remove Snap-in dialog box, click OK.
    11.In the Console Root window, click Certificates (Local Computer) to view
    the certificate stores for the computer.
    12.Optional. To view certificates for your account, repeat steps 3 to 6. In
    step 7, instead of selecting Computer account, click My User account and
    repeat steps 8 to 10.
    13.Optional. On the File menu, click Save or Save As. Save the console file
    for later reuse.


    Viewing Certificates with Internet Explorer

    You can also view, export, import, and delete certificates by using
    Internet Explorer.
    To view certificates with Internet Explorer
    1.In Internet Explorer, click Tools, then click Internet Options to display
    the Internet Options dialog box.
    2.Click the Content tab.
    3.Under Certificates, click Certificates.
    4.To view details of any certificate, select the certificate and click View.

    The following procedure demonstrates how to examine the stores on a
    computer to find an appropriate certificate.
    http://msdn.microsoft.com/en-us/library/ms788967.aspx
    http://quickstart.developerfusion.co.uk/QuickStart/aspnet/doc/management/tools.aspx

    If you still can't see the certificate, it is because the .NET and IIS
    versions are not compatible; please refer to the following links to resolve it.
    http://geekswithblogs.net/marlon/archive/2006/01/22/66645.aspx
    http://www.issociate.de/board/post/306008/ASP.NET_2.0_MMC_snap-in.html

    --
    Best Regards,
    Zhi-Qiang Ni
    Microsoft Online Support
    Zhi-Qiang Ni[MSFT], Apr 13, 2010
    #2

  3. Chuck

    Chuck Guest

    That is exactly what I did, but I don't see the machine encryption key
    generated by aspnet_regiis.
    I know it was created because it is encrypting my web.config file.
    Is this the place you would look to find the machine encryption key?
    Under what certificate folder would it be?



    "Zhi-Qiang Ni[MSFT]" wrote:

    > Hi Chuck,
    >
    > If your asp.net install correctly, when you run the aspnet_regiis command,
    > you can view the certificate in the following way:
    >
    > To view certificates in the MMC snap-in
    >
    > 1.Open a Command Prompt window.
    > 2.Type mmc and press the ENTER key. Note that to view certificates in the
    > local machine store, you must be in the Administrator role.
    > 3.On the File menu, click Add/Remove Snap In.
    > 4.Click Add.
    > 5.In the Add Standalone Snap-in dialog box, select Certificates.
    > 6.Click Add.
    > 7.In the Certificates snap-in dialog box, select Computer account and click
    > Next. Optionally, you can select My User account or Service account. If you
    > are not an administrator of the computer, you can manage certificates only
    > for your user account.
    > 8.In the Select Computer dialog box, click Finish.
    > 9.In the Add Standalone Snap-in dialog box, click Close.
    > 10.On the Add/Remove Snap-in dialog box, click OK.
    > 11.In the Console Root window, click Certificates (Local Computer) to view
    > the certificate stores for the computer.
    > 12.Optional. To view certificates for your account, repeat steps 3 to 6. In
    > step 7, instead of selecting Computer account, click My User account and
    > repeat steps 8 to 10.
    > 13.Optional. On the File menu, click Save or Save As. Save the console file
    > for later reuse.
    >
    >
    > Viewing Certificates with Internet Explorer
    >
    > You can also view, export, import, and delete certificates by using
    > Internet Explorer.
    > To view certificates with Internet Explorer
    > 1.In Internet Explorer, click Tools, then click Internet Options to display
    > the Internet Options dialog box.
    > 2.Click the Content tab.
    > 3.Under Certificates, click Certificates.
    > 4.To view details of any certificate, select the certificate and click View.
    >
    > The following procedure demonstrates how to examine the stores on a
    > computer to find an appropriate certificate.
    > http://msdn.microsoft.com/en-us/library/ms788967.aspx
    > http://quickstart.developerfusion.co.uk/QuickStart/aspnet/doc/management/too
    > ls.aspx
    >
    > If you still can't see the certificate, it is because the .net and IIs
    > version is not compatible, please refer the following link to resolve it.
    > http://geekswithblogs.net/marlon/archive/2006/01/22/66645.aspx
    > http://www.issociate.de/board/post/306008/ASP.NET_2.0_MMC_snap-in.html
    >
    > --
    > Best Regards,
    > Zhi-Qiang Ni
    > Microsoft Online Support
    >
    >
    > .
    >
    Chuck, Apr 13, 2010
    #3
  4. Hi Chuck

    When you use the Aspnet_regiis.exe utility tool to encrypt the web.config
    section, the DPAPI machine key is stored at the following location:
    %windir%\system32\Microsoft\Protect\S-1-5-18

    But you can't view it; it is encrypted.
    Please check the following link:
    http://msdn.microsoft.com/en-us/library/ms998280.aspx#paght000005_step2

    --
    Best Regards,
    Zhi-Qiang Ni
    Microsoft Online Support
    Zhi-Qiang Ni[MSFT], Apr 16, 2010
    #4
  5. Chuck

    Chuck Guest

    So there are no tools, code or methods to check what keys are present and
    their KeyStore names?
    Chuck, Apr 16, 2010
    #5
  6. Chuck

    Chuck Guest

    P.S. I'm not using the DPAPI machine key.
    Chuck, Apr 16, 2010
    #6
  7. Hi Chuck,

    Please post your code showing how you use aspnet_regiis to create a machine
    encryption key.

    When you use aspnet_regiis to encrypt the section of web.config, you assign
    DataProtectionConfigurationProvider.

    The DataProtectionConfigurationProvider uses the Windows Data Protection
    API (DPAPI) underneath the covers. This provider uses a machine-specific
    secret key for encryption and decryption work, because the
    DataProtectionConfigurationProvider relies on a machine-specific key.

    So it is stored in %windir%\system32\Microsoft\Protect\S-1-5-18.
    I don't find a way to view it.
    But when you assign an RSA Key Container with aspnet_regiis, you can use the
    following way to export the custom RSA key container to an XML file.
    http://msdn.microsoft.com/en-us/library/f5cs0acs.aspx
    http://msdn.microsoft.com/en-us/library/2w117ede.aspx

    Please refer to the following links:
    http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
    http://odetocode.com/Articles/418.aspx

    --
    Best Regards,
    Zhi-Qiang Ni
    Microsoft Online Support
    Zhi-Qiang Ni[MSFT], Apr 19, 2010
    #7
  8. Chuck

    Chuck Guest

    aspnet_regiis -pz WebEncryptionKey
    aspnet_regiis -pc WebEncryptionKey -exp
    aspnet_regiis.exe -pef connectionStrings . -prov HrCustomProvider



    <configProtectedData>
      <providers>
        <clear/>
        <add name="HrCustomProvider" keyContainerName="WebEncryptionKey"
             useMachineContainer="true"
             description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
             type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </providers>
    </configProtectedData>




    "Zhi-Qiang Ni[MSFT]" wrote:

    > Hi Chuck,
    >
    > Please post your code how to use aspnet_regiis to create a machine
    > encryption key.
    >
    > When you use aspnet_regiis to encypt the section of web.config, you aassign
    > DataProtectionConfigurationProvider.
    >
    > The DataProtectionConfigurationProvider uses the Windows Data Protection
    > API (DPAPI) underneath the covers. This provider a machine-specific secret
    > key for encryption and decryption work. Because the
    > DataProtectionConfigurationProvider relies on a machine-specific key.
    >
    > So it store in %windir%\system32\Microsoft\Protect\S-1-5-18.
    > I do't find a way to view it.
    > But when you assign RSA Key Container with aspnet_regiis, you can use the
    > following way to export the custom RSA key container to an XML file.
    > http://msdn.microsoft.com/en-us/library/f5cs0acs.aspx
    > http://msdn.microsoft.com/en-us/library/2w117ede.aspx
    >
    > Please refer the following link:
    > http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
    > http://odetocode.com/Articles/418.aspx
    >
    > --
    > Best Regards,
    > Zhi-Qiang Ni
    > Microsoft Online Support
    >
    > .
    >
    Chuck, Apr 19, 2010
    #8
  9. Hi Chuck,

    The DPAPI machine key is the machine key; it is the Windows Data Protection
    API (DPAPI).
    The DataProtectionConfigurationProvider uses the Windows Data Protection
    API (DPAPI) underneath the covers. This provider uses a machine-specific
    secret key for encryption and decryption work, because the
    DataProtectionConfigurationProvider relies on a machine-specific key.
    So the system will use DPAPI to encrypt it although you don't notice it; it
    is the default.

    So it is stored in %windir%\system32\Microsoft\Protect\S-1-5-18.
    ASP.NET generates a random key and stores it in the Local Security
    Authority (LSA).
    I don't find a way to view the LSA.
    Please check the following link:
    http://msdn.microsoft.com/en-us/library/ms998280.aspx#paght000005_step2

    --
    Best Regards,
    Zhi-Qiang Ni
    Microsoft Online Support
    Zhi-Qiang Ni[MSFT], Apr 20, 2010
    #9
  10. Chuck

    Chuck Guest

    I use the default, which is now RSA; if you want to use DPAPI you must
    specify it.
    I use RSA.
    Please see:
    http://msdn.microsoft.com/en-us/library/ms998283(v=MSDN.10).aspx




    "Zhi-Qiang Ni[MSFT]" wrote:

    > Hi Chuck,
    >
    > The DPAPI machine key is the machine key, it is Windows Data Protection API
    > (DPAPI).
    > The DataProtectionConfigurationProvider uses the Windows Data Protection
    > API (DPAPI) underneath the covers. This provider a machine-specific secret
    > key for encryption and decryption work. Because the
    > DataProtectionConfigurationProvider relies on a machine-specific key.
    > So the system will use DPAPI to encypt it although you do't notice it, it
    > is default.
    >
    > So it store in %windir%\system32\Microsoft\Protect\S-1-5-18.
    > The ASP.NET generates a random key and stores it in the Local Security
    > Authority (LSA).
    > I do't find a way to view the LSA.
    > Please check the following link:
    > http://msdn.microsoft.com/en-us/library/ms998280.aspx#paght000005_step2
    >
    > --
    > Best Regards,
    > Zhi-Qiang Ni
    > Microsoft Online Support
    >
    > .
    >
    Chuck, Apr 20, 2010
    #10
  11. Hi Chuck,

    You are right; your link specifies the details.
    The RSAProtectedConfigurationProvider is the default provider and uses
    RSA public key encryption to encrypt and decrypt data.

    If you use a machine key container:
    RSA machine key containers are stored in the following folder:
    \Documents and Settings\All Users\Application
    Data\Microsoft\Crypto\RSA\MachineKeys

    If you use RSA user-level key containers:
    RSA user-level key containers are stored in the following folder:
    \Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA
    And run the following command from a command prompt to import the custom
    RSA encryption keys:
    aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"

    --
    Best Regards,
    Zhi-Qiang Ni
    Microsoft Online Support
    Zhi-Qiang Ni[MSFT], Apr 21, 2010
    #11
  12. Zhi-Qiang Ni[MSFT], Apr 21, 2010
    #12
  13. Chuck

    Chuck Guest

    If I use aspnet_regiis to create an RSA machine encryption key, how can I
    view the keystore names on the computer?
    I was trying to use the MMC certificates snap-in but couldn't find the one I
    created.

    Thanks,



    "Zhi-Qiang Ni[MSFT]" wrote:

    > Hi Chuck,
    >
    > If you assign RSA Key Container with aspnet_regiis, you can use the
    > following way to export the custom RSA key container to an XML file.
    > http://msdn.microsoft.com/en-us/library/f5cs0acs.aspx
    > http://msdn.microsoft.com/en-us/library/2w117ede.aspx
    >
    > --
    > Best Regards,
    > Zhi-Qiang Ni
    > Microsoft Online Support
    >
    > .
    >
    Chuck, Apr 21, 2010
    #13
  14. Hi Chuck,

    As far as I know, the MMC is used to manage certificates, such as X.509
    certificates and SSL certificates.
    The location 'C:\Documents and Settings\All Users\Application
    Data\Microsoft\Crypto\RSA\MachineKeys' stores the encryption key.
    When you use the Aspnet_regiis.exe utility tool to encrypt the web.config
    section, it will generate the key store; it stores the key in the above
    location.

    So you can't use the MMC to view the encryption key; it is used to manage
    certificates, not keys.
    If you create the RSA Key Container, you can use the following way to view
    the public key and private key:
    For example, the following command exports the machine-level RSA key
    container named SampleKeys to the file named keys.xml and includes the
    private key information.
    aspnet_regiis -px "SampleKeys" keys.xml -pri

    Please check the following link:
    http://msdn.microsoft.com/en-us/library/yxw286t2(VS.80).aspx

    --
    Best Regards,
    Zhi-Qiang Ni
    Microsoft Online Support

    Zhi-Qiang Ni[MSFT], Apr 23, 2010
    #14
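    The two answers above point at the MachineKeys folder as the place where
    aspnet_regiis -pc puts an RSA key container, and at aspnet_regiis -px as the
    only way the thread offers to look inside one. Chuck's actual question, which
    container names exist on the box, is answered by the CSP itself: the legacy
    CryptoAPI lets you enumerate the containers of the machine key store with
    CryptGetProvParam(PP_ENUMCONTAINERS), and .NET's CspKeyContainerInfo maps a
    container name to the blob file under MachineKeys. The program below is an
    added example written for this thread, not code from the posts or from
    Microsoft; it assumes the default RSA CSP (PROV_RSA_FULL), a .NET Framework
    target on Windows, and that the MachineKeys folder lives under
    CommonApplicationData (C:\ProgramData on Vista and later, the
    "All Users\Application Data" path quoted above on XP/2003). The optional
    command-line argument is a container name such as the thread's
    WebEncryptionKey.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.IO;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography;
    using System.Text;

    // Added example: inventory RSA key containers in the machine-level CSP store
    // and map each name (what keyContainerName= in web.config refers to) to the
    // file that backs it under ...\Microsoft\Crypto\RSA\MachineKeys.
    static class RsaContainerInventory
    {
        const uint PROV_RSA_FULL        = 1;
        const uint CRYPT_VERIFYCONTEXT  = 0xF0000000;
        const uint CRYPT_MACHINE_KEYSET = 0x00000020;
        const uint PP_ENUMCONTAINERS    = 2;
        const uint CRYPT_FIRST          = 1;
        const uint CRYPT_NEXT           = 2;
        const int  ERROR_NO_MORE_ITEMS  = 259;

        [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        static extern bool CryptAcquireContext(out IntPtr phProv, string szContainer,
            string szProvider, uint dwProvType, uint dwFlags);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool CryptGetProvParam(IntPtr hProv, uint dwParam, byte[] pbData,
            ref uint pdwDataLen, uint dwFlags);

        [DllImport("advapi32.dll", SetLastError = true)]
        static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

        // Lists the container names the default RSA CSP knows in the machine store.
        // CRYPT_VERIFYCONTEXT opens the provider without touching any container.
        public static List<string> ListMachineContainers()
        {
            var names = new List<string>();
            if (!CryptAcquireContext(out IntPtr hProv, null, null, PROV_RSA_FULL,
                                     CRYPT_VERIFYCONTEXT | CRYPT_MACHINE_KEYSET))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            try
            {
                // A null buffer with CRYPT_FIRST yields the size of the largest name.
                uint len = 0;
                if (!CryptGetProvParam(hProv, PP_ENUMCONTAINERS, null, ref len, CRYPT_FIRST))
                    return names; // nothing to enumerate
                var buf = new byte[len];
                uint flag = CRYPT_FIRST;
                while (true)
                {
                    uint n = (uint)buf.Length;
                    if (!CryptGetProvParam(hProv, PP_ENUMCONTAINERS, buf, ref n, flag))
                    {
                        int err = Marshal.GetLastWin32Error();
                        if (err == ERROR_NO_MORE_ITEMS) break;
                        throw new Win32Exception(err);
                    }
                    // PP_ENUMCONTAINERS returns ANSI, NUL-terminated names; n counts the NUL.
                    names.Add(Encoding.Default.GetString(buf, 0, (int)n).TrimEnd('\0'));
                    flag = CRYPT_NEXT;
                }
            }
            finally { CryptReleaseContext(hProv, 0); }
            return names;
        }

        // Opens an existing machine-level container by name (UseExistingKey makes
        // .NET throw instead of silently creating a new key pair) and returns the
        // path of the blob file that backs it.
        public static string BackingFileFor(string containerName)
        {
            var cp = new CspParameters((int)PROV_RSA_FULL)
            {
                KeyContainerName = containerName,
                Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
            };
            using (var rsa = new RSACryptoServiceProvider(cp))
            {
                string machineKeysDir = Path.Combine(
                    Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                    @"Microsoft\Crypto\RSA\MachineKeys");   // assumed location, see lead-in
                return Path.Combine(machineKeysDir, rsa.CspKeyContainerInfo.UniqueKeyContainerName);
            }
        }

        static void Main(string[] args)
        {
            foreach (string name in ListMachineContainers())
            {
                try { Console.WriteLine("{0,-32} -> {1}", name, BackingFileFor(name)); }
                catch (CryptographicException e) { Console.WriteLine("{0,-32} (cannot open: {1})", name, e.Message); }
            }
            if (args.Length == 1)   // e.g. WebEncryptionKey from the thread's web.config
            {
                try { Console.WriteLine("Container '{0}' exists: {1}", args[0], BackingFileFor(args[0])); }
                catch (CryptographicException) { Console.WriteLine("Container '{0}' not found in the machine store", args[0]); }
            }
        }
    }
    ```

    Run it elevated: the machine store is readable by administrators, and a
    container that enumerates but fails to open with "Keyset does not exist" or
    "Access is denied" usually means the running account lacks the ACL that
    aspnet_regiis -pa grants to the application pool identity, which is also the
    most common reason a site with an RSA-protected web.config fails to start
    after deployment. The blob file names it prints are the same files the
    thread's MachineKeys path refers to, so this also tells you which of those
    opaque files belongs to which keyContainerName.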