view keystore names


Chuck

If I use aspnet_regiis to create a machine encryption key,
how can I view the keystore names on the computer?
I was trying to use the MMC Certificates snap-in but couldn't find the one I
created.

Thanks,
 

Zhi-Qiang Ni[MSFT]

Hi Chuck,

If your ASP.NET is installed correctly, when you run the aspnet_regiis command,
you can view the certificate in the following way:

To view certificates in the MMC snap-in

1. Open a Command Prompt window.
2. Type mmc and press the ENTER key. Note that to view certificates in the
local machine store, you must be in the Administrator role.
3. On the File menu, click Add/Remove Snap In.
4. Click Add.
5. In the Add Standalone Snap-in dialog box, select Certificates.
6. Click Add.
7. In the Certificates snap-in dialog box, select Computer account and click
Next. Optionally, you can select My User account or Service account. If you
are not an administrator of the computer, you can manage certificates only
for your user account.
8. In the Select Computer dialog box, click Finish.
9. In the Add Standalone Snap-in dialog box, click Close.
10. On the Add/Remove Snap-in dialog box, click OK.
11. In the Console Root window, click Certificates (Local Computer) to view
the certificate stores for the computer.
12. Optional. To view certificates for your account, repeat steps 3 to 6. In
step 7, instead of selecting Computer account, click My User account and
repeat steps 8 to 10.
13. Optional. On the File menu, click Save or Save As. Save the console file
for later reuse.


Viewing Certificates with Internet Explorer

You can also view, export, import, and delete certificates by using
Internet Explorer.

To view certificates with Internet Explorer

1. In Internet Explorer, click Tools, then click Internet Options to display
the Internet Options dialog box.
2. Click the Content tab.
3. Under Certificates, click Certificates.
4. To view details of any certificate, select the certificate and click View.

The following procedure demonstrates how to examine the stores on a
computer to find an appropriate certificate.
http://msdn.microsoft.com/en-us/library/ms788967.aspx
http://quickstart.developerfusion.co.uk/QuickStart/aspnet/doc/management/tools.aspx

If you still can't see the certificate, it is because the .NET and IIS
versions are not compatible; please refer to the following links to resolve it.
http://geekswithblogs.net/marlon/archive/2006/01/22/66645.aspx
http://www.issociate.de/board/post/306008/ASP.NET_2.0_MMC_snap-in.html
 

Chuck

That is exactly what I did, but I don't see the machine encryption key
generated by aspnet_regiis.
I know it was created because it is encrypting my web.config file.
Is this the place you would look to find the machine encryption key?
Under what certificate folder would it be?
 

Chuck

So there are no tools or code or methods to check what keys are present and
their KeyStore names?
 

Zhi-Qiang Ni[MSFT]

Hi Chuck,

Please post the code showing how you use aspnet_regiis to create a machine
encryption key.

When you use aspnet_regiis to encrypt the section of web.config, you assign
DataProtectionConfigurationProvider.

The DataProtectionConfigurationProvider uses the Windows Data Protection
API (DPAPI) underneath the covers. This provider uses a machine-specific secret
key for encryption and decryption work. Because the
DataProtectionConfigurationProvider relies on a machine-specific key.

So it is stored in %windir%\system32\Microsoft\Protect\S-1-5-18.
I don't find a way to view it.
But when you assign an RSA Key Container with aspnet_regiis, you can use the
following way to export the custom RSA key container to an XML file.
http://msdn.microsoft.com/en-us/library/f5cs0acs.aspx
http://msdn.microsoft.com/en-us/library/2w117ede.aspx

Please refer to the following links:
http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
http://odetocode.com/Articles/418.aspx
 

Chuck

aspnet_regiis -pz WebEncryptionKey
aspnet_regiis -pc WebEncryptionKey -exp
aspnet_regiis.exe -pef connectionStrings . -prov HrCustomProvider

<configProtectedData>
  <providers>
    <clear/>
    <add name="HrCustomProvider"
         keyContainerName="WebEncryptionKey"
         useMachineContainer="true"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  </providers>
</configProtectedData>
 

Zhi-Qiang Ni[MSFT]

Hi Chuck,

The DPAPI machine key is the machine key, it is Windows Data Protection API
(DPAPI).
The DataProtectionConfigurationProvider uses the Windows Data Protection
API (DPAPI) underneath the covers. This provider uses a machine-specific secret
key for encryption and decryption work. Because the
DataProtectionConfigurationProvider relies on a machine-specific key.
So the system will use DPAPI to encrypt it although you don't notice it; it
is the default.

So it is stored in %windir%\system32\Microsoft\Protect\S-1-5-18.
ASP.NET generates a random key and stores it in the Local Security
Authority (LSA).
I don't find a way to view the LSA.
Please check the following link:
http://msdn.microsoft.com/en-us/library/ms998280.aspx#paght000005_step2
 

Zhi-Qiang Ni[MSFT]

Hi Chuck,

You are right; your link specifies the details.
The RSAProtectedConfigurationProvider is the default provider and uses the
RSA public key encryption to encrypt and decrypt data.

If you use Machine Key Container.
RSA machine key containers are stored in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

If you use RSA user-level key containers.
RSA user-level key containers are stored in the following folder:
\Documents and Settings\{UserName}\Application Data\Microsoft\Crypto\RSA
And run the following command from a command prompt to import the custom
RSA encryption keys:
aspnet_regiis -pi "CustomKeys" "C:\CustomKeys.xml"
 

Chuck

If I use aspnet_regiis to create an RSA machine encryption key,
how can I view the keystore names on the computer?
I was trying to use the MMC Certificates snap-in but couldn't find the one I
created.

Thanks,
 

Zhi-Qiang Ni[MSFT]

Hi Chuck,

As far as I know, the MMC is used to manage certificates, such as X.509
certificates and SSL certificates.
The location 'C:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys' stores the encryption key.
When you use the Aspnet_regiis.exe utility tool to encrypt the web.config
section, it will generate the key store and store the key in the above
location.

So you can't use the MMC to view the encryption key; it is used to manage the
certificate, not the key.
If you create the RSA Key Container, you can use the following way to view
the public key and private key:
For example, the following command exports the machine-level RSA key
container named SampleKeys to the file named keys.xml and includes the
private key information.
aspnet_regiis -px "SampleKeys" keys.xml -pri

Please check the following link:
http://msdn.microsoft.com/en-us/library/yxw286t2(VS.80).aspx

--
Best Regards,
Zhi-Qiang Ni
Microsoft Online Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an
initial response from the community or a Microsoft Support Engineer within
2 business days is acceptable. Please note that each follow up response may
take approximately 2 business days as the support professional working with
you may need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations that require urgent,
real-time or phone-based interactions. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
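
Added example, not part of the original thread: one way to check from PowerShell whether a named machine-level RSA key container exists and which file under the MachineKeys folder backs it, together with the accounts granted access to that file. The function name Get-MachineKeyContainer is hypothetical, the container name WebEncryptionKey is the one from Chuck's commands above, and the folder is resolved from the CommonApplicationData special folder.

```powershell
# Added example (not from the thread): map an RSA machine key container name
# to the file that backs it under ...\Microsoft\Crypto\RSA\MachineKeys.
# Get-MachineKeyContainer is a hypothetical helper name.
function Get-MachineKeyContainer {
    param([Parameter(Mandatory = $true)][string]$ContainerName)

    $flags = [System.Security.Cryptography.CspProviderFlags]
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    # UseExistingKey makes the open fail instead of creating a new container.
    $csp.Flags = $flags::UseMachineKeyStore -bor $flags::UseExistingKey

    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider `
            -ArgumentList $csp -ErrorAction Stop
    } catch {
        Write-Warning "Cannot open machine container '$ContainerName': $($_.Exception.Message)"
        return
    }

    try {
        $info = $rsa.CspKeyContainerInfo
        # All Users\Application Data on older systems, ProgramData on newer ones.
        $root = [Environment]::GetFolderPath('CommonApplicationData')
        $file = Join-Path $root ('Microsoft\Crypto\RSA\MachineKeys\' + $info.UniqueKeyContainerName)

        # Accounts with rights on the key file (for example those added with -pa).
        $access = @()
        if (Test-Path -LiteralPath $file) {
            $access = (Get-Acl -LiteralPath $file).Access |
                ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights }
        }

        New-Object PSObject -Property @{
            Container  = $info.KeyContainerName
            KeyFile    = $file
            KeySize    = $rsa.KeySize
            Exportable = $info.Exportable
            FileAccess = $access
        }
    } finally {
        # Releases the handle; a named container stays persisted and is not deleted.
        $rsa.Clear()
    }
}

# Container name taken from the aspnet_regiis commands posted in the thread.
Get-MachineKeyContainer -ContainerName 'WebEncryptionKey'
```

Run it from an elevated prompt; without administrative rights the open or the ACL read can fail with an access error even when the container exists.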
 
