I have a WiX project that uses the IIS extension to install a simple X.509 certificate. Here is my WiX snippet:

    <Binary Id="BIN_MyCertificate.pfx" SourceFile="$(var.Binaries)\MyCertificate.pfx" />

    <DirectoryRef Id="INSTALLLOCATION">
      <?define ComponentGuid = f128910b-318d-4b3f-96c3-f59610bbfce5 ?>
      <Component Id="CP_MyCertificate.pfx" Guid="$(var.ComponentGuid)" KeyPath="yes">
        <iis:Certificate Id="CERT_MyCertificate.pfx"
                         BinaryKey="BIN_MyCertificate.pfx"
                         Name="My Certificate"
                         Overwrite="yes"
                         PFXPassword="MyPassword"
                         Request="no"
                         StoreLocation="localMachine"
                         StoreName="personal" />
      </Component>
    </DirectoryRef>

The certificate appears to install OK. I then use a custom action to execute the winhttpcertcfg utility to adjust the permissions on this certificate. That appears to work too. However, when I try to run a WCF-based service (in IIS), I get the error below in the event log.

If I try running an install without having WiX do the certificate installation (i.e. I manually install it), everything works OK. When WiX installs the certificate, I can see the entry in the MMC console, but WCF won't use it.

Am I missing something here, or is there a known bug concerning this scenario?

Thanks,
John

(Event log details below)

WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/18271112
 Exception: System.ServiceModel.ServiceActivationException: The service '/SelectServer/Integration/v1/Registration.svc' cannot be activated due to an exception during compilation. The exception message is: The certificate 'CN=My Certificate' must have a private key that is capable of key exchange. The process must have access rights for the private key.. ---> System.ArgumentException: The certificate 'CN=My Certificate' must have a private key that is capable of key exchange. The process must have access rights for the private key.
 ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.SessionRenewSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocolFactory.Open(Boolean actAsInitiator, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
 Process Name: w3wp
 Process ID: 4000

_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
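
An added diagnostic, not part of the original post or of WiX: the error text names two conditions (a private key capable of key exchange, and access rights for the process), and this PowerShell sketch reports both for the installed certificate. It assumes Windows PowerShell 5.x run elevated on the IIS host, a CSP-backed RSA key, the default MachineKeys directory, and the subject 'CN=My Certificate' taken from the event log.

```powershell
# Added example (not from the original post). Assumptions: elevated Windows
# PowerShell 5.x, CSP-backed RSA key, subject exactly as shown in the event log.
$subject     = 'CN=My Certificate'
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $certs = @($store.Certificates | Where-Object { $_.Subject -eq $subject })
    if ($certs.Count -eq 0) {
        Write-Warning "No certificate with subject '$subject' in LocalMachine\My"
        return
    }
    foreach ($cert in $certs) {
        "Thumbprint     : $($cert.Thumbprint)"
        "HasPrivateKey  : $($cert.HasPrivateKey)"
        if (-not $cert.HasPrivateKey) { continue }

        # Opening the key is the same call that fails in the stack trace
        # (X509Certificate2.get_PrivateKey), so a failure here reproduces it.
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
        } catch {
            "PrivateKey     : cannot be opened ($($_.Exception.Message))"
            continue
        }
        if (-not $info) { "PrivateKey     : not a CSP key, skipping"; continue }

        "MachineKeyStore: $($info.MachineKeyStore)"   # False = key lives in a user profile
        "KeyNumber      : $($info.KeyNumber)"         # Exchange or Signature
        "Container      : $($info.UniqueKeyContainerName)"

        # The container name is also the key file name; its ACL decides
        # which accounts (e.g. the application pool identity) can read the key.
        $keyFile = Join-Path $machineKeys $info.UniqueKeyContainerName
        if (Test-Path $keyFile) {
            (Get-Acl $keyFile).Access |
                Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
                Out-String
        } else {
            "Key file       : not found under $machineKeys"
        }
    }
} finally {
    $store.Close()
}
```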