Changing ATA Center SSL Cert Failing

  • Question

  • Chrome decided to change the way they handle SSL certs and apparently the common name is no longer enough to pass validation.  So I am scrambling to change all of our SSL certs that we issue from our CA.  Because of this I have to update the ATA web interface cert.  

    When I go to the ATA console and select my new cert, my gateways sync up and when I try to activate it, it says activation failed.  I saw in another post to check a log file and here is my result.  Can anyone give me any info on what is going on here? 

    2017-04-30 03:13:45.7643 3052 393 d6bb349f-57b7-490b-841d-d9cd8b2039ae Error [CryptographicException] System.Security.Cryptography.CryptographicException: Bad Key.

       at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
       at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
       at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
       at Microsoft.Tri.Infrastructure.Utils.SecurityProvider.ReencryptAsymmetric(Byte[] encryptedData, X509Certificate2 sourceCertificate, X509Certificate2 destinationCertificate)
       at Microsoft.Tri.Center.Management.Controllers.SystemProfileController.<UpdateGatewayConfigurationsAsync>d__16.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Tri.Center.Management.Controllers.SystemProfileController.<UpdateCenterSystemProfileAsync>d__7.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Threading.Tasks.TaskHelpersExtensions.<CastToObject>d__0.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__0.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__2.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__2.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__2.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__0.MoveNext()
    2017-04-30 03:13:47.6314 3052 428 60617949-403e-4e8e-bcd4-8cb5b1fbd269 Error [CryptographicException] System.Security.Cryptography.CryptographicException: Bad Key.

    Sunday, April 30, 2017 3:28 AM

All replies

  • Hello,

    Please make sure the key for the certificate supports both encryption and decryption.

    For example, if you use makecert.exe, you have to create the certificate with "-sky Exchange"; without this, you can only use the key for signing and authentication.

    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 2, 2017 2:29 AM
  • I am looking at the cert (which was requested via IIS server certificates) and it appears to be issued from the same template, so this should already be set up correctly.  

    Anything else it can be?  

    NNatic

    Wednesday, May 3, 2017 4:20 PM
  • Hello,

    Just in case, I would recommend checking the key usage of the certificate.

    You can find the certificate under Personal -> Certificates by using the Certificates MMC snap-in.

    Best regards,

    Andy Liu



    Friday, May 5, 2017 10:02 AM
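
The checks suggested in the replies above (that the key supports decryption, and what the Key Usage extension says) can be scripted. This is an added example, not part of the original thread and not Microsoft's code; it assumes Windows PowerShell 5.1 run elevated, a CSP-backed RSA certificate in LocalMachine\My, and a hypothetical helper name `Test-CertCanDecrypt`. It performs an encrypt/decrypt round trip through the same `RSACryptoServiceProvider.Decrypt` call that appears in the stack trace.

```powershell
# Added example, not from the thread. Run elevated in Windows PowerShell 5.1.
function Test-CertCanDecrypt {
    param([Parameter(Mandatory)] [string] $Thumbprint)   # hypothetical helper name

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $report = [ordered]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        KeyUsage      = 'extension not present'
        KeySpec       = 'unknown'
        RoundTrip     = $false
        Error         = $null
    }

    # Key Usage extension: what the CA says the key may be used for.
    $ku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) { $report.KeyUsage = $ku.KeyUsages.ToString() }

    if (-not $cert.HasPrivateKey) {
        $report.Error = 'No private key is associated with this certificate.'
        return [pscustomobject]$report
    }

    try {
        # For CSP-backed keys this is an RSACryptoServiceProvider; KeyNumber is
        # Exchange (usable for decryption) or Signature (signing only).
        $private = $cert.PrivateKey
        if ($private -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $report.KeySpec = $private.CspKeyContainerInfo.KeyNumber.ToString()
        }

        # Constructed test value: encrypt with the public key, decrypt with the private key.
        $plain  = [System.Text.Encoding]::UTF8.GetBytes('constructed round-trip value')
        $cipher = $cert.PublicKey.Key.Encrypt($plain, $true)
        $back   = $private.Decrypt($cipher, $true)
        $report.RoundTrip = ([Convert]::ToBase64String($back) -eq [Convert]::ToBase64String($plain))
    }
    catch {
        $report.Error = $_.Exception.Message
    }
    return [pscustomobject]$report
}

# Placeholder thumbprint; substitute the new ATA Center certificate's thumbprint.
# Test-CertCanDecrypt -Thumbprint '<THUMBPRINT>' | Format-List
```

A certificate whose Key Usage lists key encipherment can still report `KeySpec` as `Signature`, so compare both fields and the `RoundTrip` result for the old and new certificates.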
  • I show that mine has key encipherment but it appears different than yours.  Does that matter at all?  

    My current cert has the same setup as below.  

    


    NNatic

    Wednesday, May 10, 2017 1:30 PM
  • Hello,

    The key usage in your certificate is normal. 

    Did you use the same certificate template for requesting a new certificate for ATA Center?

    Besides the common name, are there any other differences for the two certificates?

    Best regards,

    Andy Liu



    Friday, May 12, 2017 7:59 AM