Certificate deployment issue

I am trying to deploy an MVC4 application to Windows Server 2008 R2 with IIS7, the application uses a third party library for ADFS authentication and authorisation which requires 3 certificates. All of the certificates are already installed on the server but I have steps in my deployment to redeploy them so that certificates can be managed by the support team.

In the Certificate step I have an access rule specified that should allow the service account to access the private key.

I am currently getting the following when the certificate install step is executed

There was an error importing the certificate into the store
Error    Could not set security on private-key
Error    System.Exception
Error       at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
Error       at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules)
Error       at Calamari.Commands.ImportCertificateCommand.ImportCertificate(CalamariVariableDictionary variables)
Error       at Calamari.Commands.ImportCertificateCommand.Execute(String[] commandLineArguments)
Error       at Calamari.Program.Execute(String[] args)
Error    --Inner Exception--
Error    Cannot find the certificate and private key for decryption.
Error    System.Security.Cryptography.CryptographicException
Error       at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetCspPrivateKeySecurity(SafeCertContextHandle certificate, ICollection`1 accessRules)
Error       at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
Fatal    The remote script failed with exit code 100
Fatal    Deploy ADFS Token Encryption Certificate on Application Server

Hi William,

This error indicates that the service account does not have access to change the permissions on the private key. Read access is not enough.

The easiest way to resolve this is to remove the certificates manually and then deploy them using Octopus.

Rob W

Thanks for the response Robert,

The service account is a local admin. I have tried your suggested fix of removing the certificates and letting Octopus deploy them but this results in the same error.

The certificate gets pushed to the Trusted Publisher folder and then the permissions step fails.

The issue was solved:

It would appear that being an Administrator on Windows does not give you full permissions to all folders. We explicitly needed to add full rights to the following folder for our Deployment account:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Once this was done it all worked like a charm.
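A way to inspect and set these permissions from PowerShell, as an added example that is not part of the original thread and is not Octopus or Calamari code. It assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later, run from an elevated prompt on the application server, a certificate already present in LocalMachine\My, and a hypothetical service account name such as DOMAIN\svc-deploy. The Crypto\Keys location used for CNG-backed keys is also an assumption about where Windows keeps them, not something the thread states. Instead of giving the deployment account full rights over the whole MachineKeys folder, the script lists the folder ACL (so you can see that Administrators do not automatically have full control there) and then grants the account a single right on the one key file behind the given thumbprint.

```powershell
# Added example, not from the original post. Usage (elevated Windows PowerShell 5.1):
#   .\Grant-PrivateKeyAccess.ps1 -Thumbprint 'ABCDEF...' -Account 'DOMAIN\svc-deploy' [-Rights Read|Modify]
# 'Read' is enough for a service that only uses the key (sign/decrypt).
# 'Modify' is needed if that account must also rewrite the key file's ACL, as the Calamari step does.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [Parameter(Mandatory)] [string] $Account,          # hypothetical account, e.g. DOMAIN\svc-deploy
    [ValidateSet('Read', 'Modify')] [string] $Rights = 'Read'
)

$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'   # legacy CSP keys
$cngKeys     = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'              # CNG keys (assumed location)

# 1. Show who has rights on the MachineKeys folder itself. On a default install the entries here are
#    specific, non-inherited grants; membership in Administrators does not imply full control on it.
Write-Host "Current ACL on $machineKeys"
(Get-Acl -Path $machineKeys).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 2. Find the certificate and resolve its private key to a file on disk.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $Thumbprint has no private key in this store" }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    # CSP key container: the file name is the container's unique name under MachineKeys
    $keyFile = Join-Path $machineKeys $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG key: stored under Crypto\Keys rather than Crypto\RSA\MachineKeys
    $keyFile = Join-Path $cngKeys $rsa.Key.UniqueName
}
else {
    throw "Unsupported private key type $($rsa.GetType().FullName)"
}

if (-not (Test-Path -Path $keyFile)) {
    # Typical causes: key held by an HSM/smart card, or a user-profile (CurrentUser) key
    throw "Key file $keyFile not found; the key is not a file-backed machine key"
}
Write-Host "Private key file: $keyFile"

# 3. Grant the requested right on the key file only, leaving the folder ACL alone.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify the resulting entry for the account.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two caveats worth keeping in mind. First, the thread's fix (full rights on the MachineKeys folder for the deployment account) also lets that account read every other machine key on the box; granting on the individual key file keeps the blast radius to the certificates the application actually uses. Second, the inner exception here ("Cannot find the certificate and private key for decryption") came from SetCspPrivateKeySecurity, so the Calamari step was working with a CSP key; a certificate imported with a CNG provider lands in the other folder and would need the corresponding branch above.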
