
Chuck 04-08-2010 10:21 PM

view keystore names
 
If I use aspnet_regiis to create a machine encryption key,
how can I view the keystore names on the computer?
I was trying to use the MMC Certificates snap-in but couldn't find the one I
created.

Thanks,


Zhi-Qiang Ni[MSFT] 04-13-2010 12:42 PM

RE: view keystore names
 
Hi Chuck,

If your ASP.NET is installed correctly, when you run the aspnet_regiis command,
you can view the certificate in the following way:

To view certificates in the MMC snap-in

1. Open a Command Prompt window.
2. Type mmc and press the ENTER key. Note that to view certificates in the
local machine store, you must be in the Administrator role.
3. On the File menu, click Add/Remove Snap In.
4. Click Add.
5. In the Add Standalone Snap-in dialog box, select Certificates.
6. Click Add.
7. In the Certificates snap-in dialog box, select Computer account and click
Next. Optionally, you can select My User account or Service account. If you
are not an administrator of the computer, you can manage certificates only
for your user account.
8. In the Select Computer dialog box, click Finish.
9. In the Add Standalone Snap-in dialog box, click Close.
10. On the Add/Remove Snap-in dialog box, click OK.
11. In the Console Root window, click Certificates (Local Computer) to view
the certificate stores for the computer.
12. Optional. To view certificates for your account, repeat steps 3 to 6. In
step 7, instead of selecting Computer account, click My User account and
repeat steps 8 to 10.
13. Optional. On the File menu, click Save or Save As. Save the console file
for later reuse.


Viewing Certificates with Internet Explorer

You can also view, export, import, and delete certificates by using
Internet Explorer.
To view certificates with Internet Explorer

1. In Internet Explorer, click Tools, then click Internet Options to display
the Internet Options dialog box.
2. Click the Content tab.
3. Under Certificates, click Certificates.
4. To view details of any certificate, select the certificate and click View.

The following procedure demonstrates how to examine the stores on a
computer to find an appropriate certificate.
http://msdn.microsoft.com/en-us/library/ms788967.aspx
http://quickstart.developerfusion.co...management/tools.aspx

If you still can't see the certificate, it is because the .NET and IIS
versions are not compatible; please refer to the following links to resolve it.
http://geekswithblogs.net/marlon/arc.../22/66645.aspx
http://www.issociate.de/board/post/3...C_snap-in.html

--
Best Regards,
Zhi-Qiang Ni
Microsoft Online Support



Chuck 04-13-2010 02:55 PM

RE: view keystore names
 
That is exactly what I did, but I don't see the machine encryption key
generated by aspnet_regiis.
I know it was created because it is encrypting my web.config file.
Is this the place you would look to find the machine encryption key?
Under what certificate folder would it be?





Zhi-Qiang Ni[MSFT] 04-16-2010 10:31 AM

RE: view keystore names
 
Hi Chuck

When you use the Aspnet_regiis.exe utility to encrypt the web.config
section, the DPAPI machine key is stored at the following location:
%windir%\system32\Microsoft\Protect\S-1-5-18

But you can't view it; it is encrypted.
Please check the following link:
http://msdn.microsoft.com/en-us/libr...ht000005_step2

--
Best Regards,
Zhi-Qiang Ni
Microsoft Online Support


Chuck 04-16-2010 08:41 PM

RE: view keystore names
 

So there are no tools or code or methods to check what keys are present and
their KeyStore names?


Chuck 04-16-2010 08:44 PM

RE: view keystore names
 
P.S. I'm not using the DPAPI machine key.


Zhi-Qiang Ni[MSFT] 04-19-2010 10:44 AM

RE: view keystore names
 
Hi Chuck,

Please post the code showing how you use aspnet_regiis to create a machine
encryption key.

When you use aspnet_regiis to encrypt the section of web.config, you assign
DataProtectionConfigurationProvider.

The DataProtectionConfigurationProvider uses the Windows Data Protection
API (DPAPI) underneath the covers. This provider uses a machine-specific secret
key for encryption and decryption work. Because the
DataProtectionConfigurationProvider relies on a machine-specific key,
it is stored in %windir%\system32\Microsoft\Protect\S-1-5-18.
I don't find a way to view it.
But when you assign an RSA key container with aspnet_regiis, you can use the
following way to export the custom RSA key container to an XML file.
http://msdn.microsoft.com/en-us/library/f5cs0acs.aspx
http://msdn.microsoft.com/en-us/library/2w117ede.aspx

Please refer to the following links:
http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx
http://odetocode.com/Articles/418.aspx

--
Best Regards,
Zhi-Qiang Ni
Microsoft Online Support


Chuck 04-19-2010 02:03 PM

RE: view keystore names
 
aspnet_regiis -pz WebEncryptionKey
aspnet_regiis -pc WebEncryptionKey -exp
aspnet_regiis.exe -pef connectionStrings . -prov HrCustomProvider

<configProtectedData>
  <providers>
    <clear/>
    <add name="HrCustomProvider"
         keyContainerName="WebEncryptionKey"
         useMachineContainer="true"
         description="Uses RsaCryptoServiceProvider to encrypt and decrypt"
         type="System.Configuration.RsaProtectedConfigurationProvider,System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
  </providers>
</configProtectedData>




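
Added example, not part of the thread: one way to confirm that the machine-level RSA key container named in the post above exists, find the key file that backs it, and see which accounts can read that file. It assumes Windows PowerShell on .NET Framework, an elevated prompt, and Windows Vista / Server 2008 or later for the MachineKeys path.

```powershell
# Added example: inspect a machine-level RSA key container by name.
$containerName = 'WebEncryptionKey'   # name used with aspnet_regiis -pc above

$csp = New-Object System.Security.Cryptography.CspParameters
$csp.ProviderType     = 1             # PROV_RSA_FULL
$csp.KeyContainerName = $containerName
# UseExistingKey makes the open fail instead of silently creating a new,
# empty container when the name does not exist.
$csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore -bor
             [System.Security.Cryptography.CspProviderFlags]::UseExistingKey

try {
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList $csp
}
catch {
    Write-Warning "Cannot open container '$containerName': $($_.Exception.Message)"
    return
}

try {
    $info = $rsa.CspKeyContainerInfo
    $info | Format-List KeyContainerName, UniqueKeyContainerName, ProviderName,
                        MachineKeyStore, Exportable

    # Assumption: machine RSA key files live under this directory
    # (Windows Vista / Server 2008 and later).
    $keyDir  = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'
    $keyFile = Join-Path $keyDir $info.UniqueKeyContainerName

    if (Test-Path -LiteralPath $keyFile) {
        # Accounts listed here can use the private key, so they can decrypt web.config.
        (Get-Acl -LiteralPath $keyFile).Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    }
    else {
        Write-Warning "Key file not found at $keyFile"
    }
}
finally {
    $rsa.PersistKeyInCsp = $true      # keep the key in the container on cleanup
    $rsa.Clear()
}
```

RSA key containers are not certificates, which is why the container does not appear in the MMC Certificates snap-in.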


Zhi-Qiang Ni[MSFT] 04-20-2010 06:06 AM

RE: view keystore names
 
Hi Chuck,

The DPAPI machine key is the machine key; it is the Windows Data Protection API
(DPAPI).
The DataProtectionConfigurationProvider uses the Windows Data Protection
API (DPAPI) underneath the covers. This provider uses a machine-specific secret
key for encryption and decryption work. Because the
DataProtectionConfigurationProvider relies on a machine-specific key,
the system will use DPAPI to encrypt it although you don't notice it; it
is the default.

So it is stored in %windir%\system32\Microsoft\Protect\S-1-5-18.
ASP.NET generates a random key and stores it in the Local Security
Authority (LSA).
I don't find a way to view the LSA.
Please check the following link:
http://msdn.microsoft.com/en-us/libr...ht000005_step2

--
Best Regards,
Zhi-Qiang Ni
Microsoft Online Support


Chuck 04-20-2010 01:54 PM

RE: view keystore names
 
I use the default, which is now RSA; if you want to use the DPAPI you must
specify it.
I use RSA.
Please see:
http://msdn.microsoft.com/en-us/libr...SDN.10%29.aspx






