That's a new one on me.  Certificates have proven to be no end of fun.  I 
should have known this since they are part of the CryptoAPI and that API is one 
of the most cryptic around.  Sorry, couldn't resist the pun.  <grin/>

Anyway, something subtle is clearly different but I don't have any idea where to 
start looking.  If you find a specific issue, it'd be great to file a bug 
against it.  I'm going to start plowing through the certificate bugs soon.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Morris, John - Raleigh
Sent: Monday, July 28, 2008 11:59
To: wix-users@lists.sourceforge.net
Subject: [WiX-users] Failure using Wix installer certificates with WCF

I have a wix project that uses the IIS extension to install a simple
x509 certificate. Here is my wix snippet:

    <!-- requires xmlns:iis="http://schemas.microsoft.com/wix/IIsExtension" on the <Wix> root -->
    <Binary Id="BIN_MyCertificate.pfx"
            SourceFile="$(var.Binaries)\MyCertificate.pfx" />

    <DirectoryRef Id="INSTALLLOCATION">
      <?define ComponentGuid = f128910b-318d-4b3f-96c3-f59610bbfce5 ?>

      <Component Id="CP_MyCertificate.pfx" Guid="$(var.ComponentGuid)"
                 KeyPath="yes">
        <!-- BinaryKey must match the Binary/@Id above -->
        <iis:Certificate Id="CERT_MyCertificate.pfx"
                         BinaryKey="BIN_MyCertificate.pfx"
                         Name="My Certificate"
                         Overwrite="yes"
                         PFXPassword="MyPassword"
                         Request="no"
                         StoreLocation="localMachine"
                         StoreName="personal" />
      </Component>
    </DirectoryRef>


The certificate appears to install ok. I then use a custom action to
execute the winhttpcertcfg utility to adjust the permissions on this
certificate. That appears to work too.  However, when I try to run a WCF
based service (in IIS), I get the error below in the event log. If I
try running an install without having Wix do the certificate installation
(i.e. I manually install it), everything works ok.  When Wix installs the
certificate, I can see the entry in the MMC console, but WCF won't use
it.

Am I missing something here, or is there a known bug concerning this
scenario?

Thanks, John

(Event log details below)

WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/18271112
 Exception: System.ServiceModel.ServiceActivationException: The service '/SelectServer/Integration/v1/Registration.svc' cannot be activated due to an exception during compilation.  The exception message is: The certificate 'CN=My Certificate' must have a private key that is capable of key exchange. The process must have access rights for the private key.. ---> System.ArgumentException: The certificate 'CN=My Certificate' must have a private key that is capable of key exchange. The process must have access rights for the private key. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver)
   at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.SessionRenewSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver)
   at System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocolFactory.Open(Boolean actAsInitiator, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityUtils.OpenTokenAuthenticatorIfRequired(SecurityTokenAuthenticator tokenAuthenticator, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
 Process Name: w3wp
 Process ID: 4000

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
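A diagnostic for the failure in the post above, added here and not part of the thread or of WiX: it performs the same private-key lookup that the trace shows WCF doing in EnsureCertificateCanDoKeyExchange (X509Certificate2.PrivateKey) against the LocalMachine\My entry, then reports whether the key sits in the machine key store, whether it is an Exchange key, and who holds rights on the key file that winhttpcertcfg adjusts. The subject 'CN=My Certificate' and the MachineKeys path under $env:ProgramData are assumptions; run it as the app-pool identity to see what w3wp sees.

```powershell
# Added diagnostic (not from the thread). Assumes the subject from the post and
# the Vista/2008+ MachineKeys location; adjust both for your environment.
param([string]$Subject = 'CN=My Certificate')
$ErrorActionPreference = 'Stop'

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$certs = @($store.Certificates | Where-Object { $_.Subject -eq $Subject })
$store.Close()
if ($certs.Count -eq 0) { Write-Warning "No certificate with subject '$Subject' in LocalMachine\My"; return }

foreach ($cert in $certs) {
    "Thumbprint      : $($cert.Thumbprint)"
    "HasPrivateKey   : $($cert.HasPrivateKey)"      # False: the PFX was imported without its key
    if (-not $cert.HasPrivateKey) { continue }
    try {
        $rsa = $cert.PrivateKey                      # the get_PrivateKey call in the stack trace
    } catch {
        # 'Keyset does not exist' lands here: the store entry references a key container
        # this account cannot open (key in another profile's store, or no ACL on the file).
        "PrivateKey      : ERROR $($_.Exception.Message)"
        continue
    }
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        "PrivateKey      : not a CSP (CryptoAPI) key; WCF on .NET 3.x needs an RSA CSP key"
        continue
    }
    $info = $rsa.CspKeyContainerInfo
    "KeyContainer    : $($info.KeyContainerName)"
    "ProviderName    : $($info.ProviderName)"
    "MachineKeyStore : $($info.MachineKeyStore)"     # must be True for a service hosted in w3wp
    "KeyNumber       : $($info.KeyNumber)"           # WCF requires Exchange, not Signature
    "Exportable      : $($info.Exportable)"

    # Machine keys are stored as files; the app-pool identity needs Read on this file.
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    if (Test-Path $keyFile) {
        "KeyFile         : $keyFile"
        foreach ($ace in (Get-Acl $keyFile).Access) {
            "  ACL           : $($ace.IdentityReference) $($ace.FileSystemRights) ($($ace.AccessControlType))"
        }
    } else {
        "KeyFile         : not found under MachineKeys (key was written to a user profile store?)"
    }
}
```

A MachineKeyStore of False, or a key file missing from MachineKeys while the certificate still shows HasPrivateKey, explains why the MMC shows the certificate but w3wp reports that the keyset does not exist.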
