The CryptAcquireCertificatePrivateKey function obtains the private key for a certificate. This function is used to obtain access to a user's private key when the user's certificate is available, but the handle of the user's key container is not available. This function can only be used by the owner of a private key and not by any other user.
If a CSP handle and the key container containing a user's private key are available, the CryptGetUserKey function should be used instead.
Syntax
Parameters
pCert
The address of a CERT_CONTEXT structure that contains the certificate context for which a private key will be obtained.
dwFlags
A set of flags that modify the behavior of this function. This can be zero or a combination of one or more of the following values.
| Value | Meaning |
|---|---|
| CRYPT_ACQUIRE_CACHE_FLAG | If a handle is already acquired and cached, that same handle is returned. Otherwise, a new handle is acquired and cached by using the certificate's CERT_KEY_CONTEXT_PROP_ID property. When this flag is set, the pfCallerFreeProvOrNCryptKey parameter receives FALSE and the calling application must not release the handle. The handle is freed when the certificate context is freed; however, you must retain the certificate context referenced by the pCert parameter as long as the key is in use, otherwise operations that rely on the key will fail. |
| CRYPT_ACQUIRE_COMPARE_KEY_FLAG | The public key in the certificate is compared with the public key returned by the cryptographic service provider (CSP). If the keys do not match, the acquisition operation fails and the last error code is set to NTE_BAD_PUBLIC_KEY. If a cached handle is returned, no comparison is made. |
| CRYPT_ACQUIRE_NO_HEALING | This function will not attempt to re-create the CERT_KEY_PROV_INFO_PROP_ID property in the certificate context if this property cannot be retrieved. |
| CRYPT_ACQUIRE_SILENT_FLAG | The CSP should not display any user interface (UI) for this context. If the CSP must display UI to operate, the call fails and the NTE_SILENT_CONTEXT error code is set as the last error. |
| CRYPT_ACQUIRE_USE_PROV_INFO_FLAG | Uses the certificate's CERT_KEY_PROV_INFO_PROP_ID property to determine whether caching should be accomplished. For more information about the CERT_KEY_PROV_INFO_PROP_ID property, see CertSetCertificateContextProperty. This function will only use caching if during a previous call, the dwFlags member of the CRYPT_KEY_PROV_INFO structure contained CERT_SET_KEY_CONTEXT_PROP. |
| CRYPT_ACQUIRE_WINDOWS_HANDLE_FLAG | Any UI that is needed by the CSP or KSP will be a child of the HWND that is supplied in the pvParameters parameter. For a CSP key, using this flag will cause the CryptSetProvParam function with the flag PP_CLIENT_HWND using this HWND to be called with NULL for HCRYPTPROV. For a KSP key, using this flag will cause the NCryptSetProperty function with the NCRYPT_WINDOW_HANDLE_PROPERTY flag to be called using the HWND. Do not use this flag with CRYPT_ACQUIRE_SILENT_FLAG. |
The following flags determine which technology is used to obtain the key. If none of these flags is present, this function will only attempt to obtain the key by using CryptoAPI.
Windows Server 2003 and Windows XP: These flags are not supported.
| Value | Meaning |
|---|---|
| CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG | This function will attempt to obtain the key by using CryptoAPI. If that fails, this function will attempt to obtain the key by using the Cryptography API: Next Generation (CNG). The pdwKeySpec variable receives the CERT_NCRYPT_KEY_SPEC flag if CNG is used to obtain the key. |
| CRYPT_ACQUIRE_ONLY_NCRYPT_KEY_FLAG | This function will only attempt to obtain the key by using CNG and will not use CryptoAPI to obtain the key. The pdwKeySpec variable receives the CERT_NCRYPT_KEY_SPEC flag if CNG is used to obtain the key. |
| CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG | This function will attempt to obtain the key by using CNG. If that fails, this function will attempt to obtain the key by using CryptoAPI. The pdwKeySpec variable receives the CERT_NCRYPT_KEY_SPEC flag if CNG is used to obtain the key. Note: CryptoAPI does not support the CNG Diffie-Hellman or DSA asymmetric algorithms. CryptoAPI only supports Diffie-Hellman and DSA public keys through the legacy CSPs. If this flag is set for a certificate that contains a Diffie-Hellman or DSA public key, this function will implicitly change this flag to CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG to first attempt to use CryptoAPI to obtain the key. |
pvParameters
If the CRYPT_ACQUIRE_WINDOWS_HANDLE_FLAG is set, then this is the address of an HWND. If the CRYPT_ACQUIRE_WINDOWS_HANDLE_FLAG is not set, then this parameter must be NULL.
Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP: This parameter was named pvReserved and reserved for future use and must be NULL.
phCryptProvOrNCryptKey
The address of an HCRYPTPROV_OR_NCRYPT_KEY_HANDLE variable that receives the handle of either the CryptoAPI provider or the CNG key. If the pdwKeySpec variable receives the CERT_NCRYPT_KEY_SPEC flag, this is a CNG key handle of type NCRYPT_KEY_HANDLE; otherwise, this is a CryptoAPI provider handle of type HCRYPTPROV.
For more information about when and how to release this handle, see the description of the pfCallerFreeProvOrNCryptKey parameter.
pdwKeySpec
The address of a DWORD variable that receives additional information about the key. This can be one of the following values.
| Value | Meaning |
|---|---|
| AT_KEYEXCHANGE | The key pair is a key exchange pair. |
| AT_SIGNATURE | The key pair is a signature pair. |
| CERT_NCRYPT_KEY_SPEC | The key is a CNG key. Windows Server 2003 and Windows XP: This value is not supported. |
pfCallerFreeProvOrNCryptKey
The address of a BOOL variable that receives a value that indicates whether the caller must free the handle returned in the phCryptProvOrNCryptKey variable. This receives FALSE if any of the following is true:
- Public key acquisition or comparison fails.
- The dwFlags parameter contains the CRYPT_ACQUIRE_CACHE_FLAG flag.
- The dwFlags parameter contains the CRYPT_ACQUIRE_USE_PROV_INFO_FLAG flag, the certificate context property is set to CERT_KEY_PROV_INFO_PROP_ID with the CRYPT_KEY_PROV_INFO structure, and the dwFlags member of the CRYPT_KEY_PROV_INFO structure is set to CERT_SET_KEY_CONTEXT_PROP_ID.
If this variable receives TRUE, the caller is responsible for releasing the handle returned in the phCryptProvOrNCryptKey variable. If the pdwKeySpec variable receives the CERT_NCRYPT_KEY_SPEC value, the handle must be released by passing it to the NCryptFreeObject function; otherwise, the handle is released by passing it to the CryptReleaseContext function.
Return value
If the function succeeds, the return value is nonzero (TRUE).
If the function fails, the return value is zero (FALSE). For extended error information, call GetLastError. Possible error codes include the following.
| Return code | Description |
|---|---|
| NTE_BAD_PUBLIC_KEY | The public key in the certificate does not match the public key returned by the CSP. This error code is returned if the CRYPT_ACQUIRE_COMPARE_KEY_FLAG is set and the public key in the certificate does not match the public key returned by the cryptographic provider. |
| NTE_SILENT_CONTEXT | The dwFlags parameter contained the CRYPT_ACQUIRE_SILENT_FLAG flag and the CSP could not continue an operation without displaying a user interface. |
Remarks
When CRYPT_ACQUIRE_WINDOWS_HANDLE_FLAG is set, the caller must ensure the HWND is valid. If the HWND is no longer valid, for a CSP key the caller should call CryptSetProvParam using flag PP_CLIENT_HWND with NULL for the HWND and NULL for the HCRYPTPROV. For a KSP key, the caller should set the NCRYPT_WINDOW_HANDLE_PROPERTY of the ncrypt key to NULL. When the CRYPT_ACQUIRE_WINDOWS_HANDLE_FLAG flag is set for a KSP key, the NCRYPT_WINDOW_HANDLE_PROPERTY is set on both the storage provider and the key. If both calls fail, then the function fails. If only one fails, the function succeeds. Note that setting the HWND to NULL effectively removes the HWND from the HCRYPTPROV or ncrypt key.
Examples
For an example that uses this function, see Example C Program: Sending and Receiving a Signed and Encrypted Message.
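The following is an added example written for this page; it is not Microsoft's sample program and not code from the documentation. It calls CryptAcquireCertificatePrivateKey from PowerShell through P/Invoke with CRYPT_ACQUIRE_COMPARE_KEY_FLAG, CRYPT_ACQUIRE_SILENT_FLAG and CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG, maps the two documented error codes, and releases the handle with NCryptFreeObject or CryptReleaseContext depending on pdwKeySpec, but only when pfCallerFreeProvOrNCryptKey says the caller owns it. The certificate selection (first certificate with a private key in the current user's Personal store) and the function names Get-CertificatePrivateKeyHandle and Close-CertificatePrivateKeyHandle are this example's own choices.

```powershell
# Added example: call CryptAcquireCertificatePrivateKey from PowerShell via P/Invoke.
# Assumes a certificate with a private key exists in Cert:\CurrentUser\My (placeholder selection).
Add-Type -Namespace Win32 -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CryptAcquireCertificatePrivateKey(
    IntPtr pCert, uint dwFlags, IntPtr pvParameters,
    out IntPtr phCryptProvOrNCryptKey, out uint pdwKeySpec,
    out bool pfCallerFreeProvOrNCryptKey);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

[DllImport("ncrypt.dll")]
public static extern int NCryptFreeObject(IntPtr hObject);
'@

# Constants from wincrypt.h. The HRESULT literals are signed Int32 in PowerShell,
# which is also what Marshal.GetLastWin32Error() returns, so they compare directly.
$CRYPT_ACQUIRE_COMPARE_KEY_FLAG      = 0x00000004   # mismatch -> NTE_BAD_PUBLIC_KEY
$CRYPT_ACQUIRE_SILENT_FLAG           = 0x00000040   # never prompt -> NTE_SILENT_CONTEXT instead
$CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG = 0x00010000   # CryptoAPI first, then CNG
$CERT_NCRYPT_KEY_SPEC                = [uint32]::MaxValue   # 0xFFFFFFFF: the key is a CNG key
$NTE_BAD_PUBLIC_KEY                  = 0x80090015
$NTE_SILENT_CONTEXT                  = 0x80090022

function Get-CertificatePrivateKeyHandle {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    $hKey = [IntPtr]::Zero; $keySpec = [uint32]0; $callerFree = $false
    $flags = $CRYPT_ACQUIRE_COMPARE_KEY_FLAG -bor $CRYPT_ACQUIRE_SILENT_FLAG -bor $CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG

    # $Cert.Handle is the PCCERT_CONTEXT. Keep the X509Certificate2 object alive for as long
    # as the key handle is in use, as the CRYPT_ACQUIRE_CACHE_FLAG description requires.
    $ok = [Win32.Crypt32]::CryptAcquireCertificatePrivateKey(
        $Cert.Handle, [uint32]$flags, [IntPtr]::Zero, [ref]$hKey, [ref]$keySpec, [ref]$callerFree)

    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $reason = switch ($err) {
            { $_ -eq $NTE_BAD_PUBLIC_KEY } { 'certificate public key does not match the provider key' }
            { $_ -eq $NTE_SILENT_CONTEXT } { 'provider needs UI but CRYPT_ACQUIRE_SILENT_FLAG was set' }
            default                        { 'see GetLastError' }
        }
        throw ('CryptAcquireCertificatePrivateKey failed: 0x{0:X8} ({1})' -f $err, $reason)
    }

    [pscustomobject]@{
        Handle     = $hKey
        KeySpec    = $keySpec                               # AT_KEYEXCHANGE (1), AT_SIGNATURE (2) or CERT_NCRYPT_KEY_SPEC
        IsCngKey   = ($keySpec -eq $CERT_NCRYPT_KEY_SPEC)
        CallerFree = $callerFree                            # FALSE means the certificate context owns the handle
    }
}

function Close-CertificatePrivateKeyHandle {
    param([Parameter(Mandatory)] $Key)
    if (-not $Key.CallerFree) { return }      # cached handle: freed with the certificate context, never by us
    if ($Key.IsCngKey) { [void][Win32.Crypt32]::NCryptFreeObject($Key.Handle) }
    else               { [void][Win32.Crypt32]::CryptReleaseContext($Key.Handle, 0) }
}

# Placeholder selection: the first certificate in the user's Personal store that has a private key.
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key found in Cert:\CurrentUser\My' }

$key = Get-CertificatePrivateKeyHandle -Cert $cert
try {
    $kind = if ($key.IsCngKey) { 'CNG key (NCRYPT_KEY_HANDLE)' } else { "CryptoAPI provider (HCRYPTPROV), key spec $($key.KeySpec)" }
    "{0}: {1}, caller frees handle: {2}" -f $cert.Subject, $kind, $key.CallerFree
}
finally {
    Close-CertificatePrivateKeyHandle -Key $key
}
```

Because the function only succeeds for the owner of the private key, running this as a different user against the same certificate fails at the acquire step; running it against a smart-card certificate with CRYPT_ACQUIRE_SILENT_FLAG set surfaces NTE_SILENT_CONTEXT when the card reader needs a PIN prompt.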
Requirements
| Requirement | Value |
|---|---|
| Minimum supported client | Windows XP [desktop apps \| UWP apps] |
| Minimum supported server | Windows Server 2003 [desktop apps \| UWP apps] |
| Target Platform | Windows |
| Header | wincrypt.h |
| Library | Crypt32.lib |
| DLL | Crypt32.dll |
I was approached with a case where the customer was trying to create a Data Source within the Power BI Admin Center and received the following error when trying to test the connection and having Encrypt Connection selected.
Failed to test connection. [DBNETLIB][ConnectionOpen(SECDoClientHandshake()).]SSL Security error.
When we get an SSL error, we are talking about Certificates and trying to encrypt traffic between the client and the Data Source. The client in this case will be the Data Management Gateway.
While we are using Power BI, this is a great example of just a regular connectivity issue. This is not a Power BI specific issue. We would get a failure in a different application as well, such as Management Studio.
They were using the Microsoft OLE DB Provider for SQL Server as the provider. This is a really old provider and we should move to the .NET Provider or SQL Server Native Client if possible. Although depending on how you pulled information into Excel, that may be the provider listed and we need to match that as I’ve described in other blogs.
One of the reasons I recommend moving off of it is due to the error message itself. The OLE DB Provider error is fairly generic and not overly helpful. With the .NET Provider and SQL Server Native Client, the messaging has been updated and can give you more details. Here is what the error is from the SQL Server Native Client.
SSL Provider: The certificate chain was issued by an authority that is not trusted.
This is due to the certificate that SQL Server is presenting: the client evaluates the information in that certificate and rejects it as invalid. This can happen for multiple reasons. In this case the error indicates that it was because we don’t trust the certificate, which is a fairly specific error versus the generic error from the OLE DB Provider.
How to correct it
To correct this, we have to deal with certificates. In our case, the certificate used by the SQL Server is not within the Trusted Root Certification Authorities store of the machine running the Data Management Gateway.
To review the Trusted Root store, we can use MMC to do this. Open MMC and add the Certificates Snap In.
When you add that, you’ll be presented with a dialog about how you want to manage certificates. In what context? You have three options: My user account, Service account and Computer account.
I always use the Computer account context. This will cover everything on the machine. If you use My user account, it will be for your specific user. So, Management Studio would start working, but the Data Management Gateway would still fail as that doesn’t run under your user account. There are reasons why you would want to do either a service account or your user, but you need to know what you are doing and what your scenario is to understand how things will be affected. For the purposes of this walk through, I’m going with Computer account.
After we add the Snap In within MMC, we will see several folders. There are two we want to focus on. Personal and Trusted Root Certification Authorities.
The Personal store is where the certificates reside that you can actually use. The Trusted Root store holds the items that we trust that could be part of the certificate chain.
For our purposes, and to correct the issue, we are interested in the Trusted Root store. When we select the Certificates folder under the Trusted Root, these are all of the Certification Authorities (CA) that we trust. So, if any certificate originates from any of these, it will be trusted by the system. VeriSign is an example of one that is in this folder. So, any certificate that comes from VeriSign, we will trust because it is a known organization.
What is missing here is the item that will cause us to trust the certificate that is being presented by SQL Server. There are different ways to create a certificate. You can generate a self signed certificate. You can get a certificate from a known CA such as VeriSign. Or your organization may have their own Certification Authority. In my case, I did a self signed certificate. There are also different ways to do that. You can create it through IIS, but in my case I used makecert to generate it. This can be found in the Windows SDK.
Here is the makecert command I used to generate the server certificate.
makecert -r -pe -n "CN=guyinacubesql.guyinacube.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
There are a couple of things that are required here. The eku parameter I used indicates it is a Server Certificate. Also, the sky parameter indicates exchange. These are both required. This was run on the SQL Server.
I created the certificate and then exported it to a PFX file. PFX includes the private key. We really only need the public cert which could just be a CER file. I always include Extended Properties on the export.
I then go to the machine running the Data Management Gateway, and within the MMC/Certificates window, we can right click on the Certificates folder under the Trusted Root store, go to All Tasks and select Import. We can enter the password for the PFX package and Include all extended properties.
We then want to place the certificate within the Trusted Root Certification Authorities store.
Once all of that is done, we should see our certificate listed within the Trusted Root store.
The key symbol on the Cert icon indicates that it has the Private key. You will notice that the others don’t have the private key, and that’s fine. So, now if we go back and test the connection on the Data Source, it will connect successfully because we trust the CA.
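The same setup done with the PKI cmdlets instead of makecert and the MMC import, as an added example that is not part of the original post. Part 1 runs on the SQL Server and reproduces the two properties the post calls required (the Server Authentication EKU and an exchange key spec); part 2 runs on the Data Management Gateway machine. The host name reuses the post's FQDN, the file path is a placeholder, and the example exports a .cer rather than a PFX so the private key never leaves the SQL Server.

```powershell
# Added example (not from the original post). Part 1 on the SQL Server, part 2 on the gateway.
# Placeholders: the .cer path. The FQDN is the one used in the post's makecert command.

# ---- Part 1: on the SQL Server --------------------------------------------------
$fqdn    = 'guyinacubesql.guyinacube.com'    # the name clients will put in the connection string
$cerPath = 'C:\temp\sqlserver-public.cer'    # placeholder path for the public certificate

$newCert = @{
    DnsName           = $fqdn                                            # subject CN plus a DNS SAN
    CertStoreLocation = 'Cert:\LocalMachine\My'                          # makecert -ss my -sr localMachine
    KeySpec           = 'KeyExchange'                                    # makecert -sky exchange
    Provider          = 'Microsoft RSA SChannel Cryptographic Provider'  # makecert -sp ...
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')           # EKU Server Authentication, makecert -eku
    NotAfter          = (Get-Date).AddYears(5)
}
$cert = New-SelfSignedCertificate @newCert

# Export only the public certificate. A .cer carries no private key, which is all the
# gateway needs in order to trust the server.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Confirm the two required properties on the certificate that was just created.
$ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
"Server Authentication EKU present: $($ekuOids -contains '1.3.6.1.5.5.7.3.1')"
"Private key present on the SQL Server: $($cert.HasPrivateKey)"
"Thumbprint to look for on the gateway: $($cert.Thumbprint)"

# ---- Part 2: on the Data Management Gateway machine (after copying $cerPath over) ----
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# The Computer account context the post uses is Cert:\LocalMachine; the gateway service
# reads this store, not the current user's. HasPrivateKey should be False here.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
```

Importing the .cer instead of the PFX gives the same trust result as the post's walkthrough, but the gateway machine ends up holding only the public certificate, so the key symbol described above will not appear on it, which is what you want on a client.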
If we change the provider over to SQL Server Native Client 11, we will actually get another error.
SSL Provider: The target principal name is incorrect.
SQL Server Native Client is a little more strict in its certificate validation. We used the NetBIOS name for the server name. However the name in the Certificate is the Fully Qualified Domain Name (FQDN). So, they don’t match. If we change the server name to the FQDN, it will then work correctly.
We care about the Certificate Path
The reason this failed is that we didn’t trust the root CA. This comes down to the Certification Path. When you open a certificate, there will be a Certification Path tab. For a self signed certificate, you will only have that certificate listed.
You may have multiple items listed. If there is a red X on any item here, then the certificate will not be trusted. Here is an example of one that isn’t trusted.
That’s when we need to add that to the Trusted Root store, like we just did, to get it to be trusted.
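A check script for the two errors walked through above (the untrusted chain and the target principal name mismatch), as an added example that is not part of the original post. It runs on the gateway machine against a .cer exported from the SQL Server and the server name from the Data Source, reports what the Certification Path tab would show as a red X, checks the name against the CN and DNS SANs, and then attempts an encrypted connection with validation left on. The function names Test-SqlServerCertificate and Test-SqlEncryptedConnection, the file path and the use of Windows authentication are this example's assumptions.

```powershell
# Added example (not from the original post). Run on the machine that hosts the
# Data Management Gateway. Paths and server names are placeholders.
function Test-SqlServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $CertPath,    # public certificate exported from the SQL Server
        [Parameter(Mandatory)] [string] $ServerName   # the name used in the Data Source / connection string
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # 1. Certification Path: does the chain end at something in the Trusted Root store?
    #    A red X in the MMC tab shows up here as a ChainStatus entry, e.g. UntrustedRoot
    #    for a self-signed certificate that has not been imported yet.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # 2. Target principal name: the server name must match the CN or a DNS SAN.
    #    A NetBIOS name against an FQDN certificate is exactly the mismatch described above.
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the SAN as "DNS Name=host1, DNS Name=host2"
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    $nameOk = @($names | ForEach-Object { $_.ToLowerInvariant() }) -contains $ServerName.ToLowerInvariant()

    # 3. Usage: the certificate must carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $ekus = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { (New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($_, $false)).EnhancedKeyUsages } |
        ForEach-Object { $_.Value }
    $ekuOk = @($ekus) -contains '1.3.6.1.5.5.7.3.1'

    [pscustomobject]@{
        Subject       = $cert.Subject
        ChainTrusted  = $chainOk                      # False -> "issued by an authority that is not trusted"
        ChainProblems = ($problems -join ', ')        # e.g. UntrustedRoot
        NameMatches   = $nameOk                       # False -> "target principal name is incorrect"
        NamesInCert   = ($names -join ', ')
        ServerAuthEku = $ekuOk
    }
}

function Test-SqlEncryptedConnection {
    param([Parameter(Mandatory)] [string] $ServerName)
    # TrustServerCertificate=False (the default) keeps validation on. Setting it to True
    # would make both errors disappear by skipping the checks rather than by fixing them.
    $cs = "Server=$ServerName;Integrated Security=True;Encrypt=True;TrustServerCertificate=False;Connection Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try     { $conn.Open(); "Encrypted connection to $ServerName succeeded" }
    catch   { "Connection failed: $($_.Exception.GetBaseException().Message)" }
    finally { $conn.Dispose() }
}

# Run the certificate check with the NetBIOS name and with the FQDN to see the name mismatch,
# then attempt the connection with the name that matched.
Test-SqlServerCertificate -CertPath 'C:\temp\sqlserver-public.cer' -ServerName 'guyinacubesql'
Test-SqlServerCertificate -CertPath 'C:\temp\sqlserver-public.cer' -ServerName 'guyinacubesql.guyinacube.com'
Test-SqlEncryptedConnection -ServerName 'guyinacubesql.guyinacube.com'
```

Before the certificate is imported into Trusted Root, ChainTrusted is False with UntrustedRoot in ChainProblems; after the import it turns True while NameMatches still tells the NetBIOS name and the FQDN apart, which is the order in which the two errors appear above.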
Domain Certificate
I mentioned that you could have a Certification Authority within your organization (such as your Domain). I can create a Domain Certificate multiple ways, but the easiest way for me is to just do it on a machine that has IIS installed. When you go to the server, and look at Server Certificates, an option on the left says Create Domain Certificate.
When you create that certificate, you will see the CA Certificate as a root within the Certification Path tab.
From the domain perspective, every machine joined to the domain will have that CA Certificate in the Trusted Root store, so no action is needed. It would just work.
Adam W. Saxton | Microsoft Business Intelligence Support – Escalation Services | @GuyInACube | Mixes | YouTube | Facebook.com/guyinacube