Certificate Error

Lisa_Jacobson
Confirmed Champ

Hi All,

 

I'm receiving the following error when I have my thumbprint in both the signing and encryption certificate path values in the idpconfig file. Does anything look incorrect in my setup?

 

System.ArgumentException: Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes. If you only want to use it for signing, set the Use property to Signing (CertificateUse.Signing).
at Sustainsys.Saml2.Configuration.ServiceCertificateCollection.InsertItem(Int32 index, ServiceCertificate item)
at Hyland.Identity.Server.Extensions.AspNetCore.Authentication.ExternalAuthenticationProviderExtensions.<>c__DisplayClass1_0.<ConfigureSaml2>b__0(Saml2Options binderOptions) in C:\j\workspace\2.4.1\src\Hyland.Identity.Server\Extensions\AuthenticationBuilder\ExternalAuthenticationProviderExtensions.cs:line 175
at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)

 

[two image attachments from the original post are not preserved]

 

 

1 ACCEPTED ANSWER

AdamShaneHyland
Employee

Hi @Lisa Jacobson,

 

Based on the certificate having the correct Usage Properties, this is likely referring to the permissions of the Private Key referenced by the thumbprint which exists in your Personal Certificate Store.  The Private Key needs to be granted READ permissions by the account running your Hyland IDP Application Pool.

 

You can verify by doing the following ...

  • Start | Run | mmc
  • File | Add/Remove Snap-In ...
  • Find the Certificates add-in and click Add >
  • Select the Computer account radio button and click Finish
  • Navigate to the certificate's private key under Console Root | Certificate (Local Computer) | Personal | Certificates
  • Right click on the certificate | All Tasks | Manage Private Keys...
  • Add the Hyland IDP Application Pool Identity account
  • Grant the account READ permissions by selecting the checkbox under Allow

Best wishes.
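The same verification and grant as a script, added here as an example (this is not code from the original post, from Hyland, or from Sustainsys). It resolves the certificate by thumbprint in LocalMachine\My, locates the file that backs its private key (CAPI keys under RSA\MachineKeys, CNG keys under Keys) and adds a Read ACE for the application pool identity if one is missing. The thumbprint and application pool name are placeholders you must replace; run it in an elevated PowerShell session on the IDP server.

```powershell
# Added example (not from the original post or from Hyland): scripted version of
# the "Manage Private Keys..." steps above.
# Placeholders: $Thumbprint (your SAML certificate's SHA-1 thumbprint) and
# $AppPoolName (the IIS application pool that runs the Hyland IDP).
param(
    [string]$Thumbprint  = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string]$AppPoolName = 'HylandIdentityProvider'
)

$identity = "IIS AppPool\$AppPoolName"
$tp = $Thumbprint.ToUpperInvariant()

# 1. The IDP reads LocalMachine\My; a certificate that only exists in
#    CurrentUser\My (e.g. imported while logged in as yourself) will not be found.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; import the PFX, not just the .cer" }

# 2. Resolve the private key file. Which folder it lives in depends on whether the
#    key was created with a CAPI CSP or a CNG key storage provider.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path $cryptoRoot "RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $cryptoRoot "Keys\$($rsa.Key.UniqueName)"
} else {
    throw "Unexpected private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path $keyFile)) {
    throw "Private key file not found at $keyFile (keys held in a TPM/HSM are not file-backed)"
}
Write-Host "Private key file: $keyFile"

# 3. Does the app pool identity already have an Allow ACE that includes Read?
$readRights = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRights) -eq $readRights)
}

if ($existing) {
    Write-Host "$identity already has Read on the private key"
} else {
    # 4. Grant Read only. Using the key for signing or decryption does not need
    #    Full Control, and least privilege limits what a compromised app pool can do.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted Read on the private key to $identity"
}

# 5. Print the resulting ACL so the change can be recorded.
(Get-Acl -Path $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the script reports that Read is already present and the Sustainsys error persists, the permission is not the cause: the same exception text also covers a key that cannot be used for decryption at all, which is the case Kelly describes further down this thread.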

4 REPLIES


Kelly_Gossett
Confirmed Champ

To add some information to this, we're having the same issue with a cert similar to the one described above (same key usages, attempting to use for both signing and encryption). We have verified the permissions as laid out by Adam above and everything looks right.

 

I just wanted to add that we don't get this error when we add our cert only to the Signing Certificate section of the Hyland IDP admin tool. It saves fine for the signing cert. The issue appears when we add the thumbprint of the cert to the Decryption Certificate field and click Save. We then get an error stating the Provider could not be updated in the admin tool, and the exception noted below is found in the Diagnostics console logs. 

 

System.ArgumentException: Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes.

AdamShaneHyland
Employee

Hi @Kelly Gossett,

 

The Signing Certificate and Decryption Certificates both require RSA keys set with the Digital Signature Key Usage property.  The private key of the certificate MUST be placed in the LocalMachine\My (Personal) certificate store on the machine and MUST be accessible (e.g. READ permission) for the account running the Application Pool for the Hyland Identity Provider web application.

 

If this does not work to resolve your issue, please reach out to your first line of support for further troubleshooting.

 

Best wishes.

Kelly_Gossett
Confirmed Champ

Thanks, Shane. We already had all of that in place. Our FLOS was unable to help us but we independently found the source of the problem.

 

When generating the CSR the "Key Type" was defaulting to "Signature" which is invalid if using it for both signing and encryption. We generated a new cert with a Key Type of "Exchange", which we discovered makes it valid for both signing and encryption, and this solved our problem.

 

I am posting this in the hope that it will help anyone else struggling with this to bring this to a resolution since this information is not a part of the Hyland documentation.

 

Thanks!

-Kelly
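A way to check the key type Kelly describes before re-issuing anything, and to request the replacement with the right type, added here as an example (not code from the thread, from Hyland, or from Sustainsys). The first part reports, for an existing certificate in LocalMachine\My, the Key Usage extension and whether the RSA key was created as a CAPI Signature (AT_SIGNATURE) or Exchange (AT_KEYEXCHANGE) key, or as a CNG key with its CNG usage flags. The second part writes a certreq INF that asks for an Exchange key (KeySpec = 1) with both Digital Signature and Key Encipherment usages. The thumbprint, subject name, provider and output path are placeholders.

```powershell
# Added example (not from the original thread or Hyland documentation).
# Placeholders: $Thumbprint (existing cert to inspect), $Subject and $InfPath
# (for the replacement CSR).
param(
    [string]$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string]$Subject    = 'CN=idp.example.com',
    [string]$InfPath    = "$env:TEMP\idp-saml.inf"
)

function Get-KeyTypeReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Key Usage extension (what the CA said the key may be used for).
    $ku = $Cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    # Key type in the store (what Windows will actually let the key do).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CAPI: KeyNumber is Signature (AT_SIGNATURE) or Exchange (AT_KEYEXCHANGE).
        # A Signature key cannot decrypt, whatever the Key Usage extension says.
        $keyType = "CAPI $($rsa.CspKeyContainerInfo.KeyNumber)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG: KeyUsage is AllUsages, Signing, Decryption or KeyAgreement.
        $keyType = "CNG $($rsa.Key.KeyUsage)"
    } else {
        $keyType = "unknown ($($rsa.GetType().Name))"
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        KeyUsage   = if ($ku) { $ku.KeyUsages } else { '(no Key Usage extension)' }
        KeyType    = $keyType
        CanDecrypt = [bool]($keyType -match 'Exchange|AllUsages|Decryption')
    }
}

$tp = $Thumbprint.ToUpperInvariant()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $tp
if ($cert) { Get-KeyTypeReport -Cert $cert | Format-List }
else       { Write-Warning "No certificate with thumbprint $tp in LocalMachine\My" }

# certreq INF for the replacement CSR.
#   KeySpec  = 1    AT_KEYEXCHANGE ("Exchange": signing and decryption)
#   KeySpec  = 2    AT_SIGNATURE  ("Signature": signing only, the default Kelly hit)
#   KeyUsage = 0xA0 Digital Signature (0x80) + Key Encipherment (0x20)
# Exportable is FALSE so the key cannot be pulled out of the store later; set it
# to TRUE only if you need a PFX backup.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "$Subject"
KeyAlgorithm  = RSA
KeyLength     = 2048
KeySpec       = 1
KeyUsage      = 0xA0
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable    = FALSE
RequestType   = PKCS10
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII
Write-Host "INF written to $InfPath. Generate the CSR with:"
Write-Host "  certreq -new `"$InfPath`" `"$env:TEMP\idp-saml.req`""
```

MachineKeySet = TRUE puts the key in the machine store so it lands in LocalMachine\My after the issued certificate is accepted (certreq -accept), which is where the IDP looks for it; the application pool identity still needs Read on the private key as in the accepted answer. For a lab test without a CA, New-SelfSignedCertificate -KeySpec KeyExchange -KeyUsage DigitalSignature,KeyEncipherment produces a certificate with the same key type and usages.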