

olspookishmagus

Creating a private key on WinXP to sign a PowerShell Script with makecert is no longer possible?


Hello.

I'm struggling to create a private key to then use to sign a PowerShell script, and I could really use some help on this.

Firstly, I wanted to be able to run PowerShell scripts without having to lower PowerShell's execution policy, and in order to do that one has to be able to sign scripts.

Therefore, after installing the Windows SDK, I'm trying to create a private key (and then a certificate) in order to be able to sign scripts.

But this fails as follows:

C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin>makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Error: Can't create the key of the subject ('root.pvk') Failed

And so I've begun trying to debug this, with no success.

So far I've checked with these:

  • checked makecert's documentation to confirm that the command parameters are correct
  • executed the command from within a non-special directory
  • executed the command as the local Administrator user
  • executed the command from an "elevated" Command Prompt or an "elevated" PowerShell
  • made sure the security permissions for _ALL_ the Crypto/RSA directories are set as indicated

If you have any ideas, or you would like to share your insights, or would have me walk over again something I've already tried/mentioned, please feel free to comment.

Thanks in advance.


Welcome to the forum! :) FWIW, your exact command works fine on my XP SP3 with POSReady updates.

I don't actually have the SDK properly installed, only the tools manually extracted from the installer into a C:\Program Files subfolder. My makecert.exe version is 6.1.7600.16385. I'm logged in as a member of the local Administrators group, so I just ran this in my regular command prompt. I got prompted to create a private key password (at which point root.pvk had been created but was empty; the file got filled in after completing the dialog), then to enter said password (after which root.cer was created). When I disabled my Write permission for the folder, I got two error messages: "Error: Unable to create file for the subject ('root.pvk')" plus the one you saw.

Might want to try tracing the execution with Sysinternals Process Monitor (procmon) to narrow down which registry keys and/or files makecert seems to have a problem with. Judging from my output when I ran the command without the " -ss Root -sr localMachine" part (since with the error you're seeing you'd never get to updating the cert store), the only file writes (except for the .pvk and .cer, and directory updates) seemed to be two files that were created and later deleted under ?:\Documents and Settings\username\Application Data\Microsoft\Crypto\RSA\S-*, and you say you've already checked the permissions there. There also seemed to be no registry writes in this case.

Edited by mixit

2 hours ago, mixit said:

Welcome to the forum! :)
...

Thanks for your reply and the welcome (I hope MSFN WILL be around forever).

 

2 hours ago, mixit said:

...
FWIW, your exact command works fine on my XP SP3 with POSReady updates.
...
 

What are the "POSReady updates"?

 

2 hours ago, mixit said:

...
My makecert.exe version is 6.1.7600.16385.
...

Mine is version: 5.131.3790.0 with sha1sum: 53bbd8b86fcbee9316e02af399634522b12539b0.

 

2 hours ago, mixit said:

...
I'm logged in as a member of the local Administrators group, so I just ran this in my regular command prompt. I got prompted to create a private key password (at which point root.pvk had been created but was empty; the file got filled in after completing the dialog), then to enter said password (after which root.cer was created). When I disabled my Write permission for the folder, I got two error messages: "Error: Unable to create file for the subject ('root.pvk')" plus the one you saw.
...

This is what I've been investigating lately. I'm logged in as an Active Directory user who is also a member of the local Administrators group. There's also a local user with the same "name", but these two "accounts" have different SIDs. Still, no combination of currently active user can generate a key/certificate (I've been trying with runas). However, I can freely create and delete files within CryptoAPI-related directories. I'm noticing some small differences and inconsistencies, though.

 

2 hours ago, mixit said:

...
Might want to try tracing the execution with Sysinternals Process Monitor (procmon) to narrow down which registry keys and/or files makecert seems to have a problem with. Judging from my output when I ran the command without the " -ss Root -sr localMachine" part (since with the error you're seeing you'd never get to updating the cert store). the only file writes (except for the .pvk and .cer, and directory updates) seemed to be two files that were created and later deleted under ?:\Documents and Settings\username\Application Data\Microsoft\Crypto\RSA\S-*, and you say you've already checked the permissions there. There also seemed to be no registry writes in this case.

More info on this procedure, please.

 

Edited by olspookishmagus


OK, without being sure I did what I did right (duh ^^), I get this type of "error":

Operation : IRP_MJ_CREATE
Result    : NAME COLLISION
Path      : $Env:USERPROFILE\Application Data\Microsoft\Crypto\RSA\S-ID

I think I'm getting there.

 

3 hours ago, olspookishmagus said:

What are the "POSReady updates"?

Windows Embedded POSReady 2009 is an XP flavor with a few added features that is still getting official updates from Microsoft until early 2019. These updates can very easily be used on regular XP, so far with no real compatibility issues (that I can recall, anyway). This very forum here happens to have some mighty good ongoing coverage on this subject. :lol:

3 hours ago, olspookishmagus said:

Mine is version: 5.131.3790.0

The Microsoft Windows SDK for Windows 7 and .NET Framework 4 that you linked to above contains the 6.1.7600.16385 I have (GRMSDK_EN_DVD.iso, \Setup\WinSDKTools\WinSDKTools_x86.msi). I didn't notice before that you're (apparently) using a version from Microsoft Visual Studio 8 SDK v2.0. Using the newer version might make a difference.

3 hours ago, olspookishmagus said:

More info on this procedure, please.

The current v3.40 from MS no longer works with XP, but you still can get v3.20 from archive.org. Set your filter to Include when Process Name "is" makecert.exe, run makecert, and go from there - the interface is pretty self-explanatory, assuming you have some idea about registry and file API calls. (It usually makes sense to turn capturing off as soon as you've run whatever you're interested in, leaving it on while you browse the log will just put needless load on the system.)

2 hours ago, olspookishmagus said:

Operation : IRP_MJ_CREATE
Result : NAME COLLISION
Path : $Env:USERPROFILE\Application Data\Microsoft\Crypto\RSA\S-ID

I don't know off the top of my head what those errors could be about and I'm sure you can google just as well as I could. :) Good luck!

Edited by mixit

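To go with the procmon procedure above: an added PowerShell example (not code from the thread or from Sysinternals) that triages a Process Monitor CSV export (File > Save..., CSV format) of a makecert.exe run instead of scrolling the GUI log. It drops the results that are usually benign probes (NAME COLLISION on a directory create, NAME NOT FOUND, and so on) and keeps the ones that would actually explain "Can't create the key of the subject", such as ACCESS DENIED on a file under the Crypto\RSA\S-* key-container directory. The CSV text, the SID, the PID and the file names in it are a constructed sample in procmon's export column layout, not a real capture.

```powershell
# Added example, not from the thread: triage a procmon CSV export in PowerShell 2.0.
# The rows below are a CONSTRUCTED sample using procmon's export columns
# ("Time of Day","Process Name","PID","Operation","Path","Result","Detail").
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:20:01.1000000 PM","makecert.exe","1234","CreateFile","C:\Documents and Settings\user\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1-2-3-1000","NAME COLLISION","Desired Access: Read Data/List Directory, Disposition: Create, Options: Directory"
"6:20:01.2000000 PM","makecert.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001","SUCCESS","Desired Access: Read"
"6:20:01.3000000 PM","makecert.exe","1234","CreateFile","C:\Documents and Settings\user\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1-2-3-1000\f1e2d3c4a5b6_tmp","ACCESS DENIED","Desired Access: Generic Write, Disposition: Create"
"6:20:01.4000000 PM","explorer.exe","456","CreateFile","C:\Documents and Settings\user\Desktop","SUCCESS","Desired Access: Read Data"
"6:20:01.5000000 PM","makecert.exe","1234","CreateFile","C:\work\root.pvk","SUCCESS","Desired Access: Generic Write, Disposition: Create"
'@

function Get-ProcmonFailures {
    param(
        [string[]]$CsvLines,                       # lines of a procmon CSV export
        [string]$ProcessName = 'makecert.exe'      # process to keep
    )
    # Results that normally do not indicate a problem: a successful call, a
    # CREATE_NEW on an existing name, a probe for a missing file, enumeration
    # ends and size-probe overflows. Everything else is worth a look.
    $benign = 'SUCCESS', 'NAME COLLISION', 'NAME NOT FOUND', 'NO MORE FILES',
              'END OF FILE', 'BUFFER OVERFLOW'
    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.'Process Name' -eq $ProcessName -and $benign -notcontains $_.Result }
}

# Split the here-string into lines (a real export would be: Get-Content .\Logfile.CSV).
$failures = Get-ProcmonFailures -CsvLines ($sample -split "`r?`n")

# Show the interesting rows: here the ACCESS DENIED write inside the key-container
# directory, which is exactly where makecert stores the new private key.
$failures | Format-Table 'Time of Day', Operation, Result, Path -AutoSize

# Summarise by (Result, Operation) to spot repeated patterns in a long capture.
$failures | Group-Object Result, Operation | Select-Object Count, Name
```

With a real capture, replace the here-string with `Get-Content` on the exported CSV; the filter stays the same. If the only non-benign rows are under the Crypto\RSA\S-* directory, the SID in that path tells you which account's key store is being written, which is the first thing to compare against the `runas` experiments earlier in the thread.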
On 10/6/2017 at 6:20 PM, mixit said:

Windows Embedded POSReady 2009 is an XP flavor with a few added features that is still getting official updates from Microsoft until early 2019. These updates can very easily be used on regular XP, so far with no real compatibility issues (that I can recall, anyway). This very forum here happens to have some mighty good ongoing coverage on this subject. :lol:

...

Whoa! Thanks for the tip.

On 10/6/2017 at 6:20 PM, mixit said:

...

The Microsoft Windows SDK for Windows 7 and .NET Framework 4 that you linked to above contains the 6.1.7600.16385 I have (GRMSDK_EN_DVD.iso, \Setup\WinSDKTools\WinSDKTools_x86.msi). I didn't notice before that you're (apparently) using a version from Microsoft Visual Studio 8 SDK v2.0. Using the newer version might make a difference.

...

And I followed that advice and the outcome is at the bottom of this post.

On 10/6/2017 at 6:20 PM, mixit said:

...

The current v3.40 from MS no longer works with XP, but you still can get v3.20 from archive.org. Set your filter to Include when Process Name "is" makecert.exe, run makecert, and go from there - the interface is pretty self-explanatory, assuming you have some idea about registry and file API calls. (It usually makes sense to turn capturing off as soon as you've run whatever you're interested in, leaving it on while you browse the log will just put needless load on the system.)

...

I used v2.94 flawlessly, but it's useful to know which is the last version that works with XP.
(I've always thought it would be useful to have a catalog of the last version of software that works with XP.)

On 10/6/2017 at 6:20 PM, mixit said:

...

I don't know off the top of my head what those errors could be about and I'm sure you can google just as well as I could. :) Good luck!

Never mind the IRP_MJ_* messages; I've installed the latest SDK for Windows XP and after typing, re-typing and confirming (!) the private key password, now I get this:

Error: CryptSignAndEncodeCertificate(cbEncoded == 0) failed => 0x80090008 (-2146893816)
Failed

I'll now have to look on how to surpass that too.

 

5 minutes ago, olspookishmagus said:

... I've installed the latest SDK for Windows XP and after typing, re-typing and confirming (!) the private key password, now I get this:


Error: CryptSignAndEncodeCertificate(cbEncoded == 0) failed => 0x80090008 (-2146893816)
Failed

I'll now have to look on how to surpass that too.

Changing the algorithm to sha-1 (-a sha1) brought me to success!
Thanks a ton mixit, thanks a ton MSFN!

 

3 hours ago, olspookishmagus said:

Changing the algorithm to sha-1 (-a sha1) brought me to success!
Thanks a ton mixit, thanks a ton MSFN!

I thought you were using -a sha1 to begin with? In any case, I'm glad it worked out in the end. :)

BTW, it turns out that if you want to use -a sha256|sha384|sha512 on XP, you can do so by adding -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -sy 24 (24 is PROV_RSA_AES type), and of course you can use -len 2048|4096 for longer keys. The CSP makecert defaults to doesn't have SHA-2, hence the NTE_BAD_ALGID (0x80090008) errors.

3 hours ago, olspookishmagus said:

(I've always thought it would be useful to have a catalog of the last version of software that works with XP.)

http://www.msfn.org/board/topic/176299-latest-version-of-software-running-on-xp/ has a bunch, even if the list is spread all over the topic. (In fact, had it occurred to me to look there first, I wouldn't have had to hunt down procmon on my own.)

Edited by mixit
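The CSP point in the post above (SHA-2 needs a PROV_RSA_AES provider; the type-1 provider returns NTE_BAD_ALGID) can be checked without makecert at all. The following is an added PowerShell example, not code from the thread: it lists the CSPs registered under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider with their provider type, picks the type-24 provider by type rather than by hard-coded name (on XP the name carries the "(Prototype)" suffix; later Windows versions drop it), and then asks each provider for an RSA/SHA-256 signature through .NET's RSACryptoServiceProvider so the failure can be seen directly. It assumes PowerShell 2.0 with .NET 2.0 or later, that the registry key and its "Type" value are laid out as on XP, and that "Microsoft Enhanced Cryptographic Provider v1.0" is the registered type-1 CSP; the key pair it generates is ephemeral.

```powershell
# Added example, not from the thread: find the PROV_RSA_AES CSP and show why a
# type-1 CSP fails for SHA-2. Assumes PowerShell 2.0 / .NET 2.0+ on Windows XP.

$provRoot      = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
$PROV_RSA_FULL = 1    # type of "Microsoft Enhanced Cryptographic Provider v1.0"
$PROV_RSA_AES  = 24   # type of the "... Enhanced RSA and AES ..." provider (-sy 24)

# 1. Every registered CSP with its provider type (assumes the XP layout: one subkey
#    per provider, DWORD value "Type").
$csps = Get-ChildItem $provRoot | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{ Name = $_.PSChildName; Type = [int]$p.Type }
}
$csps | Sort-Object Type | Format-Table Type, Name -AutoSize

# 2. Select the PROV_RSA_AES provider by type; its exact name is what goes after -sp.
$aesName = ($csps | Where-Object { $_.Type -eq $PROV_RSA_AES } | Select-Object -First 1).Name
if (-not $aesName) { throw 'No PROV_RSA_AES (type 24) CSP is registered on this machine' }
"PROV_RSA_AES provider name for makecert -sp: $aesName"

# 3. Ask a provider for an RSA/SHA-256 signature. The type-1 CSP has no SHA-2 and
#    throws CryptographicException "Invalid algorithm specified", i.e. NTE_BAD_ALGID
#    (0x80090008), the same error makecert reports; the type-24 CSP succeeds.
function Test-Sha256Signing([int]$type, [string]$name) {
    $params = New-Object System.Security.Cryptography.CspParameters($type, $name)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $params)
    $rsa.PersistKeyInCsp = $false        # ephemeral key container, nothing left behind
    $data = [Text.Encoding]::ASCII.GetBytes('constructed test input')
    try {
        $sig = $rsa.SignData($data, 'SHA256')
        $ok  = $rsa.VerifyData($data, 'SHA256', $sig)
        '{0,-3} {1,-62} SHA-256 OK (verify={2})' -f $type, $name, $ok
    } catch [System.Security.Cryptography.CryptographicException] {
        '{0,-3} {1,-62} FAILED: {2}' -f $type, $name, $_.Exception.Message
    } finally {
        $rsa.Clear()
    }
}

Test-Sha256Signing $PROV_RSA_FULL 'Microsoft Enhanced Cryptographic Provider v1.0'
Test-Sha256Signing $PROV_RSA_AES  $aesName
```

If the second call fails as well, the -sp/-sy combination will not help makecert either, and the fix is the CSP, not the command line. Note also that -sy and -sp must agree: passing the type-24 name with the wrong -sy value makes CryptAcquireContext fail before any hashing happens.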
On 10/9/2017 at 8:40 PM, mixit said:

I thought you were using -a sha1 to begin with? In any case, I'm glad it worked out in the end. :)

...

I did! But then I saw the newer options of the makecert.exe version: 6.1.7600.16385 (win7_rtm.090713-1255) and I got greedy! :D

On 10/9/2017 at 8:40 PM, mixit said:

...

BTW, it turns out that if you want to use -a sha256|sha384|sha512 on XP, you can do so by adding -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -sy 24 (24 is PROV_RSA_AES type), and of course you can use -len 2048|4096 for longer keys. The CSP makecert defaults to doesn't have SHA-2, hence the NTE_BAD_ALGID (0x80090008) errors.

...

Once again you leave me astonished. Thanks!

On 10/9/2017 at 8:40 PM, mixit said:

...

http://www.msfn.org/board/topic/176299-latest-version-of-software-running-on-xp/ has a bunch, even if the list is spread all over the topic. (In fact, had occurred to me to look there first, I wouldn't have had to hunt down procmon on my own.)

OK, did I say "astonished"? Let me upgrade that to "flabbergasted"!
Can I buy you a beer somehow?

 

Edited by olspookishmagus


@olspookishmagus
No reward is necessary :), but it might be useful to change the topic title into something more generally descriptive, since most of what we've discussed here isn't really about Powershell scripts.

On 10/19/2017 at 4:33 PM, mixit said:

@olspookishmagus
...
it might be useful to change the topic title into something more generally descriptive, since most of what we've discussed here isn't really about Powershell scripts.

Well, my initial post was that I couldn't get makecert working on WinXP, which you guided me through resolving.


Now I've reached another burden about which I posted here.

If there is a way to mark this as resolved I would just do that, but if you insist on having the topic title changed too, feel free to PM me your suggested topic title.

 


I think you can just put [Solved] in front of the title to mark it as such (right, @dencorso?).

I'm far from "insisting" on changing the title :), I just thought what eventually got covered here was a bit more general than what the initial title would suggest and something like "makecert.exe tool quirks on Windows XP" might get more future readers to check it out. It was just a thought; and I'm definitely not suggesting that you were wrong to initially give the title maximum specificity when asking the question.


I felt like starting a new topic/thread on this, but anyway, as I'm awaiting @dencorso's response, I'd dare to ask for further advice/help without risking messing up the forum structure.

It seems I'm stuck trying to create an exportable "client" certificate with sha512. With sha1 or md5 it will be created and imported successfully. Otherwise it fails with:

Error: CryptSignAndEncodeCertificate(cbEncoded == 0) failed => 0x80090008 (-2146893816)
Failed

The command that fails is:

makecert -pe -n "CN=PowerShell Local User" -ss My -sr CurrentUser -a sha512 -len 2048 -m 13 -sy 24 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -eku 1.3.6.1.5.5.7.3.3 -iv PowerShell_Local_Certificate_Authority.pvk -ic PowerShell_Local_Certificate_Authority.cer

While the command that will succeed is:

makecert.exe -pe -n "CN=PowerShell Local User" -ss My -sr CurrentUser -a sha1 -len 4096 -m 13 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -sy 24 -eku 1.3.6.1.5.5.7.3.3 -iv PowerShell_Local_Certificate_Authority.pvk -ic PowerShell_Local_Certificate_Authority.cer

Also clarifying that both the referenced .pvk and .cer files were successfully previously generated with:

makecert.exe -r -ss Root -sr localMachine -eku 1.3.6.1.5.5.7.3.3 -sy 24 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" -a sha512 -len 4096 -m 13 -n "CN=PowerShell Local Certificate Authority" -sv PowerShell_Local_Certificate_Authority.pvk PowerShell_Local_Certificate_Authority.cer

Last but not least, thank you so much for your help, @mixit!

 

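The opening post's goal was to run scripts under a strict execution policy, and the post above gives the full makecert sequence (a self-signed CA in LocalMachine\Root, a code-signing certificate for "CN=PowerShell Local User" in CurrentUser\My). What neither post shows is the last step: actually signing a script with that certificate and checking that PowerShell accepts it. The following is an added PowerShell example, not code from the thread; it assumes PowerShell 2.0 on XP (so Set-AuthenticodeSignature's -HashAlgorithm parameter, which arrived in 3.0, is not used), that the two certificates from the commands above are in those stores, and that the script it writes to %TEMP% (a constructed sample) is disposable.

```powershell
# Added example, not from the thread: sign, verify and enforce. Assumes PowerShell 2.0,
# "CN=PowerShell Local User" (with private key) in Cert:\CurrentUser\My and the
# self-signed "CN=PowerShell Local Certificate Authority" in Cert:\LocalMachine\Root.

$subject = 'CN=PowerShell Local User'

# 1. Select the signing certificate. -CodeSigningCert keeps only certificates that
#    carry the code-signing EKU (1.3.6.1.5.5.7.3.3) and have a private key.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
if (-not $cert) { throw "No code-signing certificate '$subject' with a private key in Cert:\CurrentUser\My" }

# 2. Chain check: the leaf must chain to a root the machine trusts, which is why the
#    CA cert went into LocalMachine\Root. makecert certificates carry no CRL
#    distribution point, so revocation checking is turned off for this test.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "'$subject' does not chain to a trusted root"
}

# 3. Write a small script (constructed sample) and sign it.
$scriptPath = Join-Path $env:TEMP 'signed-demo.ps1'
Set-Content -Path $scriptPath -Value 'Write-Output "signed script ran"' -Encoding ASCII
$sig = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.Status) $($sig.StatusMessage)" }

# 4. Re-read the signature from the file, as PowerShell will do before running it.
$check = Get-AuthenticodeSignature -FilePath $scriptPath
"Signature status: $($check.Status); signer: $($check.SignerCertificate.Subject)"

# 5. Under AllSigned, a signer that is not in TrustedPublisher produces a
#    "run software from this untrusted publisher?" prompt on every run. Adding the
#    public certificate (no private key) to CurrentUser\TrustedPublisher removes it.
$pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, $cert.Export('Cert'))
$tp  = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'CurrentUser')
$tp.Open('ReadWrite')
$tp.Add($pub)          # no-op if it is already there
$tp.Close()

# 6. Require a valid signature on every script, for this user only
#    (without -Scope the setting goes to LocalMachine).
Set-ExecutionPolicy AllSigned -Scope CurrentUser -Force
Get-ExecutionPolicy -List

# 7. Tamper test: any change after signing breaks the hash, so the file is refused.
Add-Content -Path $scriptPath -Value '# tampered after signing'
"After edit: $((Get-AuthenticodeSignature -FilePath $scriptPath).Status)"   # HashMismatch
```

Two things to keep in mind with this setup. The signature hash algorithm PowerShell 2.0 uses is fixed, so the SHA-2 work done on the certificate chain above does not change what Set-AuthenticodeSignature produces; and the .pvk file from makecert is the CA's private key, so once the CA certificate is in the Root store and the user certificate has been issued, that file should be moved somewhere offline rather than left next to the scripts it signs.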

Both commands work fine for me (with cmd), so right now I don't really have a clue why it should give you NTE_BAD_ALGID again (assuming you're running all three commands in the same environment).

Edited by mixit


Let's change the thread title to "makecert.exe tool quirks on Windows XP" or something like it (I leave the exact choice to the OP), and then keep it going, at least until all the OP's related issues get solved (or at least explained and given workarounds), OK?

