Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
June 28, 10AM ET: Qlik Nation and Qlik Community present: CyberSleuth REGISTER TODAY

SHA-256 and Converting the Cryptographic Service Provider Type

cancel
Showing results for 
Search instead for 
Did you mean: 
Sonja_Bauernfeind
Digital Support
Digital Support

SHA-256 and Converting the Cryptographic Service Provider Type

SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider. This provider's type is 24.

More details about cryptographic service providers (CSPs) and their capabilities may be found at:
https://msdn.microsoft.com/en-us/library/windows/desktop/bb931357(v=vs.85).aspx
 

How to verify:

This can be checked using Microsoft's CertUtil command. The following command outputs information about the private key and certificate including the CSP.

c:\>certutil -dump c:\temp\idp.pfx
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 09ec562aa92ffa0ed554f5135afa3ccb
Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
 NotBefore: 2/7/2013 2:00 AM
 NotAfter: 4/4/2016 2:00 PM
Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE
Non-root Certificate
Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68
----------------  End Nesting Level 1  ----------------
  Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.

The "Microsoft RSA SChannel Cryptographic Provider" is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.

The PFX can be recreated specifying the required CSP.

Before conversion: 

- NB. The conversion does not modify the public or private key values or any other information apart from the CSP to use.
- NB. It's safe to perform this conversion on self-signed as well as certificate authority issued certificate files.
- One method to perform this conversion is to use OpenSSL. Windows binaries are available for download. Refer to the OpenSSL Wiki.


Start conversion:

1. Firstly, it must be converted from PKCS12 to PEM format. From the example below, you will see how to convert a single .pfx file containing both certificate and private key into a .pem format. When it was asked, be ready to provide the password used for protecting the private key.

c:\>openssl pkcs12 -in c:\temp\idp.pfx -out c:\temp\idp.pem
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:


2. Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

c:\>openssl pkcs12 -export -in c:\temp\idp.pem -out c:\temp\new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for c:\temp\idp.pem:
Enter Export Password:
Verifying - Enter Export Password:


3. Now you can verify the CSP in the new PFX file with the CertUtil command again.

c:\>certutil -dump c:\temp\new-idp.pfx
Enter PFX password:
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
Serial Number: 09ec562aa92ffa0ed554f5135afa3ccb
Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US
 NotBefore: 2/7/2013 2:00 AM
 NotAfter: 4/4/2016 2:00 PM
Subject: CN=*.qlik.com, O=QlikTech International AB, L=Lund, S=Skane, C=SE
Non-root Certificate
Cert Hash(sha1): d7 fe a0 8d c7 f5 e5 e4 ff e9 14 91 00 d9 95 5f 61 51 00 68
----------------  End Nesting Level 1  ----------------
  Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Encryption test passed
CertUtil: -dump command completed successfully.

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.

Conversion is Done!

OPTIONAL: If you have your certificate and private key stored in the .pem format already but separate files, the following command will help you to combine them and generate the .pfx file with the correct CSP.

openssl pkcs12 -export -inkey key.pem -in cert.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider" -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1


Reference link:
http://www.componentspace.com/Forums/1578/SHA256-and-Converting-the-Cryptographic-Provider-Type




 


 

Labels (1)
Version history
Last update:
‎2021-10-12 09:16 AM
Updated by: