Hello,
I'm running into an issue trying to generate a P12 certificate to install on a Windows machine using the PEM files auto-generated in the Visa developer dashboard. Here's an example of the command I'm running:
    openssl pkcs12 -export -out visaserver.p12 -inkey CertificatePrivateKey.pem -in ServerCert.pem -name "VISA Server Certificate"
When I run the above command, I get back "No certificate matches private key".
My CertificatePrivateKey.pem is the private key generated when I use the developer portal to generate CSR files. ServerCert.pem is the Server Encryption Certificate that is available for download after generating the CSR files.
From what I understand, the ServerCert.pem is the file I need to encrypt a request for MLE.
Additionally, I can create a P12 using the Client Encryption Certificate:
    openssl pkcs12 -export -out visaclient.p12 -inkey CertificatePrivateKey.pem -in ClientCert.pem -name "VISA Client Certificate"
And I can install this cert on a Windows machine. However, when I try to decrypt a message using this cert in C#, I get back an error: System.Security.Cryptography.CryptographicException : Key not valid for use in specified state.
Here's an example of the code I'm using...
    ...
    // Look up the certificate in the store opened earlier (elided above) by thumbprint;
    // the third argument (validOnly = true) skips certificates that fail chain validation
    var collection = my.Certificates.Find(X509FindType.FindByThumbprint, serverCertificateThumbprint, true);
    X509Certificate2 clientCertificate = collection[0];
    ...
    try
    {
        // .PrivateKey returns the legacy AsymmetricAlgorithm (RSACryptoServiceProvider) handle for the key
        using (var provider = clientCertificate.PrivateKey)
        {
            // Decrypt the compact JWE: RSA-OAEP-256 key wrapping, A128GCM content encryption
            return JWT.Decode(payload, provider, JweAlgorithm.RSA_OAEP_256, JweEncryption.A128GCM);
        }
    }
    catch (Exception e)
    {
        ...
    }
In both cases, I can encrypt/decrypt in C# using the data in the PEM files if I hard-code that data in my C#. It's just not working when I try to create the P12 files.
Hi @leighcrowder,
Are you trying to create the key stores for establishing Mutual SSL connectivity? If yes, please review this guide, which has detailed steps to create the key stores.
Once your Mutual SSL connectivity is established and you want to use Message Level Encryption (MLE), please reference this guide for the steps to configure MLE for your project and generate the private and public keys for encryption.
Here is an MLE tutorial you might find useful:
Please feel free to reach out with further questions.
Stacy,
No, I am not running into any issues with mutual SSL. This is for MLE. I have already generated the credentials on the developer portal. On the example you linked, I am working from the C# example and running into problems in step 3. Step 3 says:
To convert PEM certificate to a PKCS12 certificate, we will use Open SSL.
Execute the following OpenSSL command to create a PKCS12 (.p12) file:
    openssl pkcs12 -export -inkey cert.pem -in cert.pem -out cert.p12
I am running that command. For -inkey I am using the .PEM file which is generated when I do auto generate CSR (filename was originally key_33fbafd9-9280-4e11-9dd4-1611660a04b7.pem), and as the -in parameter I am using server_cert_33fbafd9-9280-4e11-9dd4-1611660a04b7.pem for the Server Certificate (used for encryption).
Hi @leighcrowder,
Good to know that there are no issues on the Mutual SSL connection part.
On the MLE instructions, step 3, it sounds like you are passing in the correct parameters. For the -inkey option, pass in the MLE private key. For the -in option, pass in the public server certificate.
Are you getting an error when you run the openssl command to generate the .p12 file? Or are you having issues decrypting the response?
I figured out part of my issue with the encryption - that is now working. I misunderstood the instructions and didn't realize I need ONLY the server .pem file for encryption.
However, for decryption I'm still running into the following issue.
I run this:
    openssl pkcs12 -export -out visaclientsandbox.p12 -inkey CertificatePrivateKey.pem -in ClientCert.pem -name "VISA Sandbox Client Certificate"
This generates a cert that I can install. But when I attempt to use it for decryption in C#, I get the error:
"Key not valid for use in specified state."
I have included a code snippet in my original post.
Hi @leighcrowder,
For decryption, you only need the MLE private key (the one which is generated during CSR creation).
Decryption Process:
1. Get the encrypted response string from Visa
2. Parse the response using JWE Object
3. Set the MLE Private Key to the JWE Object
4. Decrypt the Payload using the private key
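The four steps above, worked through in C# as an added example for this thread (it is not Visa's sample code nor part of the jose-jwt project). It loads the MLE private key from the .p12 built with the openssl command quoted earlier and hands an RSA object to jose-jwt. The file name, password and the JWE string are placeholders, and the example assumes a jose-jwt version that accepts System.Security.Cryptography.RSA keys for RSA-OAEP-256. One cause of "Key not valid for use in specified state" that is worth ruling out first: that is the exception RSACryptoServiceProvider.ExportParameters(true) throws when the key was imported into the store without the exportable flag, and the .NET Framework build of jose-jwt exports the CSP key internally to build a CNG key for OAEP-SHA256. Loading the .p12 with X509KeyStorageFlags.Exportable (or re-importing it into the store with "mark this key as exportable") keeps that path from failing.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Jose; // jose-jwt NuGet package, the same library used in the snippet in the original post

public static class MleDecryptor
{
    // Step 3: load the MLE private key (the one generated during CSR creation).
    // The .p12 is assumed to be the one created with:
    //   openssl pkcs12 -export -out visaclientsandbox.p12 -inkey CertificatePrivateKey.pem -in ClientCert.pem
    // Path and password are placeholders, not Visa-provided values.
    public static RSA LoadMlePrivateKey(string p12Path, string p12Password)
    {
        // Exportable matters: a CSP key imported without it cannot be exported, and the
        // .NET Framework build of jose-jwt exports the key to perform RSA-OAEP-256,
        // which is where "Key not valid for use in specified state" surfaces.
        var flags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet;
        var cert = new X509Certificate2(p12Path, p12Password, flags);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "The .p12 contains no private key; check the -inkey file passed to openssl.");

        // GetRSAPrivateKey() returns an RSA instance (RSACng on Windows) rather than the
        // legacy RSACryptoServiceProvider returned by .PrivateKey; the CNG key supports OAEP-SHA256 directly.
        RSA key = cert.GetRSAPrivateKey();
        if (key == null)
            throw new InvalidOperationException("The private key in the .p12 is not an RSA key.");
        return key;
    }

    // Steps 1, 2 and 4: take the encrypted response string, check the JWE header, decrypt with the private key.
    public static string DecryptMleResponse(string encryptedResponse, RSA mlePrivateKey)
    {
        // Step 2: parse the protected header before decrypting, and refuse anything that does not
        // announce the algorithms this code expects (RSA-OAEP-256 / A128GCM, as in the original snippet).
        // Passing the algorithms explicitly to Decode enforces the same thing; the header check gives a clearer error.
        IDictionary<string, object> header = JWT.Headers(encryptedResponse);
        object alg, enc;
        if (!header.TryGetValue("alg", out alg) || !"RSA-OAEP-256".Equals(alg as string, StringComparison.Ordinal) ||
            !header.TryGetValue("enc", out enc) || !"A128GCM".Equals(enc as string, StringComparison.Ordinal))
        {
            throw new InvalidOperationException("Unexpected JWE header: alg=" + alg + ", enc=" + enc);
        }

        // Steps 3 and 4: jose-jwt unwraps the content key with RSA-OAEP-256 using the MLE private key,
        // then decrypts and authenticates the payload with AES-128-GCM.
        return JWT.Decode(encryptedResponse, mlePrivateKey, JweAlgorithm.RSA_OAEP_256, JweEncryption.A128GCM);
    }

    public static void Main()
    {
        // Placeholder inputs: replace with the real file, its password and the JWE taken from a Visa response.
        string p12Path = "visaclientsandbox.p12";
        string p12Password = "<p12 password>";
        string encryptedResponse = "<compact JWE from the Visa response>";

        using (RSA key = LoadMlePrivateKey(p12Path, p12Password))
        {
            string clearText = DecryptMleResponse(encryptedResponse, key);
            Console.WriteLine(clearText);
        }
    }
}
```

If the certificate must stay in the Windows store rather than be loaded from the file, the same GetRSAPrivateKey() call works on the X509Certificate2 returned by the store lookup in the original post; the exportable flag then has to be set at import time (MMC's "mark this key as exportable" or the equivalent certutil option), because it cannot be added afterwards.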