
Private key certificate does not support digital signature when loaded via X509Certificate

Recently I faced a need to exchange SOAP messages with a Java web service where digitally signing messages is mandatory for communication. The process is, as expected, signing messages with a private key in order for the opposite side to validate it with a public one, etc. The only difference this time is that the opposite side is the Authority itself.

I initially create a certificate request using the following command

openssl req -new -newkey rsa:1024 -keyout myprivatekey.pem -out myrequest.pem

The command above creates the private key and the request for my certificate. Afterwards, I send them (via their site) the certificate request "myrequest.pem" in order for them to authorize the certificate and create the final (and valid) one. When I receive my answer (let's say the authorized certificate "complete.pem"), together with the previously generated myprivatekey.pem I create the .pfx private key, which should be ready for immediate use.

openssl pkcs12 -export -out myprivatekey.pfx -in complete.pem -inkey myprivatekey.pem -name "testcertificate"

The above creates myprivatekey.pfx, which I successfully verify against the certificate. The problems begin when I try to sign my message via Studio 2005 and WSE 3.0 with the following code:

using System.Security.Cryptography.X509Certificates; // X509Certificate2
using Microsoft.Web.Services3.Security.Tokens;        // WSE 3.0 X509SecurityToken
X509Certificate2 cert = new X509Certificate2(path, "pass");
X509SecurityToken certToken = new X509SecurityToken(cert);

The SupportsDigitalSignature property of certToken is set to false, so I'm not able to sign my messages and thus cannot continue. Note that the same procedure with a self-signed certificate and a private key I issued myself and loaded in X509SecurityToken seems to support digital signature (property is true).

I guess that it has something to do with the final authorized certificate I get from them, but I'm starting to suspect that I'm doing something wrong.

Any ideas what to check?

Install your certificate to Windows Certificate storage (double-click on the PFX file in Explorer). Then go to the Internet Settings dialog in Internet Explorer and find the "Certificates" button on the Contents tab. In the dialog that opens, find the installed certificate and browse its details. Check the Key Usage field. It must include Digital Signature (or similar words).

Update: as I mentioned in the comment below, if it's the other party that generates the certificate, you can ask them if their software sets Key Usage extension properly when processing your request. Usually it's CA's job to set Key Usage, as they authorize you to use this certificate for certain purpose.

Possibly your certificate does not include Digital Signature as a valid key usage. You can check it with the following command:

openssl x509 -in complete.pem -purpose
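The check both answers above describe, the Key Usage extension must contain digitalSignature, done offline in pure Python as an added example (not code from the question or the answers): the function decodes the DER BIT STRING that carries KeyUsage (what `X509Extension.RawData` returns in .NET for OID 2.5.29.15, or what `openssl asn1parse` shows for that extension) and the sample byte strings are constructed here to mimic a CA-issued certificate with and without the signing bit.

```python
# KeyUsage bit names in RFC 5280 order; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Constructed sample values (DER BIT STRING: tag 0x03, length, unused-bit count, bits).
SAMPLE_CA_ISSUED = bytes.fromhex("030205a0")   # digitalSignature + keyEncipherment
SAMPLE_NO_SIGNING = bytes.fromhex("03020520")  # keyEncipherment only: cannot sign


def decode_key_usage(ext_value):
    """Return the set of KeyUsage names encoded in a DER BIT STRING.

    ext_value is the raw extension value; None means the extension is absent,
    which is returned as None so the caller can treat it as 'no restriction'.
    """
    if ext_value is None:
        return None
    if len(ext_value) < 3 or ext_value[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = ext_value[1]
    if length & 0x80 or length != len(ext_value) - 2:
        raise ValueError("bad BIT STRING length")
    unused_bits = ext_value[2]
    bits = ext_value[3:]
    if unused_bits > 7 or (not bits and unused_bits):
        raise ValueError("bad unused-bits count")
    total_bits = len(bits) * 8 - unused_bits  # DER drops trailing zero bits
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(name)
    return names


def supports_digital_signature(ext_value):
    """True when the certificate may sign: KeyUsage absent (RFC 5280 imposes no
    restriction then) or digitalSignature set."""
    usages = decode_key_usage(ext_value)
    return usages is None or "digitalSignature" in usages


if __name__ == "__main__":
    for label, value in (("CA-issued", SAMPLE_CA_ISSUED), ("no signing", SAMPLE_NO_SIGNING)):
        print(label, sorted(decode_key_usage(value)), supports_digital_signature(value))
```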

When you use the -x509 switch to generate a self-signed certificate, different default extensions are "requested". Check your config file for OpenSSL, notably the req_extensions and x509_extensions sections.
