Avkash Chauhan's Blog


Uploading Certificate to Windows Azure Management Portal using CSUPLOAD Error - "Key not valid for use in specified state"


Recently I was working with someone on Windows Azure SDK 1.5 and a VM Role deployment. While trying to upload a certificate to the Windows Azure Management Portal with csupload, the following error occurred:

C:\Program Files\Windows Azure SDK\v1.5\bin>csupload add-servicecertificate -Connection "SubscriptionID=<Subscription_ID>;CertificateThumbprint=<MGMT_CERT_THUMBPRINT>" -HostedServiceName "testcodewp" -Thumbprint "b28daea93e520d85391987c6a6efb52be9278195"
Windows(R) Azure(TM) Upload Tool version 1.5.0.0
for Microsoft(R) .NET Framework 3.5
Copyright (c) Microsoft Corporation. All rights reserved.

arg[0]="add-servicecertificate"
arg[1]="-Connection"
arg[2]="******************"
arg[3]="-HostedServiceName"
arg[4]="testcodewp"
arg[5]="-Thumbprint"
arg[6]="b28daea93e520d85391987c6a6efb52be9278195"
Uploading service certificate to 'testcodewp'.
Error trying to access certficate. The most likely cause is the private
key is not exportable. Please reimport the certficate with the
private key marked exportable or use the -PublicKeyOnly option if you
do not wish to upload the private key.
Detail: Key not valid for use in specified state.

System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.<>c__DisplayClass49.<AddCertificate>b__48(IServiceManagement channel, String subId)
at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.<>c__DisplayClass4f.<DoAsyncOperation>b__4e(IServiceManagement x, String y)
at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.DoOperation[T](Func`3 f, String& trackingId)
at Microsoft.WindowsAzure.ServiceManagementClient.CloudManagmentClient.DoAsyncOperation(Action`2 act)
at Microsoft.WindowsAzure.Tools.CsUpload.ProgramCommands.<>c__DisplayClass2a.<AddServiceCertificateAction>b__25(CloudManagmentClient client)
at Microsoft.WindowsAzure.Tools.CsUpload.ProgramCommands.TryClientAction(CloudManagmentAccount account, Action`1 act)
at Microsoft.WindowsAzure.Tools.CsUpload.ProgramCommands.AddServiceCertificateAction(IList`1 args, IDictionary`2 switches)

Based on the error message, it was clear that the certificate I had does not support private key export. So, just to test, I used the -PublicKeyOnly option as below, and it worked:

C:\Program Files\Windows Azure SDK\v1.5\bin>csupload add-servicecertificate -Connection "SubscriptionID=<SUBSCRIPTION_ID>;CertificateThumbprint=<MGMT_CERT_THUMBPRINT>" -HostedServiceName "testcodewp" -Thumbprint "b28daea93e520d85391987c6a6efb52be9278195" -PublicKeyOnly
Windows(R) Azure(TM) Upload Tool version 1.5.0.0
for Microsoft(R) .NET Framework 3.5
Copyright (c) Microsoft Corporation. All rights reserved.

arg[0]="add-servicecertificate"
arg[1]="-Connection"
arg[2]="*********************"
arg[3]="-HostedServiceName"
arg[4]="testcodewp"
arg[5]="-Thumbprint"
arg[6]="b28daea93e520d85391987c6a6efb52be9278195"
arg[7]="-PublicKeyOnly"
Uploading service certificate to 'testcodewp'.
Service certificate upload complete.
FriendlyName :
Thumbprint : B28DAEA93E520D85391987C6A6EFB52BE9278195
Subject : CN=Avkash Windows Azure Account
IssuedBy : CN=Avkash Windows Azure Account
ValidFrom : 12/31/2010 11:00:00 PM
ValidTo : 12/31/2014 11:00:00 PM
HasPrivateKey : False

When you use the Windows Azure tools (the publish wizard) to create a certificate, the private key is exportable in every certificate they create. So this error can happen only when:

- You created your own certificate and missed the option that makes the private key exportable

- You received a certificate that does not have an exportable private key

If you created your own certificate using makecert, add the "-pe" option.
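The export that fails inside csupload (X509Certificate.Export to a PFX blob, as in the stack trace above) can be tried ahead of time. The PowerShell below is an added example, not part of the original post or the Azure SDK; the function name Test-CertExportable and the assumption that the certificate sits in the CurrentUser or LocalMachine "My" store are illustrative.

```powershell
# Added example: pre-flight check for the PFX export that csupload performs.
# Test-CertExportable is a hypothetical helper name, not an Azure SDK command.
function Test-CertExportable {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        # Assumption: the certificate is in one of the two "My" stores.
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )
    # Thumbprints pasted from the MMC snap-in often carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    foreach ($store in $StorePath) {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
        if (-not $cert) { continue }

        $result = [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $false
            Advice        = ''
        }
        if (-not $cert.HasPrivateKey) {
            $result.Advice = 'No private key in this store; only -PublicKeyOnly can succeed.'
            return $result
        }
        try {
            # Same call as in the stack trace. The PFX blob stays in memory,
            # is protected by a throwaway password, and is wiped after the test.
            $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
            $bytes = $cert.Export($pfx, [guid]::NewGuid().ToString())
            [Array]::Clear($bytes, 0, $bytes.Length)
            $result.Exportable = $true
            $result.Advice = 'Private key exports; upload without -PublicKeyOnly.'
        }
        catch [System.Security.Cryptography.CryptographicException] {
            # "Key not valid for use in specified state" means the key is marked non-exportable.
            $result.Advice = 'Export failed: ' + $_.Exception.Message +
                ' Recreate or reimport with an exportable key (makecert -pe), or use -PublicKeyOnly.'
        }
        return $result
    }
    throw "No certificate with thumbprint $clean found in: $($StorePath -join ', ')"
}

# Thumbprint taken from the csupload command on this page.
Test-CertExportable -Thumbprint 'b28daea93e520d85391987c6a6efb52be9278195'
```

A result with HasPrivateKey true and Exportable false corresponds to the csupload failure shown above. Checking a certificate in the LocalMachine store may require an elevated prompt to reach the private key.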

Learn more @ http://blogs.msdn.com/b/avkashchauhan/archive/2011/09/21/how-to-generate-2048-bit-certificate-with-makecert-exe.aspx

  • Once again, your writing is very streamline and it seems you do not miss any step. This is very good for someone who is very new in technology. Very great post.
