Archive for May, 2018

Biztalk 2016 wants to disable private key protection

BizTalk 2016 failed to receive AS2 messages with this error:

The MIME encoder failed to sign the message because the certificate has private key protection turned on or the private key does not exist. Please disable private key protection to allow BizTalk to use a certificate for signing.

That sounds straightforward, except that private key protection was already disabled, and the user profile of the BizTalk service account was loaded, so nothing was wrong there either. I went through the documentation several times and found nothing wrong. Finally I found that the cause was the cryptographic provider.

The underlying problem is that BizTalk 2016 still relies on the ancient .NET 3.5, which has no support for CNG Key Storage Providers (KSP): a private key held by a KSP cannot be opened through the legacy .NET crypto API, so signing fails and the error above is reported even though private key protection is off. Check which provider the certificate's key is bound to (password is the PFX password):

certutil -p password cert.pfx

If the output contains “Provider = Microsoft Software Key Storage Provider”, BizTalk will fail and complain about private key protection. Fix it by round-tripping the PFX through openssl, which writes a new PFX without the KSP provider name:

# unpack certificate and key to PEM (prompts for the PFX password and a PEM pass phrase)
openssl pkcs12 -in my-original-cert.pfx -out temp.pem
# repack; the new PFX no longer names the KSP, so Windows uses the legacy CSP on import
openssl pkcs12 -export -in temp.pem -out my-fixed-cert.pfx

Import my-fixed-cert.pfx into the Personal certificate store (and, if the certificate is self-signed, also import it into the Trusted Root Certification Authorities store). Point BizTalk at the updated certificate and the error should be gone. If you are starting from scratch, create the certificate with the legacy CSP instead:


New-SelfSignedCertificate -Provider "Microsoft Strong Cryptographic Provider" ...
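The provider check and the openssl re-export described above, as an added shell script that is not part of the original post; it needs only openssl, builds a constructed self-signed certificate with a constructed password, and shows that the fix works because the repacked PFX no longer carries the "Microsoft CSP Name" attribute that points at the KSP.

```shell
#!/bin/sh
# Added example (not from the original post): create a PFX tagged for the CNG
# Key Storage Provider, detect the tag, and repack it the way the post does.
# Assumes openssl is on PATH; file names, subject and password are constructed.
set -e
WORK=$(mktemp -d)
PASS=pass:changeit

# Returns 0 when the PFX carries a "Microsoft CSP Name" bag attribute naming the
# KSP; a certificate imported from such a file is the one BizTalk 2016 rejects.
uses_ksp() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nodes -info 2>/dev/null \
        | grep -q 'Microsoft CSP Name: Microsoft Software Key Storage Provider'
}

# The post's fix: unpack to PEM and repack. openssl adds no CSP name attribute
# unless asked to (-CSP), so Windows binds the key to the legacy CSP on import.
fix_pfx() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nodes -out "$WORK/temp.pem"
    openssl pkcs12 -export -in "$WORK/temp.pem" -out "$2" -passout "$PASS"
    rm -f "$WORK/temp.pem"   # the PEM holds the unencrypted private key
}

# Constructed test input: a self-signed certificate exported with the same
# provider attribute a Windows export of a CNG-backed key carries.
make_ksp_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=biztalk-as2-test -days 1 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -passout "$PASS" -CSP "Microsoft Software Key Storage Provider" -out "$1"
}

make_ksp_pfx "$WORK/original.pfx"
uses_ksp "$WORK/original.pfx" && echo "original.pfx: KSP-backed, BizTalk 2016 will reject it"
fix_pfx "$WORK/original.pfx" "$WORK/fixed.pfx"
uses_ksp "$WORK/fixed.pfx" || echo "fixed.pfx: no KSP attribute, import this one"
```

OpenSSL 3 encrypts the repacked PFX with PBKDF2 and AES-256 by default, which some older Windows releases refuse to import; if my-fixed-cert.pfx will not import, add -legacy to the export step.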
Categories: Windows