Learning never exhausts the mind
Home >  Technology > Privacy & Security > SHA-256 and Cryptographic Service Provider Types

By

SHA-256, SHA-384 and SHA-512 XML signatures require the Microsoft Enhanced RSA and AES Cryptographic Provider. When trying to sign data using SHA-256 on another provider type you may encounter the exception System.Security.Cryptography.CryptographicException: Invalid algorithm specified.

If the private key isn't associated with the correct Cryptographic Service Provider (CSP), it can be converted to specify the Microsoft Enhanced RSA and AES Cryptographic Provider.

One method to perform this conversion is to use OpenSSL.

Windows binaries are available for download. Refer to the OpenSSL Wiki.

The following command outputs information about the private key and certificate including the CSP.

openssl pkcs12 -in idp.pfx

Enter Import Password:
MAC verified OK
Bag Attributes
    localKeyID: 01 00 00 00
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
    friendlyName: PvkTmp:b143944f-c289-4e3c-b9cc-37ce1e8ada19
Key Attributes
    X509v3 Key Usage: 10
 
The Microsoft Strong Cryptographic Provider is suitable for SHA-1 XML signatures but doesn't support SHA-256 XML signatures.

The PFX can be recreated specifying the required CSP. Firstly, it must be converted from PKCS12 to PEM format.

openssl pkcs12 -in idp.pfx -out idp.pem

Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Then it must be converted back to PKCS12 specifying the Microsoft Enhanced RSA and AES Cryptographic Provider.

openssl pkcs12 -export -in idp.pem -out new-idp.pfx -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

Loading 'screen' into random state - done
Enter pass phrase for idp.pem:
Enter Export Password:
Verifying - Enter Export Password:

The new PFX file is now ready for generating SHA-256, SHA-384 and SHA-512 XML signatures.

 

Sharing is caring!

If you enjoyed this post, please share it with others. Click one of the social media buttons below to share on Facebook, Twitter, LinkedIn, Pinterest or email to a friend.

Further Reading
How To Configure HTTPS with Apache and Let’s Encrypt on Ubuntu 16.04
How To Configure HTTPS with Apache and Let’s Encrypt on Ubuntu 16.04

SSL certificates are used within web servers to encrypt the traffic between the server and client, providing extra security for users accessing your application. Let's Encrypt provides an easy way to obtain and install trusted certificates for free.

Read More
Ultimate Guide to SSL for the Newbie
Ultimate Guide to SSL for the Newbie

This is a guide to SSL, how it works, and it provides the total newbie with the right information needed to get started with secure online transactions.

Read More
History of Cryptography
History of Cryptography

Everyone has something to hide, and thanks to the latest developments in codes and encryption, the art of concealment have never been easier.

Read More
Simple String Encryption and Decryption with C#
Simple String Encryption and Decryption with C#

In this tutorial, we will look at implementing the cryptography object in C# to encrypt and decrypt information, either passwords or connection strings and prevent unauthorised eyes from prying at your passwords.

Read More
One thought on “SHA-256 and Cryptographic Service Provider Types
  • PEDRO HENRIQUE ARANTES E SILVA
    4th July 2018 at 12:00 am

    Thank you, work like a charm!

    Reply

Leave a Reply

Fields marked with * are mandatory.

We respect your privacy, and will not make your email public. Hashed email address may be checked against Gravatar service to retrieve avatars. This site uses Akismet to reduce spam. Learn how your comment data is processed.