A couple of days ago I didn't have a binary version of OpenSSL around, so I decided to use Makecert.exe. I generated a couple of test certificates and started playing around with them.

Whenever I tried to decrypt an instance of EncryptedXml, a CryptographicException ("Bad Key.") was thrown, and when I tried to use a mutualCertificate11Security assertion (WSE 3.0) the same CryptographicException ("WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account 'ASPNET' has permissions to read the private key of certificate with subject name…") was thrown.

The problem is that by default makecert.exe generates a key that is suited only for signing (the AT_SIGNATURE key type). If you want to use the key for purposes other than signing (e.g. SSL authentication or unwrapping a symmetric key) you have to pass the -sky exchange option. The following commands made my problems disappear:

makecert -n "CN=Client" -pe -ss My -sr CurrentUser -sky exchange client.cer
makecert -n "CN=Host" -pe -ss My -sr LocalMachine -sky exchange host.cer
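If you are not sure which key type an existing test certificate carries, the key container reports it. The following PowerShell script is an added example, not part of the original post; it lists the certificates in a store (the store path is an assumed parameter) and flags keys that were generated as signature-only, which is the cause of the "Bad Key." and WSE600 failures above.

```powershell
# Added example: report whether each private key in a certificate store was
# created for signature only (KeyNumber.Signature) or for key exchange
# (KeyNumber.Exchange). Only exchange keys can unwrap a symmetric key, which is
# what EncryptedXml decryption and WSE mutualCertificate11Security require.
param(
    [string]$StorePath = 'Cert:\CurrentUser\My'   # assumption: store to inspect
)

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert      = $_
    $keyNumber = 'no private key'
    $container = ''
    if ($cert.HasPrivateKey) {
        # For CSP-based keys (the kind makecert creates) PrivateKey is an
        # RSACryptoServiceProvider whose container info exposes the key type.
        $rsa = $cert.PrivateKey
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info      = $rsa.CspKeyContainerInfo
            $keyNumber = $info.KeyNumber                # Exchange or Signature
            $container = $info.UniqueKeyContainerName   # key file name on disk
        } else {
            $keyNumber = 'not a CSP key'
        }
    }
    [PSCustomObject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        KeyNumber     = $keyNumber
        KeyContainer  = $container
        CanUnwrapKeys = ($keyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
    }
} | Format-Table -AutoSize
```

A certificate whose CanUnwrapKeys column is False has to be regenerated with -sky exchange; for a LocalMachine certificate whose key type is already Exchange, the remaining cause of WSE600 is the ACL on the key file under $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\<KeyContainer>, which Get-Acl on that path will show.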