Key not valid for use in specified state when configuring OAuth2 Realm with RSA signing algorithm

    Applies to:
      • Legacy SecureAuth IdP
    Deployment model:
      • On Premises
    SecureAuth IdP version affected: All

    When an OAuth2 realm is configured with the RSA signing algorithm, the following error is written to the Debug.log; the same realm authenticates correctly when the HMAC signing algorithm is selected.

    <Root><EventID>-1</EventID><Timestamp>2/28/2017 3:42:47 AM</Timestamp><SeverityLevel>Verbose</SeverityLevel><Priority>-1</Priority><Message>IdentityModel: [AuthorizeEndpoint].[ProcessConsent]: Exception: System.Security.Cryptography.CryptographicException: Key not valid for use in specified state.

    at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) 
    at System.Security.Cryptography.Utils._ExportKey(SafeKeyHandle hKey, Int32 blobType, Object cspObject) 
    at System.Security.Cryptography.RSACryptoServiceProvider.ExportParameters(Boolean includePrivateParameters) 
    at SecureAuth.IdentityModel.OpenIDConnect.Services.TokenService.SignJwtToken(RealmElement realmConfig, ClientElement client, List`1 claims, String[] audience) 
    at SecureAuth.IdentityModel.OpenIDConnect.Services.TokenService.CreateIdentityToken(String jti, RealmElement realmConfig, ClaimsPrincipal subject, ClientElement client, String nonce, String atHash, String cHash) 
    at SecureAuth.IdentityModel.OpenIDConnect.Handlers.AuthorizeEndpointHandler.ProduceResponseContent() 
    at SecureAuth.IdentityModel.OpenIDConnect.Endpoints.AuthorizeEndpoint.DeliverResponseContent() 
    at SecureAuth.IdentityModel.OpenIDConnect.Endpoints.AuthorizeEndpoint.ProcessConsent()</Message></Root>



    The stack trace shows the failure inside RSACryptoServiceProvider.ExportParameters(includePrivateParameters), which the token service calls while signing the JWT. This call fails when the private key in the Windows certificate store is not marked as exportable. Test by either using a certificate with an exportable private key or re-importing the current certificate with the option selected for the private key to be exportable.

    If the export private key option is not available for the current certificate, it will be necessary to locate and import another certificate with this option enabled.

    Note that actually exporting the private key is not required; the certificate present in the Certificates console only needs to already have this capability. That is, when the certificate is right-clicked | All Tasks | Export, the option "Yes, export the private key" should be active and selectable.
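    As an added example (not part of the SecureAuth article), the same check and fix in PowerShell: it reports whether the signing certificate's private key is exportable, and re-imports a PFX with the exportable flag set. The store path, thumbprint, PFX path and password are assumptions or placeholders.

```powershell
# Added example, not from the SecureAuth article. Reports whether the private key behind a
# certificate in the Windows store is exportable; this is the capability the stack trace's
# RSACryptoServiceProvider.ExportParameters(includePrivateParameters) call depends on.
function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumption: the IdP uses the machine store
    )
    $cert = Get-Item "$StorePath\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        return [pscustomobject]@{ Thumbprint = $Thumbprint; HasPrivateKey = $false; Exportable = $false; Provider = $null }
    }
    # GetRSAPrivateKey (.NET Framework 4.6+) handles both legacy CSP keys and CNG keys
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CSP key: this is the code path the IdP stack trace goes through
        $exportable = $rsa.CspKeyContainerInfo.Exportable
        $provider   = $rsa.CspKeyContainerInfo.ProviderName
    } else {
        # CNG key: export must be allowed by the key's export policy
        $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
        $provider   = $rsa.Key.Provider.Provider
    }
    [pscustomobject]@{ Thumbprint = $Thumbprint; HasPrivateKey = $true; Exportable = $exportable; Provider = $provider }
}

# Re-import a PFX with the exportable flag set (the PowerShell equivalent of ticking
# "Mark this key as exportable" in the certificate import wizard), then re-run the check.
function Import-ExportableSigningCert {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StorePath -Password $Password -Exportable
    Test-PrivateKeyExportable -Thumbprint $cert.Thumbprint -StorePath $StorePath
}

# Usage with placeholder values (run in an elevated PowerShell session on the IdP appliance):
# Test-PrivateKeyExportable -Thumbprint 'REALM_SIGNING_CERT_THUMBPRINT'
# Import-ExportableSigningCert -PfxPath 'C:\certs\signing.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```

    A certificate that reports Exportable = False here will reproduce the error above as soon as the realm is switched to the RSA signing algorithm.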


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
