Symptoms or Error
- Error Ssl Context Is Not Usable Without Certificate And Private Key Bank
- Error Ssl Context Is Not Usable Without Certificate And Private Keyboard
- Error Ssl Context Is Not Usable Without Certificate And Private Keys
The even more uncommon case of no certificates at all. SSL/TLS can also be used without certificates at all, i.e. not even at the server side. In this case authentication is done with other methods, like a secret key pre-shared between client and server (PSK). These methods are rarely used and browsers don't support them.
This article will show you how to correct the 'No Private Key' error message in Windows Internet Information Server (IIS). If you receive this error, it indicates that a previous attempt to import the certificate in IIS failed to include the private key. To correct this, you will.
2016-04-28T20:45Z 0 Warning Failed to set up SSL because of the following SSL library error: SSL context is not usable without certificate and private key.
I was under the impression it was supposed to auto generate one.
When configuring the certificate for the Citrix Secure Gateway Server, the following error message appears:
'The server certificate specified is unusable.'
Solution
Solution 1
Ensure the Private key for the Certificate is available.
Solution 2
Ensure the permissions are correct for MachineKeys folders. The MachineKeys folder is located in the All Users Profile\Application Data\Microsoft\Crypto\RSA folder. The following settings are the default permissions for the MachineKeys folder:
- Administrator (Full Control) This folder only
- Everyone (Special) This folder, subfolders, and files
- SYSTEM (Full Control) This folder, subfolders, and files
For the Everyone group, select the following Special permissions:
- List Folder/Read Data
- Read Attributes
- Read Extended Attributes
- Create Files/Write Data
- Create Folders/Append Data
- Write Attributes
- Write Extended Attributes
- Read Permissions
For more information regarding the default permissions on MachineKeys folders, refer to the Microsoft article "Default permissions for the MachineKeys folders".
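The two checks above (Solution 1 and Solution 2) can be run together from an elevated Windows PowerShell prompt. This is an added example, not part of the Citrix article or guide. It assumes PowerShell 3.0 or later, and the variable names are illustrative.

```powershell
# Added example: audit the Local Computer Personal store and the MachineKeys ACL.

# Locate MachineKeys: legacy "All Users Profile\Application Data" layout first,
# then the ProgramData layout used by newer Windows versions.
$candidates = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys')
)
$machineKeys = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $machineKeys) { throw 'MachineKeys folder not found under the All Users profile.' }

# Solution 1: does each certificate in Local Computer\Personal have a private key,
# and is the key container file actually present in MachineKeys?
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $keyFile = 'n/a'
    if ($cert.HasPrivateKey) {
        try {
            # Resolves CSP-backed RSA keys only; CNG-backed keys throw or return $null.
            $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if (-not $container) { throw 'no CSP container name' }
            if (Test-Path -LiteralPath (Join-Path $machineKeys $container)) {
                $keyFile = 'present'
            } else {
                $keyFile = 'MISSING'
            }
        } catch {
            $keyFile = 'not resolvable via CSP'
        }
    }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyFile       = $keyFile
    }
} | Format-Table -AutoSize

# Solution 2: list the MachineKeys ACL for comparison with the defaults
# (Administrators, Everyone, SYSTEM) given above.
(Get-Acl -LiteralPath $machineKeys).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights,
                  InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

A certificate reported with `HasPrivateKey` set to `False`, or with a `KeyFile` of `MISSING`, corresponds to Cause 1 below; an ACL that differs from the listed defaults corresponds to Cause 2.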
Problem Cause
Cause 1
The server certificates contained in the Local Computer's Personal store are queried.
The private key is not available.
See pages 17 and 95 of CTX112429 – Secure Gateway for Windows Administrator's Guide.
Page 17 - Improved certificate selection. The Secure Gateway Configuration wizard prevents the selection of a certificate that does not have a private key.
Page 95 - When you view the certificate, ensure that it contains a key icon and the caption “You have a private key that corresponds to this certificate” at the bottom of the General tab. The lack of an associated private key can result in the CSG0188 error.
Cause 2
The permissions for MachineKeys folders (All Users Profile\Application Data\Microsoft\Crypto\RSA) are misconfigured.
Additional Resources
Extracted from Page 85 of CTX112429 – Secure Gateway for Windows Administrator's Guide:
Certificate Requirements
Load balancing relies on the use of a virtual IP address. The virtual IP address is bound to an FQDN and all clients request connections from the virtual IP address rather than the individual servers running the Secure Gateway behind it. A single IP address, the virtual IP, acts as an entry point to your servers running the Secure Gateway, simplifying the way clients access Web content, published applications, and services on computers running Citrix Presentation Server. If you are using a load balancing solution, all servers running the Secure Gateway can be accessed using a common FQDN; for example, csgwy.company.com. In conclusion, you need a single server certificate, issued to the FQDN (mapped to the virtual IP or DNS name) of the load balancing server. The certificate must be installed on every server running the Secure Gateway in the server array that is being load balanced.