05-23-2022 02:47 AM
Our customer is having issues with GP 5.2.10-6 on Windows 11. They are using client certificates for authentication and after a while a connection fails due to no client certificate being present. If we check MMC, the certificate is present, valid and has a private key.
But GP logs say:
(P9292-T12792)Error(2290): 05/23/22 07:03:00:014 error = ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY
(P9292-T12792)Debug(2377): 05/23/22 07:03:00:014 winhttpObj, got ERROR_WINHTTP_CLIENT_CERT_NO_ACCESS_PRIVATE_KEY, clean cert cache now
(P9292-T12792)Debug(4578): 05/23/22 07:03:00:014 winhttpobj, cert do not has private key???? clean lastIssuerName now, data = 0000000000000000
There is a reddit post about it:
But nothing on PA forums or KB. How many ppl are having similar issues? Any more info from PA support about this?
05-23-2022 01:36 PM - edited 05-23-2022 01:37 PM
I had this exact same problem a few weeks ago on a PC which the user had upgraded to Win11 (without permission but..).
The problem is that the upgrade broke permissions for the GP client to access the private key, but it could read the public portion of the certificate just fine. Using MMC, nothing was apparent as being wrong. The fix is to manually export the user's certificate, including the private key, and save it. Delete the certificate from the user's cert store. Then re-import the saved key back into the certificate store. The GP client will now be able to read the private key. Alternatively, you can delete the old certificate and regenerate it (though you probably need to be connected/domain joined to do that in most cases).
See my previous thread:
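
Added example, not code from any poster in this thread or from Palo Alto Networks: the reply above notes that MMC showed nothing wrong, so this PowerShell check goes one step further and actually uses each candidate private key for a test signature. It assumes the client certificate lives in the affected user's personal store and has the Client Authentication EKU or no EKU; it tests access from the user's own session only, and hardware-backed or PIN-protected keys may prompt.

```powershell
# Added example: run in the affected user's session (reads Cert:\CurrentUser\My).
# Assumption: the VPN client certificate has the Client Authentication EKU or no EKU at all.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$probe  = [Text.Encoding]::UTF8.GetBytes('private-key access probe')   # constructed test data
$sha256 = [Security.Cryptography.HashAlgorithmName]::SHA256

Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    # Drop nulls so a certificate without any EKU yields an empty array.
    $ekus = @($_.EnhancedKeyUsageList | Where-Object { $_ })
    $ekus.Count -eq 0 -or $ekus.ObjectId -contains $clientAuthOid
} | ForEach-Object {
    $cert = $_
    if (-not $cert.HasPrivateKey) {
        $status = 'No private key linked to this certificate'
    } else {
        try {
            # Opening the key handle is where a broken key container or ACL shows up.
            $rsa = [Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa) {
                [void]$rsa.SignData($probe, $sha256, [Security.Cryptography.RSASignaturePadding]::Pkcs1)
                $status = 'OK (RSA key usable)'
            } else {
                $ec = [Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                if ($ec) {
                    [void]$ec.SignData($probe, $sha256)
                    $status = 'OK (ECDSA key usable)'
                } else {
                    $status = 'Private key flagged present but neither RSA nor ECDSA'
                }
            }
        } catch {
            # HasPrivateKey was true, yet the key could not be opened or used.
            $status = 'KEY ACCESS FAILED: ' + $_.Exception.GetBaseException().Message
        }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
} | Format-Table -AutoSize -Wrap
```

A row reporting a failed key access for a certificate that MMC shows as valid with a private key matches the condition described in the reply above.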
05-23-2022 11:31 PM
Thank you for the info @Adrian_Jensen
In our case it's fresh installations of Windows 11. First the access with GP works for a couple of days, weeks, months... and then it stops. After that the new client certificate has to be installed and the access starts working again.
05-24-2022 08:27 AM
If you export/re-import the old certificate, does it work again? Or does it have to be a new certificate?