Unable to install certificate from .pfx file

I am trying to install a certificate on my local computer (Win Server 2003) with the X509Certificate2 class in a C# console application. When I install the certificate with the following code, everything is fine:

    var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
    cert = new X509Certificate2(certificatePath);
    serviceRuntimeMachineCertificateStore.Add(cert);
    serviceRuntimeMachineCertificateStore.Close();

The problem is that the private key of the certificate is not saved when it is installed without X509KeyStorageFlags.PersistKeySet. Therefore, I tried to create such a certificate (the private key does not have a password, so I pass an empty string):

    var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
    cert = new X509Certificate2(certificatePath, "", X509KeyStorageFlags.PersistKeySet);
    serviceRuntimeMachineCertificateStore.Add(cert);
    serviceRuntimeMachineCertificateStore.Close();

But an attempt to initialize the certificate throws a System.Security.Cryptography.CryptographicException "Failed to load the certificate: the specified network password is incorrect", although the private key does not have a password.

If I import a certificate into the Microsoft Management Console without specifying a password, it works fine.

Does anyone know how to do this programmatically?

+3
4 answers

If anyone has a similar problem: I managed to install the certificate and save the private key in another way. I found a WinHttpCertCfg command-line tool that you can get from here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

Then I invoke this command line tool programmatically to install the certificate. This site gave me a hint on how to use it: weblogs.asp.net/hernandl/archive/2005/02/09 / ...

Cheers Chris

0

If you try to create an X509Certificate2 instance with a blank password in Windows XP or Windows 2003, a "Failed to load certificate: the specified network password is incorrect." exception will be thrown.

If possible, try creating a certificate with a password that is not empty. Then everything should be fine.

+3

Are you doing this from a workflow or some other issued process? It can only be that your process authenticates WITHOUT loading the authenticated user's profile, which does not seem to result in access to the user certificate store.

I had a similar problem when loading an X509 certificate with private keys from ASP.Net/IIS processes, and enabling profile loading for the worker process did the trick.

0

Hope this helps someone (and extends uGeeen's answer):

User "SC" specifies the following requirement for certificate passwords in Windows XP and Windows Server 2003.

 0 < password.Length < 32 

I saw conflicting messages about whether 32 is allowed. I can confirm that I used a 32-character password (MD5 hash) and truncating it to 30 characters fixed the problem.

0
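The points raised in the answers above, combined into one import routine as an added example (not code from any of the posts): it rejects passwords outside the reported `0 < password.Length < 32` range before loading, persists the key, and checks that the private key was actually imported. `PfxInstaller` and `InstallPfx` are hypothetical names; the use of `MachineKeySet` and of the Personal (`My`) store instead of `Root` are assumptions about what the deployment needs.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example; PfxInstaller and InstallPfx are hypothetical names.
static class PfxInstaller
{
    // Limit reported in the last answer for Windows XP / Server 2003:
    // 0 < password.Length < 32.
    const int MaxLegacyPasswordLength = 31;

    public static X509Certificate2 InstallPfx(string pfxPath, string password)
    {
        // Fail early with a clear message instead of the misleading
        // "specified network password is incorrect" CryptographicException.
        if (string.IsNullOrEmpty(password) || password.Length > MaxLegacyPasswordLength)
            throw new ArgumentException(
                "On Windows XP / Server 2003 the PFX password must be 1 to 31 " +
                "characters; re-export the PFX with such a password.", "password");

        // PersistKeySet keeps the private key once the object is released.
        // MachineKeySet (assumption: a machine-wide key is wanted) stores the key
        // in the machine key container, so no user profile has to be loaded.
        X509KeyStorageFlags flags =
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
        X509Certificate2 cert = new X509Certificate2(pfxPath, password, flags);

        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("The PFX contains no private key.");

        // Assumption: this is an end-entity certificate, so it goes into the
        // Personal (My) store. StoreName.Root, as used in the question, would
        // also make it a trust anchor for the whole machine.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }
        finally { store.Close(); }
        return cert;
    }

    static void Main(string[] args)
    {
        // Usage: PfxInstaller.exe <path-to-pfx>; the password is read from the
        // console so that it does not appear on the command line.
        Console.Write("PFX password: ");
        X509Certificate2 cert = InstallPfx(args[0], Console.ReadLine());
        Console.WriteLine("Installed {0}, private key present: {1}",
                          cert.Thumbprint, cert.HasPrivateKey);
    }
}
```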

Source: https://habr.com/ru/post/1486896/

