5

I am trying to load a certificate from a pfx file in a WPF application and it gives me an access denied error.

using System.IO;
using System.Security.Cryptography.X509Certificates;

byte[] buffer;
using (FileStream stream = System.IO.File.OpenRead(certificatePath))
{
    using (BinaryReader reader = new BinaryReader(stream))
    {
        buffer = reader.ReadBytes((int)stream.Length);
    }
}

// Two-argument constructor: imports the private key with the default key-storage flags.
X509Certificate2 certificate = new X509Certificate2(buffer, password);

System.Security.Cryptography.CryptographicException: Access denied.
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
   at HelloWorld.HelloClient.Models.Infrastructure.ReadCertificateFromPfxFile(String certificatePath, String password)

The last line in the snippet is causing an exception, and if I run it as an administrator it works fine. The issue seems to be that the default constructor of X509Certificate2 tries to put the private key in the user store. I am not using a web application; this post doesn't resolve my issue. I think the current user might not have access to his own private key store. But how can I give that access?

Shiju Samuel
  • Possible duplicate of [X509Certificate Constructor Exception](http://stackoverflow.com/questions/9951729/x509certificate-constructor-exception) – MethodMan Jun 23 '16 at 17:54
  • @MethodMan It's talking about web applications and fixes in IIS. I have a WPF app; how can I give permission to the user store? – Shiju Samuel Jun 24 '16 at 00:39

5 Answers

10

Posting a fix in case someone is looking for a solution to a similar issue. I ran Sysinternals Process Monitor and realized the constructor call was creating a key in the machine key folder, and gave the user access to write to the machine key folder.

Shiju Samuel
9

In my situation, it was due to the lack of write access to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

My user only had Read access, and once I granted Write access it worked fine.

dinith jayabodhi
1

Just in case it helps someone: "CryptographicException: Access denied" can be caused by a lack of space on the disk; that was my case.

coconochao
1

Getting the same CryptographicException: Access denied error when trying to load an X509Certificate2; the solution is to grant read/write to the *MachineKeys* directory.

  1. Open a CMD or PowerShell window with admin privileges.
  2. Execute the command below to grant everyone read/write: icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /inheritance:r /grant Administrators:F /grant:r Everyone:RW

More about permission on this dir: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/default-permissions-machinekeys-folders

LeOn - Han Li
  • Note: Those group/user names are specific to the current culture set; use ```icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /inheritance:r /grant Administratoren:F /grant:r Jeder:RW``` for German, e.g. – Sven Mawby Dec 30 '22 at 17:17
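Added example, not code from the question or from any answer above: the same PFX load done through the X509Certificate2(byte[], string, X509KeyStorageFlags) overload visible in the stack trace, so the private key is never written to the MachineKeys folder and no ACL change like the icacls command above is needed (granting Everyone write access there widens access to every machine key container on the host). PfxLoader, its method names and the placeholder path/password are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class; the names are assumptions, not from the page.
public static class PfxLoader
{
    // Keeps the private key in memory only: nothing is created under
    // %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, so the two-argument
    // constructor's "Access denied" does not arise. Needs .NET Framework 4.7.2+
    // or .NET Core 2.0+.
    public static X509Certificate2 LoadEphemeral(string certificatePath, string password)
    {
        byte[] buffer = File.ReadAllBytes(certificatePath);
        return new X509Certificate2(buffer, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    // When the key must outlive the process (for example the certificate is
    // installed into a store), persist it in the current user's key container
    // instead of the machine-wide one; only that user's profile is written to.
    public static X509Certificate2 LoadUserScoped(string certificatePath, string password)
    {
        byte[] buffer = File.ReadAllBytes(certificatePath);
        return new X509Certificate2(buffer, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
    }

    // Post-load check: false means the PFX carried only the certificate,
    // which is a packaging problem rather than a folder-permission one.
    public static bool HasUsablePrivateKey(X509Certificate2 certificate)
    {
        return certificate.HasPrivateKey;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        // Placeholder path and password; pass real values on the command line.
        string certificatePath = args.Length > 0 ? args[0] : @"C:\path\to\client.pfx";
        string password = args.Length > 1 ? args[1] : "<pfx-password>";

        using (X509Certificate2 cert = PfxLoader.LoadEphemeral(certificatePath, password))
        {
            Console.WriteLine($"Loaded {cert.Subject}; private key present: {PfxLoader.HasUsablePrivateKey(cert)}");
        }
    }
}
```

On Windows a certificate loaded with EphemeralKeySet cannot be added to an X509Store, so use LoadUserScoped when the certificate has to be installed rather than only used in-process.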
0

I found it's easier to use the p12 certificate because it doesn't use the key store. I used Firefox to convert pfx to p12.

crane