I have installed a certificate in the local machine store (Win7) with a private key. In C# code I do this:

    using System.Net;
    using System.Security.Cryptography.X509Certificates;

    // Looks up a certificate by thumbprint in the given store and location.
    static X509Certificate2 GetCertificate(StoreName storeName, StoreLocation storeLocation, string thumbprint)
    {
        X509Certificate2 cert = null;
        var store = new X509Store(storeName, storeLocation);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: also return certificates that fail chain validation
            var result = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            ServicePointManager.Expect100Continue = true;
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
            // Accepts every server certificate, i.e. disables server certificate validation process-wide
            ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
            cert = result.Count > 0
                ? result[0]
                : null;
        }
        finally
        {
            store.Close();
        }
        return cert;
    }

In the cert variable I have my certificate, BUT something is wrong with it: HasPrivateKey is true but PrivateKey holds no object. And if I send it with a REST request in the C# code of my web application I get these errors:

AcquireCredentialsHandle() failed with error 0X8009030D.
The request was aborted: Could not create SSL/TLS secure channel.

All rights are granted for the certificate in the store. Please help with it, what is wrong?

Certutil result in Russian (I hid secure info with "***"):

    certutil -store my "cf 35 63 34 14 30 a0 32 ca 4a 58 b9 7a 7a ab 18 a4 47 7d a4"
    ================ Сертификат 0 ================
    Серийный номер: 100030
    Поставщик: ******************************
     NotBefore: 07.07.2015 5:00
     NotAfter: 24.12.2023 4:59
    Субъект: ********************************
    Не корневой сертификат
    Шаблон:
    Хеш сертификата(sha1): cf 35 63 34 14 30 a0 32 ca 4a 58 b9 7a 7a ab 18 a4 47 7d a4
      Контейнер ключа = 94c3b04b44d51674a1b7de89c10bd7d7_09614f03-cc81-44e6-a978-81773242876c
      Простое имя контейнера: CertReq-ceda22d5-2893-496a-b8c1-5c9ceaed82f1
      Поставщик = Microsoft Strong Cryptographic Provider
    Тест шифрования пройден
NanoDemoN
  • Can you show the result of the following command: `certutil -store my "thumbprint"`? Replace `thumbprint` with the actual value. I suspect that the key uses a CNG provider. – Crypt32 Jul 07 '15 at 17:23
  • Added the certutil result to the first post. – NanoDemoN Jul 08 '15 at 08:21
  • The cert looks OK. The actual error is "The credentials supplied to the package were not recognized". Maybe this makes some sense to you? – Crypt32 Jul 08 '15 at 08:26
  • Who is the root authority? The most likely scenario is that the other side of the communication doesn't trust it. As for PrivateKey being null, this information typically is not extracted from the store. You don't want to send your private key to another party, after all. – IMil Jul 08 '15 at 08:29
  • Thanks for the tip. I just found the answer here: http://stackoverflow.com/questions/23329040/pushsharp-apns-production-the-credentials-supplied-to-the-package-were-not-reco . I deleted the certificate from the machine store, then exported the installed certificate from the current user store to a .pfx file and imported it into the machine store. Now PrivateKey has an object BUT I still can't receive a response from the server: the request is aborted by timeout. But I get a correct response from the server in the Chrome browser with Postman. Are there any ideas? – NanoDemoN Jul 08 '15 at 09:56
  • The answer is here: https://msdn.microsoft.com/ru-ru/library/system.net.securityprotocoltype(v=vs.110).aspx . Win7 works correctly with SecurityProtocolType.Tls12 only. Thanks to all. – NanoDemoN Jul 08 '15 at 10:57

1 Answer

I've figured out the problem. I deleted the certificate from the machine store, then exported the installed certificate from the current user store to a .pfx file and imported it into the machine store. Now PrivateKey has an object. One more step: I changed the protocol type from Tls to Tls12 (works for Win7+):

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
NanoDemoN
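As an added example (not the asker's or the answerer's code), a diagnostic that ties the thread together: it looks the certificate up by thumbprint, proves the private key is really usable by signing with it (GetRSAPrivateKey, .NET Framework 4.6+, handles both CAPI and CNG keys, unlike the legacy PrivateKey property), and then sends the request over TLS 1.2 with the default server certificate validation left in place. Thumbprint and URL are the caller's placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertDiagnostics
{
    // Returns the certificate only if its private key can actually be opened and used.
    // "HasPrivateKey == true but no key object" (the symptom in the question) ends up in the catch block.
    public static X509Certificate2 LoadUsable(StoreLocation location, string thumbprint)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) { Console.WriteLine("not found in " + location); return null; }
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey) { Console.WriteLine("store holds the public part only"); return null; }
            // GetRSAPrivateKey (.NET 4.6+) understands CAPI and CNG keys; the legacy PrivateKey property only CAPI.
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null) { Console.WriteLine("not an RSA key"); return null; }
                // A real signing operation forces the key to be opened, which is where ACL/container problems surface.
                rsa.SignData(new byte[] { 0 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
            return cert;
        }
        catch (CryptographicException ex)
        {
            // Typical causes: the key container is missing from this store location (cert imported without its key),
            // or the process identity (e.g. an IIS app pool account) has no read access to the key file.
            Console.WriteLine("private key not accessible: " + ex.Message);
            return null;
        }
        finally
        {
            store.Close();
        }
    }
    // Client-authenticated request: TLS 1.2 as in the accepted answer, server validation left at the default.
    public static HttpWebResponse Send(string url, X509Certificate2 clientCert)
    {
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(clientCert);
        return (HttpWebResponse)request.GetResponse();
    }
}
```

Run LoadUsable(StoreLocation.LocalMachine, thumbprint) under the same account as the web application, because the key file ACL is evaluated for that identity, not for the developer who imported the PFX.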