
On a WS-Federation application using System.IdentityModel, one CNG certificate is causing me trouble.

First of all, I got this error:

Error: 'ID1039: The certificate's private key could not be accessed. Ensure the access control list (ACL) on the certificate's private key grants access to the application pool user. [...] Invalid provider type specified.

I discovered that a CNG certificate does not appear to be compatible with System.IdentityModel. Then I followed these steps to convert my CNG private key to an RSA private key. The new certificate works perfectly well on my computer (Windows 10) or even on another Windows Server 2012.

I made a small program to check. Before converting, HasCngKey is true, GetCngPrivateKey returns "System.Security.Cryptography.CngKey", and of course PrivateKey throws an invalid provider type exception.
After converting, HasCngKey is false and I can get the private key with cert.PrivateKey.

But on the client UAT environment, for the same new certificate, HasCngKey is still true, but GetCngPrivateKey throws "System.Security.Cryptography.CryptographicException: Keyset does not exist" and cert.PrivateKey still throws Invalid provider type specified, as if the key were still CNG.

Does anyone have an idea of why it works on some machines but not the right one?

  • If the Exponent value of the key is larger than a uint32_t (4 bytes) then CAPI can't load it at all and it gets forced as CNG (and in that case cert.PublicKey.Key will also fail). – bartonjs Feb 27 '17 at 16:23
  • You might also want to try upgrading to .NET 4.6.2; most of the situations where the framework didn't like CNG certificates have been fixed in that version (though non-framework code might still do the wrong things). – bartonjs Feb 27 '17 at 16:24
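An added diagnostic (not from the question author or the framework) that checks, from the same account as the application pool, which provider actually holds a certificate's private key, whether the legacy CAPI path used by System.IdentityModel can reach it, and whether the public exponent exceeds the 4-byte CAPI limit mentioned in the comment above. It uses the .NET Framework 4.6+ `GetRSAPrivateKey`/`GetRSAPublicKey` extensions; the thumbprint is a placeholder to be supplied on the command line.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Diagnostic: report how a certificate's private key is stored and which API
// paths can open it. Run it under the application pool identity on the failing host.
static class CertKeyDiagnostic
{
    static void Main(string[] args)
    {
        // Placeholder: pass the thumbprint of the certificate under test.
        string thumbprint = args.Length > 0 ? args[0] : "<THUMBPRINT>";

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2 cert = store.Certificates
                .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
                .OfType<X509Certificate2>()
                .FirstOrDefault();
            if (cert == null) { Console.WriteLine("Certificate not found in LocalMachine\\My."); return; }

            // Metadata flag only: true does not prove the key container exists or is readable.
            Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);

            // A public exponent longer than 4 bytes cannot be loaded by CAPI at all.
            using (RSA pub = cert.GetRSAPublicKey())
            {
                int expLen = pub.ExportParameters(false).Exponent.Length;
                Console.WriteLine("Public exponent: " + expLen + " byte(s)" +
                                  (expLen > 4 ? " (too large for CAPI, forces CNG)" : ""));
            }

            // Opens the key in whichever provider stores it:
            // RSACng = CNG/KSP, RSACryptoServiceProvider = CAPI/CSP.
            try
            {
                using (RSA priv = cert.GetRSAPrivateKey())
                    Console.WriteLine(priv == null ? "No private key reachable"
                                                   : "Private key provider: " + priv.GetType().Name);
            }
            catch (CryptographicException ex) { Console.WriteLine("GetRSAPrivateKey failed: " + ex.Message); }

            // Legacy CAPI-only path, the one System.IdentityModel relies on.
            try { Console.WriteLine("cert.PrivateKey: " + cert.PrivateKey.GetType().Name); }
            catch (CryptographicException ex) { Console.WriteLine("cert.PrivateKey failed: " + ex.Message); }
        }
    }
}
```

A "Keyset does not exist" from GetRSAPrivateKey while HasPrivateKey is true points to the key container being absent from that machine or unreadable by the running account, not to the key type.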