6

I have a simple ASPNET-Core 2 web app on Azure App Services. When I try and load the pfx file, I get the following error:

WindowsCryptographicException: The system cannot find the file specified Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)

I'm trying to load a pfx file, which exists in the wwwroot folder.

Problematically, I have proven that the pfx file exists.

I then have tried to load the X509 cert via these two ways:

clientCertificate = new X509Certificate2(certificateByteArrayData, pfxPassword);

and

clientCertificate = new X509Certificate2(filePath, pfxPassword);

if I have a bad password, I get a correct-bad-password exception.

But with a (what I believe to be is) legit path + password or loaded bytes + password, I get that error, above.

It's like the certificate is trying to do some weird admin-type-thingy on the server and doesn't have permission? Which I don't understand because I have the cert there and I just want to use it?

I know there's other ways to do this with Loading SSL Certs or using Azure Vault or other people have found similar problems but are related to 'user stores' etc, while here I thought this has nothing to do with it?

halfer
  • 19,824
  • 17
  • 99
  • 186
Pure.Krome
  • 84,693
  • 113
  • 396
  • 647

1 Answers1

9

It looks like I had to add an extra parameter to say use the Machine storage.

// Byte array.
var clientCertificate = new X509Certificate2(certificateData, 
                                pfxPassword, 
                                X509KeyStorageFlags.MachineKeySet);

// File name
var clientCertificate = new X509Certificate2(pfxFileNameAndPath, 
                                pfxPassword, 
                                X509KeyStorageFlags.MachineKeySet);

This SO answer basically suggested the answer

Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.

Boom! That said, I still don't understand why it's trying to access some store considering I am giving the password and file.

/me shrug

No Refunds No Returns
  • 8,092
  • 4
  • 32
  • 43
Pure.Krome
  • 84,693
  • 113
  • 396
  • 647
  • The link suggesting the answer no longer works. But I thank you for this answer, saved me a fair bit of time. – WooHoo Aug 07 '19 at 14:36