4

I am trying to install a certificate on my local machine (Win Server 2003) with the X509Certificate2 class in a C# test console application. When I install the certificate with the following code, everything is fine:

var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
cert = new X509Certificate2(certificatePath);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();

Problem is, that the private key of the certificate is not persisted, when installed without the X509KeyStorageFlags.PersistKeySet. So I tried to instanciate the certificate like this (the private key has no password, so I pass in an empty string):

var serviceRuntimeMachineCertificateStore = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
serviceRuntimeMachineCertificateStore.Open(OpenFlags.ReadWrite);
cert = new X509Certificate2(certificatePath, "", X509KeyStorageFlags.PersistKeySet);
serviceRuntimeMachineCertificateStore.Add(cert);
serviceRuntimeMachineCertificateStore.Close();

But trying to instanciate the certificate throws a System.Security.Cryptography.CryptographicException "Failed to load certificate: The specified network password is not correct.", even though the private key has no password.

If I import the certificate in the Microsoft Management Console without specifying a password it works great.

Does anybody know how to do this programmatically?

Christopher
  • 517
  • 1
  • 4
  • 15

4 Answers4

3

If you try to create an instance of X509Certificate2 with an empty password on Windows XP or Windows 2003, the "Failed to load certificate: The specified network password is not correct." exception will be thrown.

If you can, try to create a certificate with a password which is not empty. Then everything should be fine.

uGeeen
  • 31
  • 1
  • 6
  • I ran into the same problem on Windows XP SP3 and could fix it by using the X509Certificate2 constructor version that doesn't take a password – NineBerry Dec 12 '13 at 15:29
1

Hopefully this will help somebody (and to expand on uGeeen's answer:

User "S C" points out the following requirement for certificate passwords on Windows XP and Windows Server 2003.

0 < password.Length < 32

I have seen conflicting reports on whether 32 is allowed. I can confirm that I was using a 32 character password (an MD5 hash), and truncating it to 30 characters fixed the issue.

Millie Smith
  • 4,536
  • 2
  • 24
  • 60
0

are you doing it from worker process or some other impersonated process? it may be just that the identity your process uses is initialized WITHOUT loading the identity user's profile, what seems to result with no access to the user's cerificate store.

i've had similar problem when loading a x509 cert with private keys from within ASP.Net/IIS proces, and turning on profile-loading for worker processed did the trick

quetzalcoatl
  • 32,194
  • 8
  • 68
  • 107
0

In case anybody has a similar problem: I managed to install the certificate and persist the private key in another fashion. I found the WinHttpCertCfg command line tool that you can get from here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winhttp/http/winhttpcertcfg_exe__a_certificate_configuration_tool.asp

I then call this command line tool programmatically to install the certificate. This site gave me a hint on how to use it: weblogs.asp.net/hernandl/archive/2005/02/09/…

Cheers, Chris

Christopher
  • 517
  • 1
  • 4
  • 15