60

I have a certificate generated via MakeCert. I want to use this certificate for WCF message security using PeerTrust. How can I programmatically install the certificate into the "trusted people" local machine certificate store using C# or .NET?

I have a CER file, but can also create a PFX.

J Davis
  • Btw - I know the details of Makecert and trust. Please, just looking for suggestions on installing the certificate using programmatic C# or InstallShield. Thanks! – J Davis Feb 19 '09 at 18:38
  • Any idea how to do this in a C program? Any API in Windows? – 2vision2 May 24 '12 at 05:01

4 Answers

66

I believe that this is correct:

```csharp
using (X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadWrite);
    store.Add(cert); // where cert is an X509Certificate object
}
```
Tim Rogers
Demi
  • 1
    This installs the certificate successfully, but when I open the Manage Private Keys option for the private key in the personal store, it gives a "no keys found for certificate" error. – mit Dec 08 '16 at 10:34
  • 2
    I guess this answer's now void as X509Store is not disposable. – Ash Burlaczenko Nov 23 '17 at 11:15
  • @mit did you find a solution for "no private key found for this certificate"? – samir105 Jan 06 '18 at 07:08
  • @mit Were you looking at the "CurrentUser" store? Then you need to change the `StoreLocation` to `StoreLocation.LocalMachine`. – Chung Lun Yuen Dec 14 '18 at 11:28
48

The following works well for me:

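```csharp
using System.Security.Cryptography.X509Certificates;

private static void InstallCertificate(string cerFileName)
{
    // Load the public certificate from the .cer file.
    X509Certificate2 certificate = new X509Certificate2(cerFileName);
    X509Store store = new X509Store(StoreName.TrustedPublisher, StoreLocation.LocalMachine);

    // Writing to a LocalMachine store requires ReadWrite access.
    store.Open(OpenFlags.ReadWrite);
    store.Add(certificate);
    store.Close();
}
```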
  • 4
    For storing the certificate in the `Personal` node, choose the enum value `StoreName.My`. For storing the certificate in the `Trusted Root Certification Authorities` node, choose the enum value `StoreName.Root`. – RBT Jul 01 '21 at 09:05
8

Instead of installing the certificate to LocalMachine, which requires elevated privileges, you can add it to "CurrentUser" (works for me).

```csharp
X509Store store = new X509Store(StoreName.TrustedPeople, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
store.Add(cert); // where cert is an X509Certificate object
store.Close();
```
user1799563
  • Thanks for this. This was preferable for me as this will be running in a self hosted service that is executed (multiple instances) at runtime. No way to provide UAC prompt. Thanks again! – CodeWarrior Jan 10 '14 at 22:35
4

I had to use the `X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet` flags to resolve a "Keyset does not exist" error that occurred later on an attempt to use the certificate:

```csharp
X509Certificate2 certificate = new X509Certificate2(pfxPath, password, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet);
using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadWrite);
    store.Add(certificate);
    store.Close();
}
```

Thanks to this article: Private key of certificate in certificate-store not readable

Dmitry
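
Added example, not part of any answer above: one way to install a public-only .cer into the LocalMachine TrustedPeople store for PeerTrust, confirming first that the file is the certificate you intend to trust. The class and method names, the out-of-band thumbprint parameter and the command-line usage are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class PeerTrustInstaller   // hypothetical name, not from the answers
{
    // expectedThumbprint: SHA-1 thumbprint received out of band (assumed input).
    // Returns true if the certificate was added, false if it was already present.
    public static bool InstallTrustedPeer(string cerPath, string expectedThumbprint)
    {
        var cert = new X509Certificate2(cerPath);

        // Thumbprints pasted from the certificate dialog can carry spaces or
        // invisible characters, so keep only the hex digits before comparing.
        string expected = new string(expectedThumbprint.Where(c => Uri.IsHexDigit(c)).ToArray());
        if (!string.Equals(cert.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Thumbprint mismatch for " + cert.Subject);

        // PeerTrust accepts whatever sits in TrustedPeople, so only a peer's
        // public certificate belongs here, never a PFX with its private key.
        if (cert.HasPrivateKey)
            throw new InvalidOperationException("Expected a public-only .cer file.");

        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Certificate is outside its validity period.");

        var store = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
        try
        {
            // ReadWrite on LocalMachine needs an elevated process.
            store.Open(OpenFlags.ReadWrite);
            bool present = store.Certificates
                .Find(X509FindType.FindByThumbprint, cert.Thumbprint, false).Count > 0;
            if (!present) store.Add(cert);
            return !present;
        }
        finally { store.Close(); }   // Close() is available on every framework version
    }

    static int Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: install <file.cer> <thumbprint>"); return 2; }
        bool added = InstallTrustedPeer(args[0], args[1]);
        Console.WriteLine(added ? "Added to TrustedPeople." : "Already present.");
        return 0;
    }
}
```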