
I created a self-signed PFX X509Certificate2 (using this answer) but for some reason, the private key of the certificate is throwing a NotSupportedException despite a true HasPrivateKey property.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

string password = "MyPassword";

// Self-signed certificate over a freshly generated ECDSA key pair
ECDsa ecdsa = ECDsa.Create();
CertificateRequest certificateRequest = new CertificateRequest("cn=foobar", ecdsa, HashAlgorithmName.SHA256);
X509Certificate2 cert = certificateRequest.CreateSelfSigned(DateTimeOffset.Now, DateTimeOffset.Now.AddYears(5));

// Password-protected PFX containing the certificate and its private key
File.WriteAllBytes("e:\\mycert.pfx", cert.Export(X509ContentType.Pfx, password));

//I tried to load the certificate with every flag without success...
X509Certificate2 loadedCert = new X509Certificate2("e:\\mycert.pfx", password);
if (loadedCert.HasPrivateKey)
{
    //loadedCert.HasPrivateKey is true but loadedCert.PrivateKey raises a NotSupportedException...
    using (RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)loadedCert.PrivateKey)
    {
        byte[] encryptedBytes = rsa.Encrypt(Encoding.UTF8.GetBytes("Hello"), false);
        byte[] decryptedBytes = rsa.Decrypt(encryptedBytes, false);
        string result = Encoding.UTF8.GetString(decryptedBytes);
    }
}

Some have mentioned that calling the Export of the certificate would fix the private key, but it didn't work for me. I'm probably missing something but I can't figure out what it could be. Is there a missing parameter somewhere?

The_Black_Smurf

2 Answers


You are creating an ECDSA key pair, while X509Certificate2.PrivateKey supports only DSA and RSA private keys that are stored in a legacy cryptographic service provider (CSP). ECDSA is always stored in a key storage provider (KSP), which is not supported by this property. Instead, you must use the GetECDsaPrivateKey extension method: GetECDsaPrivateKey(X509Certificate2)

Crypt32
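
The following is an added example, not code from the question or from this answer. It creates a self-signed ECDSA certificate, round-trips it through a password-protected PFX kept in memory (no e:\ path), and shows that HasPrivateKey is true, that the legacy PrivateKey property throws NotSupportedException, and that GetECDsaPrivateKey()/GetECDsaPublicKey() give a working signing key. Because the question's real goal was RSA encrypt/decrypt, it also builds an RSA-backed certificate and uses GetRSAPrivateKey()/GetRSAPublicKey() instead of the RSACryptoServiceProvider cast. It assumes .NET 6 or later (it also compiles on .NET Framework 4.7.2+, with the OAEP caveat noted in the comment); the subject names and password are constructed sample values.

```csharp
// Added example, not from the question or the answer.
// PrivateKey is obsolete on newer runtimes (SYSLIB0028), and the byte[]/password
// constructor is obsolete on .NET 9 (SYSLIB0057); the pragma only silences warnings.
#pragma warning disable SYSLIB0028, SYSLIB0057
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class CertKeyDemo
{
    const string Password = "MyPassword";   // constructed sample value

    static void Main()
    {
        EcdsaRoundTrip();
        RsaRoundTrip();
    }

    static void EcdsaRoundTrip()
    {
        byte[] pfx;
        using (ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        {
            var req = new CertificateRequest("CN=foobar", key, HashAlgorithmName.SHA256);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                       DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(5)))
            {
                pfx = cert.Export(X509ContentType.Pfx, Password);   // cert + private key
            }
        }

        using (var loaded = new X509Certificate2(pfx, Password))
        {
            Console.WriteLine($"HasPrivateKey = {loaded.HasPrivateKey}");   // True

            // The legacy property only understands RSA/DSA keys; ECDSA (KSP-backed) throws.
            try
            {
                AsymmetricAlgorithm legacy = loaded.PrivateKey;
                Console.WriteLine($"PrivateKey returned {legacy.GetType().Name}");
            }
            catch (NotSupportedException e)
            {
                Console.WriteLine($"PrivateKey threw NotSupportedException: {e.Message}");
            }

            // The algorithm-specific accessors work regardless of CSP vs. KSP storage.
            byte[] data = Encoding.UTF8.GetBytes("Hello");
            using (ECDsa priv = loaded.GetECDsaPrivateKey())
            using (ECDsa pub = loaded.GetECDsaPublicKey())
            {
                byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256);
                bool ok = pub.VerifyData(data, sig, HashAlgorithmName.SHA256);
                Console.WriteLine($"ECDSA signature verifies: {ok}");   // True
            }
        }
    }

    // Encrypt/decrypt needs an RSA key, so the certificate must be built over RSA.
    static void RsaRoundTrip()
    {
        using (RSA rsaKey = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=foobar-rsa", rsaKey,
                                             HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 cert = req.CreateSelfSigned(
                       DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(5)))
            using (var loaded = new X509Certificate2(cert.Export(X509ContentType.Pfx, Password), Password))
            using (RSA pub = loaded.GetRSAPublicKey())     // never cast to RSACryptoServiceProvider
            using (RSA priv = loaded.GetRSAPrivateKey())
            {
                // OAEP-SHA256 is supported by the CNG/KSP keys .NET Core and .NET 5+ use on Windows
                // and by the OpenSSL/Apple backends; a CSP-backed key on .NET Framework only
                // supports RSAEncryptionPadding.OaepSHA1.
                byte[] ct = pub.Encrypt(Encoding.UTF8.GetBytes("Hello"), RSAEncryptionPadding.OaepSHA256);
                byte[] pt = priv.Decrypt(ct, RSAEncryptionPadding.OaepSHA256);
                Console.WriteLine($"RSA round trip: {Encoding.UTF8.GetString(pt)}");   // Hello
            }
        }
    }
}
```

Two practical points follow from the example: check the key algorithm (GetKeyAlgorithm() or the accessor returning null) rather than only HasPrivateKey before picking an accessor, and prefer the RSA/ECDsa base-class APIs with explicit padding over RSACryptoServiceProvider, whose Encrypt(byte[], false) means PKCS#1 v1.5 padding.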

1. There are two types of algorithms for public-key cryptography (RSA and ECC). The problem is you are creating an ECC (i.e. ECDsa) key and then you are trying to get it as an RSA private key, which is definitely not correct. What you should do here is to use one algorithm on both sides.
2. If you only want to encrypt and then decrypt a piece of data, why use X509Certificate2? Use AES instead, which is meant for this purpose.

F_IVI_L
  • There are way more than two :). (Integer Field) Diffie-Hellman, RSA, DSA, ECC (which breaks down into ECDH, ECDSA, EC-MQV, EdDSA, ...), whichever GOST algorithms apply, lattice things are in the works, et cetera. – bartonjs Nov 14 '19 at 21:01
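
The second point of this answer, worked out as an added example (not code from the answer): when one party encrypts and later decrypts its own data, a symmetric AEAD cipher such as AES-GCM is the right tool. The example goes slightly beyond the answer by also showing that a tampered ciphertext is rejected rather than silently decrypted to garbage. It assumes .NET 8 or later (for the AesGcm constructor that takes an explicit tag size); the key, plaintext and associated data are constructed sample values, and a real key would come from a key store rather than be generated in the program.

```csharp
// Added example, not from the answer.
using System;
using System.Security.Cryptography;
using System.Text;

static class AesGcmDemo
{
    const int NonceSize = 12;   // 96-bit nonce, the recommended size for GCM
    const int TagSize = 16;     // 128-bit authentication tag

    // Output layout: nonce || ciphertext || tag. A nonce must never repeat under the
    // same key, so a fresh random one is generated for every message.
    public static byte[] Encrypt(byte[] key, byte[] plaintext, byte[] associatedData)
    {
        byte[] output = new byte[NonceSize + plaintext.Length + TagSize];
        Span<byte> nonce = output.AsSpan(0, NonceSize);
        Span<byte> ciphertext = output.AsSpan(NonceSize, plaintext.Length);
        Span<byte> tag = output.AsSpan(NonceSize + plaintext.Length, TagSize);

        RandomNumberGenerator.Fill(nonce);
        using (var aes = new AesGcm(key, TagSize))
        {
            aes.Encrypt(nonce, plaintext, ciphertext, tag, associatedData);
        }
        return output;
    }

    public static byte[] Decrypt(byte[] key, byte[] input, byte[] associatedData)
    {
        if (input.Length < NonceSize + TagSize)
            throw new CryptographicException("Input too short to contain nonce and tag");

        ReadOnlySpan<byte> nonce = input.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> ciphertext = input.AsSpan(NonceSize, input.Length - NonceSize - TagSize);
        ReadOnlySpan<byte> tag = input.AsSpan(input.Length - TagSize, TagSize);

        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(key, TagSize))
        {
            // Throws AuthenticationTagMismatchException (a CryptographicException) if the
            // ciphertext, tag or associated data were modified.
            aes.Decrypt(nonce, ciphertext, tag, plaintext, associatedData);
        }
        return plaintext;
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);   // AES-256; sample key for the demo only
        byte[] aad = Encoding.UTF8.GetBytes("v1");          // constructed associated data (e.g. format version)

        byte[] blob = Encrypt(key, Encoding.UTF8.GetBytes("Hello"), aad);
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, blob, aad)));   // Hello

        // Flip one ciphertext byte: decryption fails instead of returning corrupted data.
        blob[NonceSize] ^= 0x01;
        try
        {
            Decrypt(key, blob, aad);
        }
        catch (CryptographicException)
        {
            Console.WriteLine("tamper detected");
        }
    }
}
```

Binding the associated data (here a format version) into the tag means a ciphertext cannot be replayed under a different context without failing authentication, which plain AES-CBC without a MAC would not catch.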