
I'm working with X509 certificates and have a MyCert.pfx file that contains the certificate and both public and private keys. It happens that I exported this certificate from a certificate store on my local machine.

My goal is to pretend I'm on a different machine and read the PFX file and make a new X509Certificate2 from the data and password that I have.

I can do that successfully on my own machine as long as I add the UserKeySet flag to the constructor call.

using System.Security.Cryptography.X509Certificates;

// certKeyData: the raw bytes of MyCert.pfx; certPwd: the PFX password
var flags = X509KeyStorageFlags.UserKeySet;
var cert = new X509Certificate2(certKeyData, certPwd, flags);

What bothers me is that my constructor call fails ("Access denied.") without the UserKeySet flag. I know I need the flag to point to my local (personal) certificates in the machine store, but the real question is why the constructor is looking into my personal or machine key stores at all. I'm trying to pretend I'm on a different machine that has no such store.

Q. Should I be able to create an X509Certificate2 WITHOUT looking in a store on my local machine? If not, why not? Isn't the certificate just a pile of bytes that is unrelated to any key store on any particular machine? Can they exist without reference to, or accessing, a local store? Thank you.

Kevin
  • You should edit your title. Have you looked at: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.-ctor?view=net-6.0#system-security-cryptography-x509certificates-x509certificate2-ctor(system-string-system-string). With that constructor, you point at a PFX file (that includes the private key) and you pass in a password – Flydog57 Jun 27 '22 at 23:12
  • It's a bit of a saga, but I think https://stackoverflow.com/questions/52750160/what-is-the-rationale-for-all-the-different-x509keystorageflags/52840537#52840537 might help you understand what's going on (the build up + explanation of the UserKeySet flag) – bartonjs Jun 27 '22 at 23:14
  • @Flydog57 Thank you for your suggestion. Yes, I have spent many hours with the Microsoft docs, including the link you provided. My original code did NOT use the flags, and was the API you pointed at. But it would always fail with "Access Denied." As soon as I provided the UserKeySet flag (from some other SO post), the code worked okay. I concluded that the constructor must be accessing a local store on my machine and that UserKeySet directed it to the store where I had access. – Kevin Jun 27 '22 at 23:59
  • @bartonjs Thank you for that link. It was surely helpful. I can see that the Windows designers like the idea of always working with certs against stores of some kind. And I have hope that the combination `PKCS12_NO_PERSIST_KEY` / `X509KeyStorageFlags.EphemeralKeySet` might work for me. All I need is to manage the pub/private RSA keys, so maybe I'll just generate those a different way and skip the whole idea of using a cert as a container. – Kevin Jun 28 '22 at 00:08
  • @bartonjs The `EphemeralKeySet` flag also worked for me. Thanks to your post, I now understand what is happening. The default (no flags argument) is supposed to be `UserKeySet`, which specifies that importing should persist to the current local user store. (No flags gave Access Denied, UserKeySet flag worked okay; thus UserKeySet alone is not the default.) Ephemeral is what I want, and specifies no persisting of the keys. Thank you for your post! – Kevin Jun 28 '22 at 00:16
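
The approach the comments converge on, loading a PFX with `X509KeyStorageFlags.EphemeralKeySet` so the private key lives only in process memory and no user or machine key container is touched, as an added example that is not part of the question or the comments. To stay self-contained it builds a constructed self-signed certificate in memory and exports it to PFX bytes in place of the questioner's MyCert.pfx; the class and method names (`PfxWithoutStore`, `MakePfx`, `LoadWithoutStore`, `SignAndVerify`) and the password are made up for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (hypothetical names): load a PFX without persisting its
// private key to any Windows key store, then prove the key is usable.
static class PfxWithoutStore
{
    // Constructed stand-in for MyCert.pfx: a self-signed RSA certificate
    // created entirely in memory and exported as password-protected PKCS#12.
    public static byte[] MakePfx(string password)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(
            "CN=ephemeral-demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
        return cert.Export(X509ContentType.Pfx, password);
    }

    // EphemeralKeySet: the private key is held in memory for the life of the
    // object only. Nothing is written to the user or machine key container,
    // so the import cannot fail on store permissions the way the default
    // (persisting) import did for the questioner.
    public static X509Certificate2 LoadWithoutStore(byte[] pfx, string password)
    {
        return new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    // Sign with the private key and verify with the public key taken from
    // the same certificate; returns true when the round-trip succeeds.
    public static bool SignAndVerify(X509Certificate2 cert, byte[] data)
    {
        using RSA priv = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("certificate has no private key");
        using RSA pub = cert.GetRSAPublicKey()!;
        byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        const string pwd = "constructed-demo-password"; // constructed, not a real secret
        byte[] pfx = MakePfx(pwd);
        using var cert = LoadWithoutStore(pfx, pwd);
        Console.WriteLine($"Loaded {cert.Subject}; HasPrivateKey={cert.HasPrivateKey}");
        bool ok = SignAndVerify(cert, Encoding.UTF8.GetBytes("hello"));
        Console.WriteLine($"Signature round-trip succeeded: {ok}");
    }
}
```

One caveat worth knowing before choosing this flag: on Windows a certificate loaded with `EphemeralKeySet` has no key-container backing, so components that hand the certificate to SChannel (for example `SslStream` or Kestrel TLS) cannot use it; for pure sign/encrypt work in your own process, as in the question, it is the right fit.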

0 Answers