
I have generated my own cert to use in my .NET 6 API. I have added the following to the appsettings.json (Password not used for production :P )

  "Kestrel": {
    "Endpoints": {
      "Https": {
        "Url": "https://*:5409",
        "Certificate": {
          "Path": "D:\\supercertificate.pfx",
          "Password": "Password!"
        }
      }
    }
  },

On startup I have the following error: screenshot

Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException
  HResult=0x80090010
  Message=Access denied.
  Source=System.Security.Cryptography.X509Certificates
  StackTrace:
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Certificates.CertificateConfigLoader.LoadCertificate(CertificateConfig certInfo, String endpointName)
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Reload()
   at Microsoft.AspNetCore.Server.Kestrel.KestrelConfigurationLoader.Load()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.<BindAsync>d__33.MoveNext()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerImpl.<StartAsync>d__30`1.MoveNext()
   at Microsoft.AspNetCore.Hosting.GenericWebHostService.<StartAsync>d__37.MoveNext()
   at Microsoft.Extensions.Hosting.Internal.Host.<StartAsync>d__12.MoveNext()
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.<RunAsync>d__4.MoveNext()
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.<RunAsync>d__4.MoveNext()
   at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.Run(IHost host)
   at Program.Main(String[] args) in D:\Program.cs:line 9

  This exception was originally thrown at this call stack:
    [External Code]
    Program.Main(string[]) in Program.cs

I have checked the file location and used openssl to open and read the pfx file with the password. I have also confirmed file permissions are correct.

 ~  openssl pkcs12 -info -in supercertificate.pfx -nodes
Enter Import Password:
MAC: sha1, Iteration 2000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 01 00 00 00
    friendlyName: te-e02d7385-8f7e-406c-8dde-51dbae188432
    Microsoft CSP Name: Microsoft Software Key Storage Provider
Key Attributes
    X509v3 Key Usage: 90
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDerG/71KYBKi/C
fETsPq55UWsBeigslhOpI4L8qVhycAbCgxDTXsflry+nVIDTU4Imbvlrb2lpcVCR

It seems there is an issue with the cert or loading it but I can't think what. Any help appreciated.

Mad Eddie
  • Post the full exception details instead of a screenshot. You can get the full details as text by clicking on `Copy Details` in the exception popup. There may be an inner exception that shows what access was denied. Perhaps the code tried to read from registry? Or read from a path without proper permissions? – Panagiotis Kanavos Jan 31 '23 at 10:57
  • Sorry - they got missed off - added now. – Mad Eddie Jan 31 '23 at 11:03

1 Answer

We had the exact same issue at work. We could solve it by setting permissions.

Use an admin PowerShell and execute:

    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /inheritance:r /grant Administrators:F /grant:r Everyone:RW

We found the answer here. https://stackoverflow.com/a/73409128

4Blur
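Before changing the ACL as the answer suggests, a diagnostic run under the same account as the API can show who the process runs as, what the MachineKeys folder currently grants, and which key-storage choice produces the access-denied error. This is an added example, not code from the question or the answer; it reuses the PFX path and password from the question, and the idea that the import fails while Windows writes the private key into a key-store folder is an assumption the script is meant to confirm or rule out.

```powershell
# Added diagnostic sketch. Run it as the same account that hosts the API.
# Path and password are the ones shown in the question.
$machineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$pfxPath     = 'D:\supercertificate.pfx'
$pfxPassword = 'Password!'

# 1. Which identity is actually performing the import?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as: $($me.Name)"

# 2. What does the MachineKeys folder grant right now?
try {
    (Get-Acl -LiteralPath $machineKeys).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
        Format-Table -AutoSize | Out-String
} catch {
    "Could not read ACL on ${machineKeys}: $($_.Exception.GetBaseException().Message)"
}

# 3. Import the PFX under each key-storage choice and report which ones fail.
#    PersistKeySet is not used, so key files created by a successful import
#    are removed again when the certificate object is disposed.
foreach ($name in 'DefaultKeySet', 'MachineKeySet', 'UserKeySet') {
    $flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]$name
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            $pfxPath, $pfxPassword, $flag)
        '{0,-14} OK    HasPrivateKey={1}  Subject={2}' -f $name, $cert.HasPrivateKey, $cert.Subject
        $cert.Dispose()
    } catch {
        # GetBaseException unwraps PowerShell's MethodInvocationException
        # to the underlying CryptographicException.
        $inner = $_.Exception.GetBaseException()
        '{0,-14} FAIL  0x{1:X8}  {2}' -f $name, $inner.HResult, $inner.Message
    }
}
```

If `MachineKeySet` fails with `0x80090010` while `UserKeySet` succeeds, the account lacks write access to the MachineKeys folder, which is the condition the `icacls` command above changes.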