An exception occurred while trying to read PrivateKey from a Windows Certification Authority

I created a pair of private and public keys using OpenSSL, and then I generated a .p12 file to import it into my certstore for Windows. The key pairs and .p12 were created in Windows XP, and I am trying to use it in Windows 7. I am trying to access the key from a web service (.svc) in IIS. If I try to read the private key from a standalone application, I can do it without any problems, but when I try to read it from my web application, I always get the following exception:

'cert.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException' 

And this is the whole stack:

    en System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
    en System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
    en System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
    en System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
    en System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
    en ValidKeyDll.ValidKey.getLlaveDeAlmacen(String almacen, Boolean esLlavePrivada) en C:\Users\desarrollo\Documents\ValidKeyDll\ValidKeyDll\ValidKey.cs:línea 58
    en ValidKeyDll.ValidKey.firmaCadena(String almacen, String cadenaFirmar) en C:\Users\desarrollo\Documents\ValidKeyDll\ValidKeyDll\ValidKey.cs:línea 117

And this is my part of the code that reads the key:

    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    RSACryptoServiceProvider csp = null;
    foreach (X509Certificate2 cert in store.Certificates)
    {
        if (cert.Subject.Contains(almacen))
        {
            // Reject an expired certificate before touching its key.
            if (cert.NotAfter.CompareTo(System.DateTime.Now) <= 0)
                throw new CertificadoVencidoException();
            if (isPrivateKey)
                csp = (RSACryptoServiceProvider)cert.PrivateKey;    // throws CryptographicException here
            else
                csp = (RSACryptoServiceProvider)cert.PublicKey.Key;
            break;
        }
    }

I believe that this is due to some kind of resolution problem, but I do not know what it is ... Please, if anyone has any suggestions, we will be very grateful.

THINGS TO CONSIDER:

  • The private key IS exported.
  • User IIS_IUSRS has certificate permissions.
+4
2 answers

I finally solved the problem, but couldn't post the answer until now (because I'm just starting):

The fact is that I imported the .p12 incorrectly. I double-clicked it and followed the steps. That put the certificate in the Current User - Personal certificate store, so I thought that just moving the certificate from this store to the Local Machine store was enough ... but, unexpectedly, it was not. After a long review, I found that IIS has the ability to import certificates itself, and this puts the certificate directly into the certificate store of the local machine. If someone has the same kind of problem or just wants to see how to do it, follow these steps:

  • Open IIS.
  • Go to Server Certificates (sorry if you don't find the exact words, my Windows is in Spanish).
  • Choose Import.
  • Select a file. If your file is .p12, like mine, then select to view *.*
  • Enter the password.
  • Accept ... and voilà.
+4

Yes, this is a permission issue. Some time ago I struggled with this. I am currently using winhttpcertcfg to add the appropriate permissions.

You should also check this link: http://benoit808.wordpress.com/2008/10/31/cryptographicexception-the-handle-is-invalid/ .

There is also an article about this http://www.stevefenton.co.uk/Content/Blog/Date/201101/Blog/X509-Certificates-On-Windows-Server-2003/ . You may also need to add permissions for the IIS_WPG and IUSR accounts (this article does not mention this).

+1
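The pattern both answers point at (certificate present in LocalMachine\My, but the key itself unreadable by the IIS worker identity) is easier to diagnose if the lookup checks each condition separately. This is an added example, not the asker's code or either answerer's; it assumes .NET Framework 4.6 or later (for GetRSAPrivateKey), and the class and method names are chosen for the example:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;

// Added example, not the asker's code: assumes .NET Framework 4.6 or later.
public static class MachineStoreSigner
{
    // Finds the certificate by subject in LocalMachine\My, checks that the private
    // key is actually reachable from the current identity, and signs the text.
    public static byte[] SignString(string subjectFragment, string text)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly: false so an expired certificate is still found and reported.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectFragment, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("No certificate matches " + subjectFragment);

            X509Certificate2 cert = matches[0];
            if (cert.NotAfter <= DateTime.Now)
                throw new InvalidOperationException("Certificate expired on " + cert.NotAfter);

            // HasPrivateKey only says the store entry references a key; whether this
            // identity may open that key is only discovered by GetRSAPrivateKey().
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Imported without its private key; re-import the .p12 into the machine store.");
            try
            {
                using (RSA rsa = cert.GetRSAPrivateKey())
                    return rsa.SignData(Encoding.UTF8.GetBytes(text),
                        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
            catch (CryptographicException ex)
            {
                // Typical IIS cause: the key file exists but the application pool
                // identity has no read permission on it.
                string who = WindowsIdentity.GetCurrent().Name;
                throw new InvalidOperationException(
                    "Private key of '" + cert.Subject + "' is not readable by " + who +
                    "; grant that account read access to the key.", ex);
            }
        }
    }
}
```

The rethrown message names the account that actually ran the code, which is what you need when granting key permissions (for example with winhttpcertcfg, as the second answer suggests).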
