Archives

December 2011 (1)
November 2011 (2)
October 2011 (5)
September 2011 (1)
July 2011 (1)
June 2011 (2)
May 2011 (1)
April 2011 (2)
March 2011 (2)
February 2011 (4)
January 2011 (7)
December 2010 (3)
November 2010 (13)
October 2010 (2)
September 2010 (4)
August 2010 (2)
July 2010 (1)
June 2010 (3)
May 2010 (3)
April 2010 (4)
March 2010 (12)
February 2010 (7)
January 2010 (4)
December 2009 (1)
November 2009 (18)
October 2009 (2)
September 2009 (4)
August 2009 (3)
July 2009 (6)
June 2009 (2)
May 2009 (7)
April 2009 (8)
March 2009 (10)
January 2009 (6)
November 2008 (16)
October 2008 (5)
September 2008 (3)
August 2008 (2)
June 2008 (1)
May 2008 (2)
April 2008 (1)
March 2008 (1)
February 2008 (2)
January 2008 (2)
December 2007 (3)
November 2007 (14)
October 2007 (2)
September 2007 (4)
August 2007 (2)
July 2007 (3)
June 2007 (5)
May 2007 (4)
April 2007 (7)
March 2007 (6)
February 2007 (11)

Other Blogs

MSDN Blogs
Dennis Doomen
The ServerSide
Blog Randal van Splunteren
Koen Willemse
Hans ter Wal

Links

C# 3.0 Coding Guidelines

Accessing a private key for a certificate

I ran into an interesting issue yesterday with trying to access the private key of a certificate. Why I needed to do that, isn’t really relevant for this post, but the trouble I ran into is something worth sharing.

First of all, you need a certificate with an exportable key: you can do so when you import the certificate into the certificate store. So far so good, this is easy. It got alot worse after that: while trying to open the certificate’s private key, I got an error saying: “Handle is invalid”. Thanks very much for this very descriptive error… What this basically means is that, in my case, the ASP.NET application does not have access the private key. Or better: the identity the application pool uses does not have access to the private key, which is stored on disk. This can be solved by downloading the Winhttpcertcfg tool from Microsoft. This tool allows you to add permissions on the private key of the certificate. You have to run the tool from the command-line (it is located in C:\Program Files\Windows Resource Kits\Tools) and specify the store, certificate issuer and the user you want to grant access to.

Example:

winhttpcertcfg -g -c LOCAL_MACHINE\MY -s <Certificate Issuer> -a <Account name>

Ok fine, the “Handle is invalid” error had disappeared, but now I got another error: “System cannot find the file specified”. Hmm, okay, another very clear error message. Thanks again, I started to wonder whether using the System.Security.Cryptography also means that you get cryptic error messages along with it. Problem was though, that my application pool was configured to use a custom account. When I switched this to the default Network Service account there wasn’t a single problem. It turned out that the RSACryptoServiceProvider class tries to access the user profile of the configured account in the application pool. But since this user has not logged in to the machine yet (and probably never will), it cannot access the directories.

You can find a more detailed explanation on this other blog site I ran into while investigating the problem: http://blogs.msdn.com/alejacma/archive/2007/12/03/rsacryptoserviceprovider-fails-when-used-with-asp-net.aspx

All that I needed to do now, was directing the RSACryptoServiceProvider instance to the machine certificate store by adding parameters with the constructor:

   1: var rsaParameters = new CspParameters

   2:                         {

   3:                             Flags = CspProviderFlags.UseMachineKeyStore

   4:                         };

   5: var rsa = new RSACryptoServiceProvider(rsaParameters);

After the change in code, everything worked just fine.

Posted on 18-03-2009 by Arnold Jan van der Burg
0 Comments | Trackback Url | Link to this post
Tags:

Links to this post

Comments

Name:

URL:

Email:

Comments:

CAPTCHA Image Validation