runtime: WindowsCryptographicException trying to read certificate from file
I have a problem adding the client certificate (that is included in the project) on my production environment. It works locally so I guess it is somehow machine related and also it works on our test server. It is trying to import the certificate file as seen below and I have no real help from the error message. I have tried adding more permission to the application pool user as well as file level permissions.
Any ideas on what could be the cause? Or should I rewrite something?
Production server is Windows 2012 R2.
The error I get is:
```
WindowsCryptographicException: An internal error occurred
Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, string fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
System.Security.Cryptography.X509Certificates.X509Certificate..ctor(string fileName, string password, X509KeyStorageFlags keyStorageFlags)
```
```csharp
ChannelFactory<BolagsverketServiceReference.XMLProdukt> factory = null;
BolagsverketServiceReference.XMLProdukt serviceProxy = null;
BasicHttpsBinding binding = null;
binding = new BasicHttpsBinding(BasicHttpsSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
factory = new ChannelFactory<BolagsverketServiceReference.XMLProdukt>(binding, new EndpointAddress("https://eservice.bolagsverket.se/services/XMLProdukt"));
var pathToFile = hostingEnvironment.ContentRootPath
    + Path.DirectorySeparatorChar.ToString()
    + "certificates"
    + Path.DirectorySeparatorChar.ToString()
    + "something.p12";
factory.Credentials.ClientCertificate.Certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(pathToFile, "hiddenpassword", X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);
serviceProxy = factory.CreateChannel();
return serviceProxy;
```
.Net/EF Core 2.0.0 VS 2017 15.3-latest Win 10
About this issue
- State: closed
- Created 7 years ago
- Reactions: 1
- Comments: 15 (4 by maintainers)
Setting up X509Store may help.
Changing from `X509KeyStorageFlags.DefaultKeySet` to `X509KeyStorageFlags.MachineKeySet` fixed it for me.
@johanskoldekrans Sorry to have missed the reply a while ago. If you haven’t managed to get this to work yet you might instead/also want to try specifying the `UserKeySet` flag. It’s possible that the PFX contains the “use the machine store” marker internally and that even with the EphemeralKeySet flag something is not adding up inside the importer.
And if that doesn’t work, try `MachineKeySet | EphemeralKeySet`. (MachineKeySet without EphemeralKeySet should definitely be a permissions problem for ApplicationPoolIdentity)
@wparzych Why does the X509Store initialization matter? You’re not referencing it.
@wparzych Thanks, that did it for me… this is really odd shouldn’t this be open?
To clarify, I am running a Docker image based on microsoft/dotnet:2.2-sdk-nanoserver-1803 and just trying to import the cert.
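
An added diagnostic sketch, not code from the issue or from the .NET project: it tries the key storage flag combinations discussed in this thread in turn and reports which one imports the PFX under the identity the process runs as. The class name `PfxLoadProbe`, the temp file name and the throwaway self-signed certificate are constructed for illustration; Windows and .NET Core 2.0 or later are assumed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PfxLoadProbe // hypothetical helper, not part of any library
{
    // Flag combinations named in the thread; MachineKeySet alone writes to the machine key store, so it goes last.
    static readonly X509KeyStorageFlags[] Candidates =
    {
        X509KeyStorageFlags.EphemeralKeySet,
        X509KeyStorageFlags.UserKeySet,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet,
        X509KeyStorageFlags.MachineKeySet,
    };
    // Returns the first import that yields a certificate with a private key.
    public static X509Certificate2 Load(string pfxPath, string password)
    {
        CryptographicException last = null;
        foreach (var flags in Candidates)
        {
            try
            {
                var cert = new X509Certificate2(pfxPath, password, flags);
                if (!cert.HasPrivateKey) { cert.Dispose(); continue; }
                Console.WriteLine($"OK   {flags} (running as {Environment.UserName})");
                return cert;
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine($"FAIL {flags}: 0x{ex.HResult:X8} {ex.Message}");
                last = ex;
            }
        }
        throw new CryptographicException("No flag combination imported the PFX.", last);
    }

    public static void Main()
    {
        // Constructed sample input: a throwaway self-signed PFX so the probe runs offline.
        var path = Path.Combine(Path.GetTempPath(), "constructed-sample.p12");
        using (var rsa = RSA.Create(2048))
        using (var tmp = new CertificateRequest("CN=constructed-sample", rsa, HashAlgorithmName.SHA256,
            RSASignaturePadding.Pkcs1).CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            File.WriteAllBytes(path, tmp.Export(X509ContentType.Pfx, "constructed-password"));
        using (var cert = Load(path, "constructed-password")) Console.WriteLine(cert.Subject);
        File.Delete(path);
    }
}
```

Run it under the same account as the failing application (for IIS, the application pool identity), since the result depends on which key stores that account can write to.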