Inserting Certificate (with privatekey) in Root, LocalMachine certificate store fails in .NET 4

albertjan picture albertjan · Sep 2, 2010 · Viewed 23.2k times · Source

I'm having problems inserting a new CA certificate with privatekey in the Root certificate store of the localmachine.

This is what happens:

//This doesn't help either.
new StorePermission (PermissionState.Unrestricted) { Flags = StorePermissionFlags.AddToStore }.Assert();
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
privkey.PersistKeyInCsp = true;
//This shouldn't be necessary doesn't make a difference what so ever.
RSACryptoServiceProvider.UseMachineKeyStore = true;
cert.PrivateKey = privkey;
store.Open (OpenFlags.MaxAllowed);
store.Add (cert);
store.Close ();

The certificate gets inserted and it all looks dandy: (see!) note it says it has a private key

Note: is says it has a privatekey.

So you'd say one would be able to find it with FindPrivateKey

C:\Users\Administrator\Desktop>FindPrivateKey.exe Root LocalMachine -t "54 11 b1 f4 31 99 19 d3 5a f0 5f 01 95 fc aa 6f 71 12 13 eb"
FindPrivateKey failed for the following reason:
Unable to obtain private key file name

Use /? option for help 

It's cute .... BUT IT'S WRONG!! (2 stupid dogs reference)

And the Certificate export dialog gives me this very fine message: alt text

This code is run while impersonating an administrator using this snippet: click here

I'd just love to know WHY?

(tested on Windows Server 2008 R2 & Windows 7)

I'll be damned!

It works when I compile it to v3.5!!!!

What to do?

Answer

Krassi picture Krassi · Jun 23, 2011

I had exactly the same problem and the solution turned out to be really simple. All I had to do is to pass

X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet

to X509Certificate2's ctor. Now you are using the DotNetUtilities to convert the bouncycastle certificate to the .net one, but the helper method creates the .net cert with the DefaultKeySet (instead of MachineKeySet + PersistKeySet ).

And arrange the private key like this:

var cspParams = new CspParameters
{
      KeyContainerName = Guid.NewGuid().ToString(),
      KeyNumber = (int)KeyNumber.Exchange,
      Flags = CspProviderFlags.UseMachineKeyStore
};

var rsaProvider = new RSACryptoServiceProvider(cspParams);

I hope this helps.