Inserting Certificate (with privatekey) in Root, LocalMachine certificate store fails in .NET 4

c# .net-4.0 certificate x509certificate bouncycastle
albertjan picture albertjan · Sep 2, 2010 · Viewed 23.2k times · Source

I'm having problems inserting a new CA certificate with privatekey in the Root certificate store of the localmachine.

This is what happens:

//This doesn't help either.
new StorePermission (PermissionState.Unrestricted) { Flags = StorePermissionFlags.AddToStore }.Assert();
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
privkey.PersistKeyInCsp = true;
//This shouldn't be necessary doesn't make a difference what so ever.
RSACryptoServiceProvider.UseMachineKeyStore = true;
cert.PrivateKey = privkey;
store.Open (OpenFlags.MaxAllowed);
store.Add (cert);
store.Close ();

The certificate gets inserted and it all looks dandy: (see!) note it says it has a private key

Note: is says it has a privatekey.

So you'd say one would be able to find it with FindPrivateKey 

C:\Users\Administrator\Desktop>FindPrivateKey.exe Root LocalMachine -t "54 11 b1 f4 31 99 19 d3 5a f0 5f 01 95 fc aa 6f 71 12 13 eb"
FindPrivateKey failed for the following reason:
Unable to obtain private key file name

Use /? option for help

It's cute .... BUT IT'S WRONG!! (2 stupid dogs reference)

And the Certificate export dialog gives me this very fine message: alt text

This code is run while impersonating an administrator using this snippet: click here

I'd just love to know WHY?

(tested on Windows Server 2008 R2 & Windows 7)

I'll be damned!

It works when I compile it to v3.5!!!!

What to do?

Answer

Krassi picture Krassi · Jun 23, 2011

I had exactly the same problem and the solution turned out to be really simple. All I had to do is to pass

X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet

to X509Certificate2's ctor. Now you are using the DotNetUtilities to convert the bouncycastle certificate to the .net one, but the helper method creates the .net cert with the DefaultKeySet (instead of MachineKeySet + PersistKeySet ).

And arrange the private key like this:

var cspParams = new CspParameters
{
      KeyContainerName = Guid.NewGuid().ToString(),
      KeyNumber = (int)KeyNumber.Exchange,
      Flags = CspProviderFlags.UseMachineKeyStore
};

var rsaProvider = new RSACryptoServiceProvider(cspParams);

I hope this helps.

Related questions

What is the best way to implement a "timer"?

What is the best way to implement a timer? A code sample would be great! For this question, "best" is defined as most reliable (least number of misfires) and precise. If I specify an interval of 15 seconds, I want the …

Read More
An ASP.NET setting has been detected that does not apply in Integrated managed pipeline mode

I Installed DotNetOpenAuth SDK-3.4.5.10201.vsix and I can't get it working. It works locally (when I run as localhost) but when i try to publish it ain't working. The IIS error message I get is Error Summary HTTP Error 500.22 - …

Read More
How to easily initialize a list of Tuples?

I love tuples. They allow you to quickly group relevant information together without having to write a struct or class for it. This is very useful while refactoring very localized code. Initializing a list of them however seems a bit …

Read More