
Inserting a certificate with private key into the Root LocalMachine certificate store

I'm having issues inserting a brand new CA certificate with its private key into the Root certificate store of the local machine.

This is what happens:

//This doesn't help
new StorePermission (PermissionState.Unrestricted) { Flags = StorePermissionFlags.AddToStore }.Assert();
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
privkey.PersistKeyInCsp = true;
//This shouldn't be necessary, doesn't make a difference whatsoever.
RSACryptoServiceProvider.UseMachineKeyStore = true;
cert.PrivateKey = privkey;
store.Open (OpenFlags.MaxAllowed);
store.Add (cert);
store.Close ();

The certificate gets inserted and everything seems to be fine: [screenshot] notice it says it has a private key.

Note: it says it has a private key.

So you would think one would be able to find it with FindPrivateKey:

C:\Users\Administrator\Desktop>FindPrivateKey.exe Root LocalMachine -t "54 11 b1 f4 31 99 19 d3 5a f0 5f 01 95 fc aa 6f 71 12 13 eb"
FindPrivateKey failed for the following reason:
Unable to obtain private key file name
Use /? option for help

It's cute .... BUT IT'S WRONG!! (2 Stupid Dogs reference)

And the Certificate export dialog gives me this very nice message: [screenshot]

This code is run while impersonating an administrator using this snippet: [link]

I've added the code for generating and inserting a root cert into the store here: [link]

You'll also need this dll: [link] (It's BouncyCastle)

It also generates a .pfx file that does work if imported.

I'd just like to know WHY?

(tested on Windows Server 2008 R2 & Windows 7)

I'll be damned!

It works when I compile it for v3.5!!!!

What to do?

#c #net40 #certificate #x509certificate #bouncycastle
Last update on March 22, 1:55 am by lincoln6518.
Did you try the suggestion from my answer? Does it work? Do you have any questions or comments?
  • November 19, 2016
Did you ever solve this? I'm trying to fix something similar right now, thanks!
  • November 19, 2016
@TJB No, I didn't. I made a little command-line app in .NET v3.5 where it did work. I posted it on Microsoft Connect but I don't think it's very high on their priority list.
  • November 19, 2016

I had precisely the same problem and the solution turned out to be really easy. All I had to do was pass

X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet

to X509Certificate2's ctor. Now you're using DotNetUtilities to convert the BouncyCastle certificate to the .NET one, but that helper method creates the .NET cert with the DefaultKeySet (instead of MachineKeySet + PersistKeySet).

And set up the private key like this:

var cspParams = new CspParameters
{
    KeyContainerName = Guid.NewGuid().ToString(),
    KeyNumber = (int)KeyNumber.Exchange,
    Flags = CspProviderFlags.UseMachineKeyStore
};
var rsaProvider = new RSACryptoServiceProvider(cspParams);

I hope this helps.

Last update on March 22, 1:55 am by gerry7448.
I'll look into it. I have tried something like this but not or-ing them. Thanks!
  • November 19, 2016
Thanks, you were absolutely right. Better late than never, right?
  • November 19, 2016
I also had to do this:
  • November 19, 2016
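The fix from the answer above (a key container created through CspParameters in the machine key store, and the certificate loaded with MachineKeySet | PersistKeySet) written out as one complete flow, followed by the check a practitioner would run afterwards. This is an added example, not code from the question or from any answer on this page, and it targets the .NET Framework (it relies on the X509Certificate2.PrivateKey setter). It assumes the caller already holds the DER-encoded certificate and the matching RSAParameters; how those are obtained from the BouncyCastle objects (for instance through DotNetUtilities) is left out. MachineKeyStoreImport, AddToLocalMachineRoot and DescribePrivateKey are names chosen for this example.

```csharp
// Added example (not from the original post or answers): persist an RSA key pair
// in the machine key store, bind it to the certificate, add it to LocalMachine\Root
// and then verify the binding the same way FindPrivateKey would. .NET Framework only.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class MachineKeyStoreImport
{
    // certDer: DER-encoded certificate; rsaParams: its private key.
    // Both are assumed to come from the BouncyCastle objects generated elsewhere.
    public static X509Certificate2 AddToLocalMachineRoot(byte[] certDer, RSAParameters rsaParams)
    {
        // A named container in the machine store (not the user-profile store
        // that RSACryptoServiceProvider uses by default).
        var cspParams = new CspParameters
        {
            KeyContainerName = Guid.NewGuid().ToString(),
            KeyNumber = (int)KeyNumber.Exchange,
            Flags = CspProviderFlags.UseMachineKeyStore
        };
        var rsa = new RSACryptoServiceProvider(cspParams) { PersistKeyInCsp = true };
        rsa.ImportParameters(rsaParams);   // the key pair now lives in that container

        // MachineKeySet | PersistKeySet: the key-provider info stored with the
        // certificate must refer to the machine store, otherwise LocalMachine\Root
        // ends up with a certificate whose key reference other accounts cannot open.
        var cert = new X509Certificate2(certDer, (string)null,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        cert.PrivateKey = rsa;   // writes CERT_KEY_PROV_INFO_PROP_ID onto the certificate

        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        store.Close();
        return cert;
    }

    // Re-read the certificate from the store and report where Windows says the
    // private key is. UniqueKeyContainerName is the key file name that
    // FindPrivateKey failed to obtain in the question.
    public static string DescribePrivateKey(string thumbprint)
    {
        var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) return "certificate not found in LocalMachine\\Root";
            var cert = found[0];
            if (!cert.HasPrivateKey) return "no private key reference on the certificate";

            var rsa = cert.PrivateKey as RSACryptoServiceProvider;   // throws if the container is unreachable
            if (rsa == null) return "private key is not held by a CSP";
            var info = rsa.CspKeyContainerInfo;
            return string.Format("container={0} machineStore={1} keyFile={2}",
                info.KeyContainerName, info.MachineKeyStore, info.UniqueKeyContainerName);
        }
        catch (CryptographicException ex)
        {
            // "Keyset does not exist" here means the certificate points at a
            // container this account cannot see: the symptom from the question.
            return "key reference is broken: " + ex.Message;
        }
        finally
        {
            store.Close();
        }
    }
}
```

DescribePrivateKey reads CspKeyContainerInfo, which is the same key-provider information FindPrivateKey resolves. If it reports machineStore=False, or returns the "key reference is broken" branch, the certificate's key reference points at a per-user container and the symptom from the question will reproduce for every other account on the machine.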

It seems to me that you have to import the key in a slightly different way. See for an example.

Moreover, I don't find it good to save the private key in UseMachineKeyStore. In most cases you need to import the certificate with the private key into the My store of some user and import into Root only the certificate without the private key.

If you do need to save the private key in the machine key store, you will probably want to at least protect the key so that it can be read only by some selected users and not by Everyone. The key container is just a file in the file system (see the files in the directory "%ALLUSERSPROFILE%\Microsoft\Crypto\Keys") which has security descriptors like other files in NTFS. To change the security descriptors of the files you can use the CspKeyContainerInfo.CryptoKeySecurity property and AddAccessRule, RemoveAccessRule and so on.

UPDATED: First of all, sorry for the long answer.

I would divide your program code into two parts. In the first part you generate a self-signed certificate that can be used as a CA certificate and you save it as a rootcert.pfx file. In the second part you import the certificate, but use an RSACryptoServiceProvider filled with the properties of the previously created key instead of using rootcert.pfx.

I suggest changing the second part of your code to more standard and simple code: import the certificate with the private key from rootcert.pfx as described in http://make It works really well.

I don't use BouncyCastle myself, so I can't comment on the first part of your code, but in general what you do in the code you could also do with the MakeCert.exe tool from the Windows SDK. You can do it like the following

MakeCert.exe -pe -ss MY -a sha1 -cy authority -len 2048 -m 120 -r -# 1 -n "CN=Some Root CA, C=NL, OU=BleedingEdge, ST=Somewhere, L=Somelane"

Then you can export the certificate with or without the private key using the Certificates snap-in (for mmc.exe). In the example above I do not restrict the CA to some special EKU, so you can use it without any restriction, but if you do need the limitations you can just add additional parameters to MakeCert.exe. You can also use MakeCert.exe to create other certificates which will be signed with the CA certificate. So you can make a small PKI with MakeCert.exe only.

It seems to me that creating the certificate is really a separate part of your code. Your main problem is in the second part.

If you want to import a CA certificate you have to take into account some important things:

  • You should import it into Root or AuthRoot in LocalMachine on every (or many) computer of your organization, but you should import the certificate without the private key. You can do this with the following

CertMgr.exe -add -c CA.cer -s -r localMachine AuthRoot

  • You should import the CA certificate with the private key on only one computer and only for the user who will issue other certificates (who will sign new certificates with the private key of the CA). Usually one imports the certificate into the My certificate store of CurrentUser. So the code on that computer could look like


// import PFX
X509Certificate2 cert = new X509Certificate2 (@"c:\Oleg\rootcert.pfx", "password",
    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
// save certificate and private key
X509Store storeMy = new X509Store (StoreName.My, StoreLocation.CurrentUser);
storeMy.Open (OpenFlags.ReadWrite);
storeMy.Add (cert);
storeMy.Close ();
// get certificate without private key
// one can import certificate from rootcert.cer instead
byte[] certBlobWithoutPrivateKey = cert.Export (X509ContentType.Cert);
// save pure certificate in Root of the local machine
X509Certificate2 certWithoutPrivateKey = new X509Certificate2 (certBlobWithoutPrivateKey);
X509Store storeRoot = new X509Store (StoreName.Root, StoreLocation.LocalMachine);
storeRoot.Open (OpenFlags.ReadWrite);
storeRoot.Add (certWithoutPrivateKey);
storeRoot.Close ();

The code will work if you change StoreName.My and StoreLocation.CurrentUser to some other values, but I do not recommend that.

In general, importing certificates in .NET code seems to be a little strange and does not show what will be done under the hood. Windows knows only Key Containers, where private keys (to be exact, the key pair) are saved by the CSP, and Certificate Stores, where certificates are saved (see about the location of the store). To be able to save information about the key container in the certificate store, Microsoft introduced so-called Certificate Extended Properties. If you use in .NET properties of X509Certificate2 like Thumbprint, FriendlyName, HasPrivateKey, Archived and so on, you work with the Extended Properties of the certificate. So I recommend that you import the CA certificate twice: once in Root or AuthRoot without setting the CERT_KEY_PROV_INFO_PROP_ID Certificate Extended Property, and once more in the My store with the information about the location of the Key Container with the private key (CERT_KEY_PROV_INFO_PROP_ID). Moreover, you can consider removing the private key right after use, importing it only when you really need to use it and not holding it permanently. All this is very important for better security.

Last update on March 22, 1:55 am by daryl7671.
All good advice, but I really think you should have read my question a bit better. I'm not importing a pfx file; I'm generating and inserting a certificate in code. I do tell the private key to persist in the CSP; the problem is it doesn't look like it does. If you don't tell the private key to persist it ...
  • November 19, 2016
@the_ajp: Probably there is a misunderstanding of what you want to do. Moreover, you use words like "inserting certificate" or "inserting a certificate in code" which is not standard terminology. There are "generate a key pair and the corresponding certificate" and "import a certificate with or wit...
  • November 19, 2016
Moreover mostly you need to have Root Certificate without private key on many computers and have the certificate with private key on one computer where you will do signing with the certificate. Better I'll update my answer to describe how I understand your possible problems.
  • November 19, 2016
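Two of the points in the answer above, as an added example that is not code from the original post or from the answer: first, restricting the DACL of a machine key container through CspParameters.CryptoKeySecurity (the CryptoKeySecurity / AddAccessRule mechanism the answer names) so that only a chosen signing account and administrators can load the key; second, a defender's audit of LocalMachine\Root for certificates that still carry a private-key reference, which is the property (CERT_KEY_PROV_INFO_PROP_ID) the answer says should never be set on the Root copy. It targets the .NET Framework and assumes the container was created in the machine key store with a known KeyContainerName; CaKeyHardening, RestrictKeyContainer, ReadKeyContainerAcl and RootCertificatesWithKeys are names chosen here, and "DOMAIN\ca-signer" is a placeholder account.

```csharp
// Added example (not from the original post or the answer above): lock down the
// ACL of a machine key container, and audit LocalMachine\Root for certificates
// that still carry a private-key reference. .NET Framework only.
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class CaKeyHardening
{
    // Re-open an existing machine-store container with an explicit DACL.
    // containerName is the KeyContainerName the key was created with;
    // signerAccount (for example "DOMAIN\\ca-signer", a placeholder) is the only
    // non-administrative principal allowed to load the key.
    public static RSACryptoServiceProvider RestrictKeyContainer(string containerName, string signerAccount)
    {
        var acl = new CryptoKeySecurity();
        acl.SetAccessRuleProtection(true, false);   // stop inheriting from the Keys directory
        // The CSP needs read access on the key file to use the key for signing.
        acl.AddAccessRule(new CryptoKeyAccessRule(new NTAccount(signerAccount),
            CryptoKeyRights.GenericRead, AccessControlType.Allow));
        acl.AddAccessRule(new CryptoKeyAccessRule(new NTAccount("BUILTIN\\Administrators"),
            CryptoKeyRights.FullControl, AccessControlType.Allow));
        acl.AddAccessRule(new CryptoKeyAccessRule(new NTAccount("NT AUTHORITY\\SYSTEM"),
            CryptoKeyRights.FullControl, AccessControlType.Allow));

        var cspParams = new CspParameters
        {
            KeyContainerName = containerName,
            KeyNumber = (int)KeyNumber.Exchange,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey,
            CryptoKeySecurity = acl   // applied to the container when it is opened
        };
        return new RSACryptoServiceProvider(cspParams);
    }

    // Read back the effective DACL so the change can be verified and logged.
    public static List<string> ReadKeyContainerAcl(RSACryptoServiceProvider rsa)
    {
        var lines = new List<string>();
        var rules = rsa.CspKeyContainerInfo.CryptoKeySecurity
            .GetAccessRules(true, true, typeof(NTAccount));
        foreach (CryptoKeyAccessRule rule in rules)
            lines.Add(rule.IdentityReference.Value + ": " + rule.CryptoKeyRights
                + " (" + rule.AccessControlType + ")");
        return lines;
    }

    // A CA certificate in LocalMachine\Root must never carry a private-key
    // reference (the CERT_KEY_PROV_INFO_PROP_ID property the answer describes).
    // Returns the thumbprints of every certificate in Root that does.
    public static List<string> RootCertificatesWithKeys()
    {
        var offenders = new List<string>();
        var root = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        root.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 c in root.Certificates)
                if (c.HasPrivateKey) offenders.Add(c.Thumbprint);
        }
        finally
        {
            root.Close();
        }
        return offenders;
    }
}
```

RestrictKeyContainer must run as an account that already has WRITE_DAC on the container (an administrator), and the signing account only gets read, so a compromise of that account cannot re-grant access to others. RootCertificatesWithKeys is cheap enough to run from a scheduled job: any thumbprint it returns is a CA or other certificate whose private key is reachable from the machine-wide trust store and should be re-imported as a certificate-only copy.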

I have also encountered this problem and it seems that even the user you are running the FindPrivateKey tool as does not have access to the key, and therefore you get the "Unable to obtain private key file name" message. You could run the tool as the LocalSystem process.

More info here:


Last update on March 22, 1:56 am by hank3553.

new X509Certificate2(localPFXPath, inputPass, X509KeyStorageFlags.MachineKeySet & X509KeyStorageFlags.PersistKeySet);

with the & instead of the | worked for me.

Last update on March 22, 1:56 am by antonio5143.