albertjan albertjan - 1 year ago 76
C# Question

Inserting Certificate (with privatekey) in Root, LocalMachine certificate store fails in .NET 4

I'm having problems inserting a new CA certificate with privatekey in the Root certificate store of the localmachine.

This is what happens:

//This doesn't help either.
new StorePermission (PermissionState.Unrestricted) { Flags = StorePermissionFlags.AddToStore }.Assert();
var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
privkey.PersistKeyInCsp = true;
//This shouldn't be necessary doesn't make a difference what so ever.
RSACryptoServiceProvider.UseMachineKeyStore = true;
cert.PrivateKey = privkey;
store.Open (OpenFlags.MaxAllowed);
store.Add (cert);
store.Close ();

The certificate gets inserted and it all looks dandy: (see!) note it says it has a private key

Note: is says it has a privatekey.

So you'd say one would be able to find it with FindPrivateKey

C:\Users\Administrator\Desktop>FindPrivateKey.exe Root LocalMachine -t "54 11 b1 f4 31 99 19 d3 5a f0 5f 01 95 fc aa 6f 71 12 13 eb"
FindPrivateKey failed for the following reason:
Unable to obtain private key file name

Use /? option for help

It's cute .... BUT IT'S WRONG!! (2 stupid dogs reference)

And the Certificate export dialog gives me this very fine message:
alt text

This code is run while impersonating an administrator using this snippet: click here

I've added the code for generating and inserting a root cert into the store here.

You'll also need this dll: here (It's BouncyCastle)

It also generates a .pfx file that if imported does work.

I'd just love to know WHY?

(tested on Windows Server 2008 R2 & Windows 7)

I'll be damned!

It works when I compile it to v3.5!!!!

What to do?

Answer Source

I had exactly the same problem and the solution turned out to be really simple. All I had to do is to pass

X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet

to X509Certificate2's ctor. Now you are using the DotNetUtilities to convert the bouncycastle certificate to the .net one, but the helper method creates the .net cert with the DefaultKeySet (instead of MachineKeySet + PersistKeySet ).

And arrange the private key like this:

var cspParams = new CspParameters
      KeyContainerName = Guid.NewGuid().ToString(),
      KeyNumber = (int)KeyNumber.Exchange,
      Flags = CspProviderFlags.UseMachineKeyStore

var rsaProvider = new RSACryptoServiceProvider(cspParams);

I hope this helps.