Strange problem with X509Certificate2 on Windows 2003

I am loading a private .pfx key using the X509Certificate2 class with the following line:

    X509Certificate2 x509 = new X509Certificate2(PrivateKeyFile, PrivateKeyPassword);

where PrivateKeyFile and PrivateKeyPassword are strings. This works perfectly on my computer with Windows XP Home and Visual Web Developer Express. But when I upload this code to the production Windows Server 2003 Standard Edition, the code throws the exception

    System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

I am sure the file path PrivateKeyFile is correct, though I also tried an alternative where I load the private key into a byte array and then call the X509Certificate2 constructor directly on this array:

    byte[] klic = File.ReadAllBytes(PrivateKeyFile);
    X509Certificate2 x509 = new X509Certificate2(klic, PrivateKeyPassword);

The key file is read correctly, but the certificate constructor throws the same exception:

    System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
    System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) +33
    System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
    System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags) +194
    System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password) +134
    Muzo.Sign(String text) in d:\weby\kvetiny-kytice.cz\3dplatba\App_Code\Muzo.cs:71
    Muzo.CreateOrder(Page page, String orderNumber, String amount, String depositFlag, String merOrderNum, String url, String description, String md) in d:\weby\kvetiny-kytice.cz\3dplatba\App_Code\Muzo.cs:42
    user_redirect_muzo.Page_Load(Object sender, EventArgs e) in d:\weby\kvetiny-kytice.cz\3dplatba\user-redirect-muzo.aspx.cs:16
    System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +15
    System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +34
    System.Web.UI.Control.OnLoad(EventArgs e) +99
    System.Web.UI.Control.LoadRecursive() +47
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061

It is strange because there is no file to open in this case. The version of .NET is 2.0.50727 on both computers. Any suggestions?

Mirek.


We made some new experiments regarding this problem, and found out some new and very strange facts.

When the website runs under some user account and this user is logged in through Terminal Services, the X509Certificate2 works well. But when this user logs out, it stops working, even if the web server still runs under this user.

A temporary solution is possible by running an arbitrary program (calc.exe) as the same user the web server runs under. This program is started by the scheduler at system startup.

It seems to me like a bug in Windows 2003. Or am I wrong?

Mirek.


Yes, it sounds like an ACL issue. Don't have WinServer 2003 so can't check.
- Mitch

<m***@utia.cas.cz> wrote in message news:1143817612.862493.161990@i40g2000cwc.googlegroups.com...
> We made some new experiments regarding this problem, and found out some
> new and very strange facts.
>
> When the website runs under some user account and this user is logged
> in through terminal service, the X509Certificate2 works well.
> But when this user logs out, it stops working even if the website
> webserver still runs under this user.
> A temporary solution is possible by running an arbitrary program
> (calc.exe) by the same user as the website webserver runs under. This
> program is started by the scheduler at the system startup.
>
> It seems to me like a bug in Windows 2003. Or am I wrong?
>
> Mirek.


If this is a bug, is there some email address at Microsoft to report it?

Mirek.


Sounds like you are using the user store for certs??

Show me how you construct the X509Store.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> We made some new experiments regarding this problem, and found out
> some new and very strange facts.
>
> When the website runs under some user account and this user is logged
> in through terminal service, the X509Certificate2 works well.
> But when this user logs out, it stops working even if the website
> webserver still runs under this user.
> A temporary solution is possible by running an arbitrary program
> (calc.exe) by the same user as the website webserver runs under. This
> program is started by the scheduler at the system startup.
> It seems to me like a bug in Windows 2003. Or am I wrong?
>
> Mirek.


I don't use the user store for keys. I just load the key from a file by

    byte[] klic = File.ReadAllBytes(PrivateKeyFile);
    X509Certificate2 x509 = new X509Certificate2(klic, PrivateKeyPassword);

and this fails on Windows 2003. BTW, could you please give me some links to some good information about using the key store?

Mirek.


Check out the version of the constructor which takes the X509KeyStorageFlags enum value. When we ran into this problem on Windows 2003 Server we had success using this constructor and passing in X509KeyStorageFlags.MachineKeySet for the flag value.

As another side note, we also found strange behavior with loading certificates from .pfx files that have no password. In our case we found that passing in "" (an empty string) instead of not specifying a password is more reliable on Windows 2003 Server and Windows XP; however, both seem to work fine on Vista. Currently this same issue has reared its ugly head on two machines, and at this point it is sort of mysterious why it is occurring only for these two machines. It's too bad that working with stand-alone certificates that are not in any store seems to be so iffy.

From http://www.developmentnow.com/g/46_2006_3_0_0_727204/Strange-problem-with-X509Certificate2-on-Windows-2003.htm
Posted via DevelopmentNow.com Groups http://www.developmentnow.com/g/
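The following is an added example, not code from the thread or from the Muzo project, showing the fix the last reply describes (the constructor overload that takes X509KeyStorageFlags) together with a check that reports where the imported private key actually landed. The mechanism behind the symptom is that importing a PFX through the X509Certificate2 constructor writes the private key into a CSP key container; with the default flags that container lives under the calling user's profile, which on Windows 2003 is only loaded while that user has an interactive (Terminal Services) session or some process of theirs is running, so the import fails with "the system cannot find the file specified" once the user logs off. MachineKeySet puts the container in the machine-wide key store instead. It targets .NET 2.0 or later on Windows; the PFX path and password are placeholders, and the class and method names are the example's own.

```csharp
// Added example, not from the thread. Targets .NET 2.0+ on Windows.
// The PFX path and password in Main are placeholders, not real values.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PfxLoader
{
    // Import the PFX so the private key is written to the machine key store
    // rather than to a key container in the calling user's profile. The
    // profile-backed container only exists while that user's profile is
    // loaded (an interactive or Terminal Services logon, or any running
    // process of that user), which matches the symptom in the thread.
    public static X509Certificate2 LoadForService(byte[] pfx, string password)
    {
        // Pass "" rather than null for a password-less PFX, as the thread notes.
        if (password == null)
        {
            password = string.Empty;
        }

        X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet;
        return new X509Certificate2(pfx, password, flags);
    }

    // Report where the imported private key actually lives, so the fix can
    // be verified on the server instead of assumed.
    public static string DescribeKeyStorage(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
        {
            return "certificate has no private key";
        }

        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
        {
            return "private key is not an RSA CSP key";
        }

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        return string.Format(
            "machine store: {0}; provider: {1}; container: {2}",
            info.MachineKeyStore, info.ProviderName, info.UniqueKeyContainerName);
    }

    public static void Main(string[] args)
    {
        string pfxPath = args.Length > 0 ? args[0] : @"C:\keys\merchant.pfx"; // placeholder
        string password = args.Length > 1 ? args[1] : "";                     // placeholder

        try
        {
            byte[] raw = File.ReadAllBytes(pfxPath);
            X509Certificate2 cert = LoadForService(raw, password);
            Console.WriteLine("Loaded: {0}", cert.Subject);
            Console.WriteLine(DescribeKeyStorage(cert));
        }
        catch (CryptographicException ex)
        {
            // "The system cannot find the file specified" raised by the
            // constructor refers to the key container or its directory, not
            // to the PFX itself (File.ReadAllBytes already succeeded above).
            Console.Error.WriteLine("Certificate import failed: {0}", ex.Message);
        }
    }
}
```

Run it once as the account the web site runs under, with that user logged off, and confirm the output says "machine store: True". If the import still fails, check the ACL on the machine key directory (on Windows 2003, %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys; on Vista and later, %ProgramData%\Microsoft\Crypto\RSA\MachineKeys): the service account needs permission to create key files there, and nothing else should be granted access to that key, which is what Mitch's "ACL issue" guess points at.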