"An internal error occurred." when loading pfx file with X509Certificate2
Use the local computer store for the private key:
X509Certificate2 cert = new X509Certificate2("myhost.pfx", "pass",
X509KeyStorageFlags.MachineKeySet);
MachineKeySet is described as "private keys are stored in the local computer store rather than the current user store". The default with no flags is to place it in the user store.
Even though you are reading the certificate from disk and storing it in an object, the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.
Another approach (as per some comments below) is to modify the IIS Configuration or App Pool identity -- which do work. However, this assumes that there is access to these configuration items which may not be the case (e.g. in a shared hosting environment).
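The following is an added example, not code from the answer above: it loads a PFX with MachineKeySet and then proves that the private key is reachable from the current process by signing and verifying a message, which is the operation that fails with "An internal error occurred." when the key container lives in a user profile the worker process cannot open. The file path and password are assumed to come from the command line.

```csharp
// Added example: load a PFX into the machine key container store and check that the
// private key is actually usable from this identity, not just present.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class PfxLoader
{
    // MachineKeySet puts the imported private key in the local computer CSP key
    // container store instead of the user profile's, which an IIS worker process
    // (or any service account without a loaded profile) often cannot open.
    public static X509Certificate2 LoadWithMachineKeySet(string pfxPath, string password)
    {
        return new X509Certificate2(pfxPath, password, X509KeyStorageFlags.MachineKeySet);
    }

    // Sign and verify a small message. HasPrivateKey only says a key is associated
    // with the certificate; this round trip is what throws when the key container
    // cannot be opened by the current identity.
    public static bool PrivateKeyIsUsable(X509Certificate2 cert)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            if (rsa == null) return false;          // no private key, or not an RSA key
            byte[] data = Encoding.UTF8.GetBytes("key container check");
            byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (RSA pub = cert.GetRSAPublicKey())
            {
                return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
        }
    }

    public static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: PfxLoader <file.pfx> <password>");
            return 2;
        }
        try
        {
            // Dispose the certificate when done; the key container is released with it.
            using (X509Certificate2 cert = LoadWithMachineKeySet(args[0], args[1]))
            {
                Console.WriteLine("Subject:       " + cert.Subject);
                Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
                Console.WriteLine("Key usable:    " + PrivateKeyIsUsable(cert));
            }
            return 0;
        }
        catch (CryptographicException ex)
        {
            Console.Error.WriteLine("Failed to load or use the key: " + ex.Message);
            return 1;
        }
    }
}
```

Run it once under your own account and once under the application pool identity (or the service account the site uses); a PFX that reports "Key usable: True" in the first case and throws in the second points at the key store permissions rather than at the file itself.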
Loading X509Certificate2 ends with "An internal error occurred" on Windows Server 2012
If your code is running in a web application under IIS:
- Go to IIS Manager
- Go to the application pool instance
- Click advanced settings
- Under Process model, set Load User Profile to true
Else, try specifying the UserKeySet (it's possible that the PFX contains the "use the machine store" marker internally):
var path = args[0];
var password = args[1];
var certificate2 = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
Else, install the certificate on the local machine and try to load from store via thumbprint:
install on local machine: https://blog.powerbiz.net.au/server-2012/importing-a-pfx-certificate-into-windows-server-2012/
get thumbprint: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-retrieve-the-thumbprint-of-a-certificate
load certificate from Certificate Store using the configured thumbprint
string certificateThumbprint = "<...thumbprint...>";
X509Certificate2 certificate = null;
using X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, false);
if (certificates.Count > 0)
    certificate = certificates[0];
If the above fails, then the .p12 file probably cannot be imported into Windows 2012 using the built-in Windows 2012 tools. To check that:
"For each of your PKCS #12 files, you could try the following: issue the command certutil -asn | findstr /i "pb aes des sha" (replacing "" with the name of the PKCS #12 file).
If the output starts like:
| | | | | ; 1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES
then it should be possible to import the PKCS #12 file into Windows 2016.
If the output starts like:
| | | | | ; 1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2
| | | | | | ; 1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2
| | | | | ; 2.16.840.1.101.3.4.1.42 aes256
or similar, then the PKCS #12 file probably cannot be imported into Windows 2016 using the built-in Windows 2016 tools. You will have to recreate the PKCS #12 file using TripleDES and SHA1." - see thread: https://learn.microsoft.com/en-us/answers/questions/518605/importing-a-pkcs12-to-windows-server-2016.html
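An added example, not part of the answer above, that turns two of its steps into code: a byte-pattern scan of the PFX for the password-based-encryption OIDs shown in the quoted certutil output (legacy pbeWithSHA1And3KeyTripleDES versus PBES2/PBKDF2/AES), and a LocalMachine\My lookup by thumbprint that first strips spaces and any non-hex characters from the pasted value. The PFX path and thumbprint are assumed command-line inputs; the OID byte encodings are the standard DER forms of the OIDs named in the certutil output.

```csharp
// Added example: (1) report which PBE algorithm OIDs a PFX uses, as a code
// equivalent of "certutil -asn | findstr", and (2) find a certificate in the
// machine store by thumbprint after normalising the pasted thumbprint string.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class PfxDiagnostics
{
    // DER encoding (tag 0x06, length, contents) of the algorithm OIDs that appear in
    // the certutil output quoted above, plus the 40-bit RC2 PBE used for legacy cert bags.
    private static readonly Dictionary<string, byte[]> PbeOids = new Dictionary<string, byte[]>
    {
        ["pbeWithSHA1And3KeyTripleDES (1.2.840.113549.1.12.1.3)"] =
            new byte[] { 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x03 },
        ["pbeWithSHA1And40BitRC2 (1.2.840.113549.1.12.1.6)"] =
            new byte[] { 0x06, 0x0A, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x0C, 0x01, 0x06 },
        ["PBES2 (1.2.840.113549.1.5.13)"] =
            new byte[] { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0D },
        ["PBKDF2 (1.2.840.113549.1.5.12)"] =
            new byte[] { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x05, 0x0C },
        ["aes256-CBC (2.16.840.1.101.3.4.1.42)"] =
            new byte[] { 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2A },
    };

    // Heuristic scan of the raw PFX bytes rather than a full ASN.1 parse; in a PFX
    // these OIDs only occur in the AlgorithmIdentifiers of encrypted safe contents
    // and shrouded key bags, so a hit is a reliable indicator of the PBE scheme.
    public static List<string> FindPbeAlgorithms(byte[] pfx)
    {
        var found = new List<string>();
        foreach (var kv in PbeOids)
            if (IndexOf(pfx, kv.Value) >= 0) found.Add(kv.Key);
        return found;
    }

    private static int IndexOf(byte[] haystack, byte[] needle)
    {
        for (int i = 0; i + needle.Length <= haystack.Length; i++)
        {
            int j = 0;
            while (j < needle.Length && haystack[i + j] == needle[j]) j++;
            if (j == needle.Length) return i;
        }
        return -1;
    }

    // Keep only hex digits: drops the spaces the certificate UI shows between bytes and
    // any invisible characters that can come along when the value is copied from it.
    public static string NormaliseThumbprint(string raw)
    {
        var sb = new StringBuilder();
        foreach (char c in raw)
            if (Uri.IsHexDigit(c)) sb.Append(char.ToUpperInvariant(c));
        return sb.ToString();
    }

    public static X509Certificate2 FindInMachineStore(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, NormaliseThumbprint(thumbprint), validOnly: false);
            return matches.Count > 0 ? matches[0] : null;
        }
    }

    public static void Main(string[] args)
    {
        if (args.Length > 0 && File.Exists(args[0]))
        {
            Console.WriteLine("PBE algorithms found in " + args[0] + ":");
            foreach (string name in FindPbeAlgorithms(File.ReadAllBytes(args[0])))
                Console.WriteLine("  " + name);
        }
        if (args.Length > 1)
        {
            X509Certificate2 cert = FindInMachineStore(args[1]);
            Console.WriteLine(cert == null
                ? "No certificate with that thumbprint in LocalMachine\\My"
                : "Found: " + cert.Subject + ", HasPrivateKey=" + cert.HasPrivateKey);
        }
    }
}
```

If the scan reports PBES2/PBKDF2/AES and nothing else, the file is in the form the quoted thread says the built-in tools may refuse; if the store lookup returns null for a certificate you can see in the MMC, compare the normalised value against what the UI shows, since a stray non-hex character in the pasted thumbprint is the usual cause.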
ASP.NET MVC: “An internal error occurred.” when loading certificate bytes with X509Certificate2
I found the solution here. Looks like a known issue. I used the X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable flags together and the problem disappeared. Another solution is to change the identity of the application pool to LOCALSERVICE.
Problems loading a pfx file programmatically
You seem to be exporting your PFX as base64. Unlike certificates, keys, PKCS#7 blobs, and PKCS#8 blobs, PKCS#12/PFX blobs have no defined PEM header. As a consequence, the PFX reading pipeline probably doesn't have a Base64-decode attached to it.
So the simple answer is likely to emit it with the binary encoding (and thus File.WriteAllBytes()) instead of base64.
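An added example, not code from the answer above: the writer side exports the PFX as raw DER bytes with File.WriteAllBytes, and a defensive reader checks whether a file is already binary (a DER PFX starts with the ASN.1 SEQUENCE tag 0x30) or is base64 text that must be decoded before the X509Certificate2 constructor sees it. Paths, password and the key storage flags are assumptions for the example.

```csharp
// Added example: write a PFX as binary, and read one back whether it was saved as
// binary or as base64 text (the form the constructor cannot decode on its own).
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class PfxFiles
{
    // Correct writer: Export returns the DER-encoded PFX; write those bytes unchanged.
    public static void ExportBinary(X509Certificate2 cert, string path, string password)
    {
        byte[] pfx = cert.Export(X509ContentType.Pfx, password);
        File.WriteAllBytes(path, pfx);
    }

    // Defensive reader. A DER PFX always begins with 0x30 (SEQUENCE). Anything else is
    // treated as base64 text, possibly with a BOM and line breaks, and decoded first.
    public static byte[] ReadPfxBytes(string path)
    {
        byte[] raw = File.ReadAllBytes(path);
        if (raw.Length > 0 && raw[0] == 0x30) return raw;
        string text = Encoding.UTF8.GetString(raw).TrimStart('\uFEFF').Trim();
        // FromBase64String ignores embedded whitespace; it throws FormatException when
        // the file is neither DER nor base64, which is the right failure to surface.
        return Convert.FromBase64String(text);
    }

    public static X509Certificate2 Load(string path, string password)
    {
        // Flags chosen to keep the key out of the user profile store, as in the other
        // answers on this page; adjust to what the hosting environment requires.
        return new X509Certificate2(ReadPfxBytes(path), password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
    }
}
```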
X509Certificate Constructor Exception
Turns out there's a setting in the IIS Application Pool configuration (Application Pools > Advanced Settings) to load the user profile for the application pool identity user. When set to false, the key containers aren't accessible.
So just set the Load User Profile option to True.
User is logged out when loading X509Certificate2
I found the problem: I should have added the MachineKeySet parameter.
_signerCert = new X509.X509Certificate2(signerPfxCertPath, signerPfxCertPassword, X509KeyStorageFlags.MachineKeySet);
Please see this post for details: "An internal error occurred." when loading pfx file with X509Certificate2