"An Internal Error Occurred." When Loading Pfx File with X509Certificate2

An internal error occurred. when loading pfx file with X509Certificate2

Use the local computer store for the private key:

X509Certificate2 cert = new X509Certificate2("myhost.pfx", "pass",
X509KeyStorageFlags.MachineKeySet);

MachineKeySet is described as "private keys are stored in the local computer store rather than the current user store". The default with no flags is to place in the user store.

Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.

Another approach (as per some comments below) is to modify the IIS Configuration or App Pool identity -- which do work. However, this assumes that there is access to these configuration items which may not be the case (e.g. in a shared hosting environment).

Loading X509Certificate2 ends with An internal error occurred on Windows server 2012

If your code is running in a web application under IIS:

  1. Go to IIS Manager
  2. Go to the application pool instance
  3. Click advanced settings
  4. Under Process model, set Load User Profile to true

Else, try specifying the UserKeySet (it's possible that the PFX contains the "use the machine store" marker internally):

    using System.Security.Cryptography.X509Certificates;

    var path = args[0];
    var password = args[1];
    var certificate2 = new X509Certificate2(path, password,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);

Else, install the certificate on the local machine and try to load from store via thumbprint:

  • install on local machine: https://blog.powerbiz.net.au/server-2012/importing-a-pfx-certificate-into-windows-server-2012/

  • get thumbprint: https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-retrieve-the-thumbprint-of-a-certificate

  • load certificate from Certificate Store using the configured thumbprint

    using System.Security.Cryptography.X509Certificates;

    string certificateThumbprint = "<...thumbprint...>";
    X509Certificate2 certificate = null;
    using X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    // validOnly = false so that an expired or not-yet-trusted certificate is still returned
    X509Certificate2Collection certificates = store.Certificates.Find(
        X509FindType.FindByThumbprint, certificateThumbprint, false);
    if (certificates.Count > 0)
        certificate = certificates[0];

If the above fails, then the .p12 file probably cannot be imported into Windows 2012 using the built-in Windows 2012 tools. To check that:
"For each of your PKCS #12 files, you could try the following: issue the command certutil -asn | findstr /i "pb aes des sha" (replacing "" with the name of the PKCS #12 file).

If the output starts like:

| | | | | ; 1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES

then it should be possible to import the PKCS #12 file into Windows 2016.

If the output starts like:

| | | | | ; 1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2
| | | | | | ; 1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2
| | | | | ; 2.16.840.1.101.3.4.1.42 aes256

or similar, then the PKCS #12 file probably cannot be imported into Windows 2016 using the built-in Windows 2016 tools. You will have to recreate the PKCS #12 file using TripleDES and SHA1." - see thread: https://learn.microsoft.com/en-us/answers/questions/518605/importing-a-pkcs12-to-windows-server-2016.html
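As an added example (not code from any of the answers above), the two approaches in this answer, loading the PFX with explicit key-storage flags and falling back to a thumbprint lookup in LocalMachine\My, combined into one loader. It uses EphemeralKeySet so the private key never touches a CSP/CNG key container and the "Load User Profile" setting no longer matters; it assumes .NET Framework 4.7.2+ or .NET Core 2.0+, and it also rejects a base64 dump up front (the mistake covered in the "Problems loading a pfx file programmatically" answer further down).

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertLoader
{
    // Load a PFX without creating a persisted key container.
    // EphemeralKeySet (assumed available: .NET Framework 4.7.2+ / .NET Core 2.0+)
    // keeps the key in memory only, so the app-pool identity needs no profile.
    // Caveat: SChannel cannot use ephemeral keys, so for TLS server certs
    // prefer the store lookup below.
    public static X509Certificate2 LoadFromPfx(string path, string password)
    {
        byte[] raw = File.ReadAllBytes(path);
        // A PKCS#12 blob is DER: first byte 0x30 (SEQUENCE). A base64/PEM dump
        // starts with 'M' (0x4D) or '-' and fails with an unhelpful error.
        if (raw.Length == 0 || raw[0] != 0x30)
            throw new CryptographicException(
                $"{path} is not a DER-encoded PKCS#12 file (base64 export?)");
        try
        {
            var cert = new X509Certificate2(raw, password, X509KeyStorageFlags.EphemeralKeySet);
            if (!cert.HasPrivateKey)
                throw new CryptographicException("PFX loaded but carries no private key");
            return cert;
        }
        catch (CryptographicException ex)
        {
            // "An internal error occurred." lands here when the key container
            // cannot be created or the PFX uses a PBE Windows cannot decode.
            throw new CryptographicException($"Could not load {path}: {ex.Message}", ex);
        }
    }

    // Fallback for a certificate already imported into LocalMachine\My.
    // Thumbprints pasted from the MMC often carry spaces or hidden characters,
    // so keep only hex digits before searching.
    public static X509Certificate2 LoadFromStore(string thumbprint)
    {
        string clean = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false so expired/untrusted test certificates are still found
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, clean, validOnly: false);
            if (hits.Count == 0)
                throw new CryptographicException($"No certificate {clean} in LocalMachine\\My");
            return hits[0];
        }
    }
}
```

Call LoadFromPfx first and, if it throws, LoadFromStore with the configured thumbprint; the exception message then tells you whether the file encoding, the key container, or the store lookup is the problem.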

ASP.NET MVC: “An internal error occurred.” when loading certificate bytes with X509Certificate2

I found the solution here. Looks like a known issue. I used the X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable flags together and the problem disappeared. Another solution is to change the identity of the application pool to LOCALSERVICE.

Problems loading a pfx file programmatically

You seem to be exporting your PFX as base64. Unlike certificates, keys, PKCS#7 blobs, and PKCS#8 blobs, PKCS#12/PFX blobs have no defined PEM header. As a consequence, the PFX reading pipeline probably doesn't have a Base64-decode attached to it.

So the simple answer is likely to emit it with the binary encoding (and thus File.WriteAllBytes()) instead of base64.

X509Certificate Constructor Exception

Turns out there's a setting in the IIS Application Pool configuration (Application Pools > Advanced Settings) to load the user profile for the application pool identity user. When set to false, the key containers aren't accessible.

So just set the Load User Profile option to True.

App Pool-> Advanced Settings Screen

User is logged out when loading X509Certificate2

I found the problem: I should have added the MachineKeySet parameter.

    // "X509" is assumed to be a namespace alias: using X509 = System.Security.Cryptography.X509Certificates;
    _signerCert = new X509.X509Certificate2(signerPfxCertPath, signerPfxCertPassword,
        X509KeyStorageFlags.MachineKeySet);

Please see this post for details: "An internal error occurred." when loading pfx file with X509Certificate2
