CryptographicException: Invalid provider type specified only in WebAPI project
The most likely reason for this exception is that the certificate's private key is stored in a modern CNG Key Storage Provider rather than a legacy CAPI Cryptographic Service Provider. At the time of this response Azure Key Vault has known compatibility issues with CNG, so you should try to generate a new certificate and select a legacy CAPI CSP to store the key material.
Invalid provider type specified one more time
The New-SelfSignedCertificate cmdlet uses a key storage provider by default. Most of the .NET Framework (X509Certificate2 specifically) does not support CNG keys. As a result, when you create an X509Certificate2 instance from a certificate whose private key is stored in CNG, the get accessor on the PrivateKey property throws an exception:
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
I believe you don't own the code that calls the getter on PrivateKey, therefore you need to re-create your certificate by explicitly providing the legacy provider name in the -Provider parameter of the New-SelfSignedCertificate cmdlet call. For example, you can use Microsoft Enhanced RSA and AES Cryptographic Provider as the parameter value.
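An added example (not from any of the answers above) that creates the certificate with the legacy CAPI CSP the answer recommends and then probes the key the same way the failing library does, so a CNG key is caught before it is handed to Key Vault. It assumes Windows PowerShell 5.1 (which runs on the .NET Framework), a user-writable Cert:\CurrentUser\My store, and the placeholder subject CN=MyCert.

```powershell
# Added example; MyCert is a placeholder subject. Requires Windows PowerShell 5.1 (.NET Framework).
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject 'CN=MyCert' -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10) `
    -KeySpec Signature `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider'

# The legacy PrivateKey getter is what the failing library calls. On the .NET Framework it
# succeeds only for CAPI (CSP) keys and throws CryptographicException
# 'Invalid provider type specified' for CNG keys, so it doubles as a compatibility probe.
function Test-LegacyCspKey {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    try {
        $null = $Certificate.PrivateKey
        return $true
    }
    catch {
        # PowerShell wraps a throwing getter in GetValueInvocationException; the original
        # CryptographicException sits in the InnerException chain. Anything else is rethrown.
        $inner = $_.Exception
        while ($inner -and $inner -isnot [System.Security.Cryptography.CryptographicException]) {
            $inner = $inner.InnerException
        }
        if ($inner) { return $false }
        throw
    }
}

if (Test-LegacyCspKey -Certificate $cert) {
    "OK: key for $($cert.Thumbprint) is held by a CAPI CSP; usable from X509Certificate2.PrivateKey."
}
else {
    "Key for $($cert.Thumbprint) is in a CNG KSP; re-create it with -Provider set to a legacy CSP."
}

# Cross-check independent of the .NET version: certutil prints a 'Provider =' line naming the KSP/CSP.
certutil -user -store My $cert.Thumbprint | Select-String 'Provider ='
```

Running the probe against an existing certificate (for example one fetched with Get-ChildItem Cert:\CurrentUser\My) tells you whether that certificate, not just a freshly generated one, needs to be re-created.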
Azure cannot access certificate PrivateKey Invalid provider type specified
The provider that worked for the previous certificate no longer works for the new certificate. I have a hunch something is wrong with the encryption because the Bag Attributes contained no LocalKeyID information, but I cannot say for sure.
Anyway, changing the provider to "Microsoft Platform Crypto Provider" made the private key accessible in Azure. Using OpenSSL:
First, export the private key (.key) and the public part (.pem) from the .pfx file:
openssl pkcs12 -in cert.pfx -out cert_publicpart.pem -nokeys
openssl pkcs12 -in cert.pfx -out cert_privatekey.key -nocerts
If it's encrypted it will ask for your password after each command.
Then, convert it back to a .pfx, specifying the provider:
openssl pkcs12 -export -in cert_publicpart.pem -inkey cert_privatekey.key -out cert_newCSP.pfx -CSP "Microsoft Platform Crypto Provider"
Again, specify a password and the new .pfx should be good to go!
Optionally, if you want to verify the CSP:
openssl pkcs12 -in "cert_newCSP.pfx" -out "cert_newCSP.pem"
Open the .pem file, find -----BEGIN ENCRYPTED PRIVATE KEY----- and look for "Microsoft CSP Name: Microsoft Platform Crypto Provider" right above it.
Invalid provider type specified. CryptographicException
Microsoft support helped me out with this line:
$myCertThumbprint = (New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject MyCert -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10) `
    -Type CodeSigningCert -KeySpec Signature).Thumbprint
The AuthClientId and AuthCertThumbprint values I need for the HelloKeyVault app.config are created.
The AuthClientId displays in the portal as the Application ID and is visible in the registered app's settings.
To get to it, click Azure Active Directory -> App registrations.
Then click View all applications.
Click on the application, then Settings.
To see the Thumbprint, do the same and then click Keys.
I can see AuthClientId