X509Certificate Constructor Exception

Turns out there's a setting in the IIS Application Pool configuration (Application Pools > Advanced Settings) to load the user profile for the application pool identity user. When it is set to False, the key containers aren't accessible.

So just set the Load User Profile option to True.

[Screenshot: App Pool > Advanced Settings]

PowerShell - Read Certificate Issuer using public key

If your $KeyCred.key stores a base64-encoded string that represents the certificate (not just the public key), then you can use the appropriate constructor, like this:

$cert = [Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($KeyCred.key))

X509Certificate2 Constructor Throwing There is not enough space on the disk

Here's what I know after many hours of research/debugging:

  • We had a logic error where we were creating a new X509Certificate2 object every time we loaded it instead of caching it
  • We got into a position of having to create these certificates way more often than we needed to

Once we solved those two problems, and followed Tip #5 from here when creating certs, we are not seeing these errors anymore. For reference, the tip is to not create these cert objects from byte arrays as temp files get created behind the scenes for you and they potentially could not get cleaned up. Instead, we are doing something like the author suggests:

using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

X509Certificate2 LoadFromBytes(byte[] bytes) // byte array representing cert body
{
    // Write the bytes to a uniquely named temp file, load from the path,
    // and always delete the file, even if the constructor throws.
    var file = Path.Combine(Path.GetTempPath(), "Cert" + Guid.NewGuid());
    try
    {
        File.WriteAllBytes(file, bytes);
        return new X509Certificate2(file /* ...options... */);
    }
    finally
    {
        File.Delete(file);
    }
}

X509Certificate2 Error - System cannot find the file specified

Providing an absolute path, rather than a relative path, did help. The intention of providing a relative path was to include the certificate as part of the artifacts, so that when the application gets deployed to the server, the certificate would get written to the output path and be read from that location.
However, while trying to test the working code, I currently find that only the absolute path is working, although the certificate property is set to Copy Always. The working code now looks like this:

filePath = @"C:\Users\<user name>\Documents\TestCompany-qa.partner.client.siriusxm.com.pfx";

X509Certificate2 certificate = new X509Certificate2(filePath, "****key****");

So, as the workaround solution, I now need to know the path on the server where the application is deployed and the certificate location in order to proceed.

'Cannot find the requested object' exception while creating X509Certificate2 from string

If file.PKCS7 represents a PKCS#7 SignedData blob (what gets produced from X509Certificate2.Export(X509ContentType.Pkcs7) or X509Certificate2Collection.Export(X509ContentType.Pkcs7)) then there are two different ways of opening it:

  • new X509Certificate2(byte[])/new X509Certificate2(string)
    • The single certificate constructor will extract the signing certificate of the SignedData blob. If this was just being exported as a collection of certs, but not signing anything, there is no such certificate, and so it fails with Cannot find the original signer. (Win 2012r2, other versions could map it to a different string)
  • X509Certificate2Collection::Import(byte[])/X509Certificate2Collection::Import(string)
    • The collection import will consume all of the "extra" certificates, ignoring the signing certificate.

So if it's really PKCS#7 you likely want the collection Import (instance) method. If it isn't, you have some odd variable/field/property names.
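The two loading paths described above, as an added example that is not part of the original answer. It builds two throwaway self-signed certificates with CertificateRequest (assumes .NET Core 3.0 / .NET 5 or later), exports them as a certificates-only PKCS#7 blob, and shows that the collection Import recovers both while the single-certificate constructor has no signer to find:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class Pkcs7Demo
{
    // Constructed throwaway self-signed certificate so the example runs offline.
    static X509Certificate2 MakeSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
            DateTimeOffset.UtcNow.AddDays(30));
    }

    static void Main()
    {
        using var a = MakeSelfSigned("CN=constructed-a");
        using var b = MakeSelfSigned("CN=constructed-b");
        var bundle = new X509Certificate2Collection { a, b };

        // Degenerate SignedData: a bag of certificates with nothing signed,
        // which is what X509Certificate2Collection.Export(Pkcs7) produces.
        byte[] pkcs7 = bundle.Export(X509ContentType.Pkcs7)!;

        // Correct for a bundle: the instance Import consumes every certificate.
        var imported = new X509Certificate2Collection();
        imported.Import(pkcs7);
        Console.WriteLine($"Collection.Import: {imported.Count} certificate(s)");
        foreach (var c in imported)
            Console.WriteLine("  " + c.Subject);

        // The single-certificate constructor wants the signer, which this blob
        // lacks. On Windows that is the "Cannot find the original signer" error;
        // other platforms may word it differently or pick a certificate instead.
        try
        {
            using var single = new X509Certificate2(pkcs7);
            Console.WriteLine("Single constructor returned: " + single.Subject);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Single constructor failed: " + ex.Message);
        }
    }
}
```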

X509Certificate2 constructor throwing Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: There is not enough space on the disk

Unless a PFX is loaded with X509KeyStorageFlags.EphemeralKeySet, the private key material is written to disk. The particular place depends on the information in the PFX, but the directories used in 99.99% of all PFX loads are documented at https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval#key-directories-and-files.

(In the 0.01% case, the PFX contents say to load the key into some other storage provider which uses some other location.)

Or, unless you're doing one of the few things that require named keys, specify EphemeralKeySet when loading the PFX.
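How EphemeralKeySet keeps the PFX private key off disk, as an added example that is not part of the original answer. It constructs a throwaway PFX in memory (assumes .NET Core 3.0 / .NET 5 or later; the constant `password` and subject are made up), loads it with the flag, and proves the key is still usable by signing and verifying:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class EphemeralPfxDemo
{
    // Load PFX bytes without persisting the private key to the CNG/CAPI key directories.
    // Caveats: EphemeralKeySet is not supported on macOS, and an ephemeral key cannot be
    // added to an X509Store or used by anything that needs a named key; fall back to the
    // default flags in those cases. (On .NET 9+ the same flag is passed to
    // X509CertificateLoader.LoadPkcs12, which supersedes this constructor.)
    public static X509Certificate2 LoadEphemeral(byte[] pfx, string password) =>
        new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);

    static void Main()
    {
        // Constructed throwaway PFX so the example runs offline; a real one would come
        // from File.ReadAllBytes or a secrets store.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=constructed-demo", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var issued = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
            DateTimeOffset.UtcNow.AddDays(30));
        const string password = "constructed-password";
        byte[] pfx = issued.Export(X509ContentType.Pfx, password);

        using var cert = LoadEphemeral(pfx, password);
        Console.WriteLine($"HasPrivateKey: {cert.HasPrivateKey}");

        // The key is fully usable; it just never touched the key directories, so there
        // is nothing left behind for the disk-space or permission errors to trip over.
        byte[] data = { 1, 2, 3 };
        using var priv = cert.GetRSAPrivateKey()!;
        byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var pub = cert.GetRSAPublicKey()!;
        bool ok = pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"Signature verifies: {ok}");
    }
}
```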

Why do I get an Access Denied error when creating an X509Certificate2 object?

This is my best guess about what's going on.

The X509Certificate2 constructor creates temporary public/private key objects in the Machine Keys directory (I believe via the Windows local security authority). Because our unprivileged user doesn't have access to these keys or the Machine Keys directory, the tests fail.

Our solution was to update our environment setup scripts to install these test certificates ahead of time, grant the unprivileged user permissions to them, and re-write the tests to load the certificates from the appropriate certificate store.
