Can't load certificate from string

Hi,
I’m trying to load a certificate stored in the database. The form of the certificate is the usual PEM format with the BEGIN CERTIFICATE and END CERTIFICATE and the line breaks.

Something like this (the sample idp.cer)

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

When I retrieve it and load it in the configuration, the ReceiveSsoAsync fails with “The X.509 certificate could not be loaded from the string”. The inner exception is “The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.” so it looks like it’s using the Base64 converter.

So what’s the right way to retrieve the certificate from the string and load it in the configuration? Should it not be in the string format like it is in the file? The clients will be copying and pasting the certificate in our application (we’re the service provider) and we want them to be able to see it again when they want in the same format.

Hope you can help,

Thanks!

We expect the string to be the base-64 encoded certificate bytes only without the -----BEGIN/END CERTIFICATE-----.

For the time being, I suggest stripping the -----BEGIN/END CERTIFICATE----- prior to supplying the string to our API.

We may look at adding support for stripping these in a future release.

[quote]
ComponentSpace - 3/10/2020
We expect the string to be the base-64 encoded certificate bytes only without the -----BEGIN/END CERTIFICATE-----.

For the time being, I suggest stripping the -----BEGIN/END CERTIFICATE----- prior to supplying the string to our API.

We may look at adding support for stripping these in a future release.
[/quote]

Thanks for the quick response.

Rather than doing my own parsing and logic to remove the beginning and ending tags if they add them to their cert, I'm doing this:
Convert.ToBase64String(new X509Certificate2(Encoding.ASCII.GetBytes(certificateString)).RawData)

The X509Certificate2 does that removal for me!
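
Added example, not part of the original posts or of ComponentSpace's API: one way to turn customer-pasted certificate text into the bare base-64 string described above, using the X509Certificate2 approach from this thread, and to re-wrap it as PEM for display. The class and method names are hypothetical, and the private-key rejection and the bare base-64 fallback are assumptions that go beyond what the thread discusses.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper; not part of the ComponentSpace API.
public static class PastedCertificate
{
    // Returns the base-64 DER string (no BEGIN/END lines) for storage and for the SAML configuration.
    public static string ToBareBase64(string pasted)
    {
        if (string.IsNullOrWhiteSpace(pasted))
            throw new ArgumentException("No certificate text supplied.", nameof(pasted));
        // A service provider only needs the IdP's public certificate; refuse pasted key blocks.
        if (pasted.Contains("PRIVATE KEY"))
            throw new ArgumentException("Input contains a private key block.", nameof(pasted));
        try
        {
            // PEM text goes to X509Certificate2 as-is; text without armor is decoded here first
            // (Convert.FromBase64String ignores line breaks and other white space).
            byte[] input = pasted.Contains("-----BEGIN")
                ? Encoding.ASCII.GetBytes(pasted.Trim())
                : Convert.FromBase64String(pasted);
            using (var cert = new X509Certificate2(input))
            {
                // The same constructor also loads PKCS#12 data, so check what was actually parsed.
                if (cert.HasPrivateKey)
                    throw new ArgumentException("Input carries a private key.", nameof(pasted));
                return Convert.ToBase64String(cert.RawData); // RawData is the DER encoding
            }
        }
        catch (Exception ex) when (ex is CryptographicException || ex is FormatException)
        {
            throw new ArgumentException("Input is not a valid X.509 certificate.", nameof(pasted), ex);
        }
    }

    // Re-wraps the stored string as PEM (64-character lines) so the customer sees the usual format.
    public static string ToPem(string bareBase64)
    {
        var sb = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        for (int i = 0; i < bareBase64.Length; i += 64)
            sb.Append(bareBase64, i, Math.Min(64, bareBase64.Length - i)).Append('\n');
        return sb.Append("-----END CERTIFICATE-----").ToString();
    }
}
```

Validating at paste time means a malformed certificate is reported to the customer who entered it, rather than surfacing later as a failure in ReceiveSsoAsync.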

Good to know. Thanks for sharing.

[quote]
br1003 - 3/10/2020
Hi,
I'm trying to load a certificate stored in the database. The form of the certificate is the usual PEM format with the BEGIN CERTIFICATE and END CERTIFICATE and the line breaks.

Something like this (the sample idp.cer)

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

When I retrieve it and load it in the configuration, the ReceiveSsoAsync fails with "The X.509 certificate could not be loaded from the string". The inner exception is "The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters." so it looks like it's using the Base64 converter.

So what's the right way to retrieve the certificate from the string and load it in the configuration? Should it not be in the string format like it is in the file? The clients will be copying and pasting the certificate in our application (we're the service provider) and we want them to be able to see it again when they want in the same format.

Hope you can help,

Thanks!
[/quote]

This helped solve a SAML SSO issue with a completely unrelated product, Enplug, for me. Thank you for posting this.

You’re welcome.