Troubleshooting Loading X.509 Certificates

ComponentSpace · February 20, 2014, 11:23pm

When loading X.509 certificates using the .NET X509Certificate2 class, always specify the X509KeyStorageFlags.MachineKeySet flag. This ensures the certificate may be accessed from within IIS. For example:

X509Certificate2 x509Certificate = new X509Certificate2(“idp.pfx”, “password”,
X509KeyStorageFlags.MachineKeySet);

Certificates Stored in Files
When loading a certificate from file, if an access denied exception occurs, this generally indicates a file permissions error.

Firstly, make sure the process the application is running under has permission to read the certificate file. For example, ensure the IIS_USERS group has read permission to the idp.pfx file.

If the permissions are correct for the pfx file, then the issue lies with the private key.

Private keys are stored in containers on the file system. The location of the private key container on Windows 7/8/10 and Windows Server 2008/2012/2016 is:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

The FindPrivateKey.exe Windows SDK utility may be run to locate the private key container.

http://msdn.microsoft.com/en-us/library/aa717039.aspx

The application process must have permission to create a file in the private key container folder.

The following code dumps out a certificate:

X509Certificate2 x509Certificate = new X509Certificate2(“idp.pfx”, “password”,
X509KeyStorageFlags.MachineKeySet);

Trace.Write(x509Certificate.ToString(true));

Its output is:

[Version]
V1

[Subject]
CN=www.idp.com
Simple Name: www.idp.com
DNS Name: www.idp.com

[Issuer]
CN=www.idp.com
Simple Name: www.idp.com
DNS Name: www.idp.com

[Serial Number]
46D399D0

[Not Before]
8/28/2007 1:43:12 PM

[Not After]
8/25/2017 1:43:12 PM

[Thumbprint]
4E387A0C0B695DB05F5DFD70D2572BB0FEBB98BA

[Signature Algorithm]
md5RSA(1.2.840.113549.1.1.4)

[Public Key]
Algorithm: RSA
Length: 1024
Key Blob: 30 81 89 02 81 81 00 a3 7d 6a de 62 59 6b 25 df 66 42 c3 b8 b7 27 6a 77 3f 28 6f 91 0c 55 be 3a 56 03 3f e4 6e 6e f5 a7 b7 c5 f9 8e d8 94 4d ca 7c 21 0e 3a 4c d1 14 16 c9 26 b2 89 d4 6f 90 27 1b ec ce 09 c6 b0 6f 67 49 af c9 01 b4 23 61 7e 2f d3 b9 f6 46 05 03 63 b8 0c 4d 32 2d f8 c8 88 11 74 68 a7 6b 39 c7 81 c9 6b 00 82 19 4f 22 9e ad 0a 98 8c f2 f5 c5 10 ec 14 6a 73 a8 61 a2 ff 6a 29 cc df 27 57 99 02 03 01 00 01
Parameters: 05 00

[Private Key]
Key Store: Machine
Provider Name: Microsoft Base Cryptographic Provider v1.0
Provider type: 1
Key Spec: Exchange
Key Container Name: {7D7021F3-C4E9-44C2-BB68-ECD0517EF5FE}
Unique Key Container Name: 1cff1ca21ad134bb7e6e87ee27ff71d3_cddd8d16-473b-40eb-8c9f-9cb4b8d44d33
Hardware Device: False
Removable: False
Protected: False

Note the unique key container name. This name is different each time the certificate is loaded.

At the time the certificate is loaded, a file with the private key container name is created in the private key container (e.g. C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7D7021F3-C4E9-44C2-BB68-ECD0517EF5FE).

The application process must have permission to create files in this container.

Certificates Stored in the Windows Certificate Store
When loading a certificate from the Windows Certificate Store, if an access denied exception occurs, this generally indicates a permissions error.

Firstly, make sure the certificate is stored in the local computer store rather than the current user’s store. This ensures the certificate may be accessed from within IIS.

Select the certificate, and click the menu Action > All Tasks > Manage Private Keys.

Make sure the application process (e.g the IIS_IUSRS group) has read access.

mbonthu · December 5, 2014, 7:26am

Hi, Where does this code need to be included in the project:

X509Certificate2 x509Certificate = new X509Certificate2(“idp.pfx”, “password”,
X509KeyStorageFlags.MachineKeySet);

Does it need to be done in global.asax session start event?

ComponentSpace · December 5, 2014, 12:41pm

You only need to load X.509 certificates explicitly if you’re using the low-level SAML API. If you use the high-level SAML API then our component will load the certificate for you.
If loading the certificate then I would recommend doing this in your Global.asax at application startup. It’s better to do this once at application startup rather than multiple times at session startup.

jllaue · June 25, 2019, 12:10pm

Hi @ComponentSpace,

For Certificates Stored in Files, does the user/application process also need Modify access? Or is Read & execute, List folder contents, Read, and Write enough?

ComponentSpace · June 25, 2019, 2:03pm

Read & execute, List folder contents, Read, and Write should be all that’s required.
If you’re having issues with the file permissions, I suggest giving the everyone group full permissions and ensuring that works.
You can then remove this and give only the specific account or group full permissions and ensuring that works.
Once that’s working, change the permissions to Read & execute, List folder contents, Read, and Write only.
You could experiment by trying fewer permissions but this is the set we believe to be required.
If you get a different result, please let us know.

jllaue · June 25, 2019, 2:38pm

Thank you. We removed Modify access and things work as expected. Will let you know if anything changes.

For reference, we were running into this error:

[Error] [ComponentSpace.Saml2.SamlIdentityProvider] Initiation of SSO to the partner service provider entity_id_of_serice_provider has failed.
ComponentSpace.Saml2.Exceptions.SamlCertificateException: The X.509 certificate could not be loaded from the file D:\certificates\name_of_cert.pfx. —> System.Security.Cryptography.CryptographicException: Access denied.

at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2…ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromFileAsync(String certificateFile, String certificatePassword)

The error is a bit misleading as access was not denied to the certificate, but rather write permission to C:\ProgramData\Microsoft\Crypto\RSA

Otherwise, the library has been working out great so far!

ComponentSpace · June 25, 2019, 3:00pm

Thanks for the update.
We rely on the .NET framework crypto API which in turn calls into the Windows crypto API.
Unfortunately, errors returned by these underlying APIs aren’t particularly descriptive.

Raphael · January 5, 2023, 4:18am

Valuable information, the private key storage folder is is however simplified or outdated.Private keys (if loaded with X509KeyStorageFlags.MachineKeySet) may also be saved at %ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys (https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval).This can be the case for keys generated by CNG’s KSP providers - it’s more complicated though - see also previous link.Be aware that such keys can cause issues anyway (“System.Security.Cryptography.CryptographicException: Invalid provider type specified.”) - at least in the older Componentspace version 2.8.6 I happened to use.

ComponentSpace · January 5, 2023, 1:15pm

Thanks for the link.