WIF failing to resolve private key
-
Friday, October 28, 2011 3:57 PM
I have an ASP.NET MVC 4.0 web app that uses WIF. The WIF service encryption cert is set in web.config. The cert is a self-signed cert that is located in LocalMachine/Personal. It's also in the Trusted Root Cert Auth store. Currently running my code in VS2010 on Windows7x64 as an impersonated domain user. The impersonated user is a local admin on my development box. I ran the MMC cert snap-in and granted permissions to the impersonated user. WIF does successfully load the certificate but it fails when resolving the private key. Here is the failing WIF code and corresponding exception.
internal static RSA EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)
{
    AsymmetricAlgorithm privateKey;
    if (!certificate.HasPrivateKey)
    {
        throw DiagnosticUtil.ExceptionUtil.ThrowHelperError(new ArgumentException(Microsoft.IdentityModel.SR.GetString("ID1001", new object[] { certificate.Thumbprint })));
    }
    try
    {
        privateKey = certificate.PrivateKey; // code throws CryptographicException here because the impersonated user can't resolve the private key
    }
    catch (CryptographicException exception)
    {
        throw DiagnosticUtil.ExceptionUtil.ThrowHelperError(new ArgumentException(Microsoft.IdentityModel.SR.GetString("ID1039", new object[] { certificate.Thumbprint }), exception));
    }
    RSA rsa = privateKey as RSA;
    if (rsa == null)
    {
        throw DiagnosticUtil.ExceptionUtil.ThrowHelperError(new ArgumentException(Microsoft.IdentityModel.SR.GetString("ID1002", new object[] { certificate.Thumbprint })));
    }
    return rsa;
}

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
   at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
   at Microsoft.IdentityModel.X509Util.EnsureAndGetPrivateRSAKey(X509Certificate2 certificate)
How do I get the cert private key to resolve correctly under my ASP.NET impersonated account?
Please advise.
thanks
All Replies
-
Friday, October 28, 2011 4:48 PM
How are you pulling the certificate out of the store? My guess is that it's only pulling the public key from the root.
Developer Security MVP | www.steveonsecurity.com -
Friday, October 28, 2011 6:10 PM
I am using WIF to load the certificate via the <serviceCertificate> element in the relying party web.config.
-
Friday, October 28, 2011 6:17 PM
Can you share the <serviceCertificate> contents?
Developer Security MVP | www.steveonsecurity.com -
Friday, October 28, 2011 6:33 PM
<serviceCertificate>
    <certificateReference findValue="DC=Acme, DC=com, OU=Development, CN=Acme Internal Token Encryption Cert (FOR TEST ONLY)" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
</serviceCertificate>
-
Friday, October 28, 2011 8:53 PM
Does the private key support export?
Easiest way to find out: CertMgr.msc > Certificate > Right-click > Export > Next > Yes, export the private key. If you can't, then it doesn't support being exported.
If that is the case you could generate another key pair with makecert.exe -pe option: http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx
Developer Security MVP | www.steveonsecurity.com
- Proposed As Answer by Steve Syfuhs MVP, Monday, October 31, 2011 2:00 PM
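A small added diagnostic (not from this thread and not WIF's own code) that performs the same LocalMachine\My lookup as the <serviceCertificate> reference above and then reports whether the current identity can actually open the key container, along with its exportability. It assumes a .NET 4.0 console app and reuses the subject DN from the posted web.config; run it under the impersonated account so the result reflects that user's access.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Run under the same identity the web app impersonates (e.g. via runas).
static class CertKeyCheck
{
    // Subject DN copied from the relying-party web.config in the thread.
    const string SubjectDn =
        "DC=Acme, DC=com, OU=Development, CN=Acme Internal Token Encryption Cert (FOR TEST ONLY)";
    static void Main()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // Same lookup WIF performs for x509FindType="FindBySubjectDistinguishedName".
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, SubjectDn, false);
            if (found.Count == 0)
                Console.WriteLine("Certificate not found in LocalMachine\\My.");
            foreach (X509Certificate2 cert in found)
                Report(cert);
        }
        finally { store.Close(); }
    }
    static void Report(X509Certificate2 cert)
    {
        Console.WriteLine("Thumbprint:    " + cert.Thumbprint);
        // HasPrivateKey only means the cert points at a key container; it does not prove this identity can open it.
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
        if (!cert.HasPrivateKey) return;
        try
        {
            // The same property access that threw in the WIF stack trace.
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null) { Console.WriteLine("Private key is not an RSA CSP key."); return; }
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            Console.WriteLine("Container:     " + info.UniqueKeyContainerName);
            Console.WriteLine("MachineKeySet: " + info.MachineKeyStore);
            Console.WriteLine("Exportable:    " + info.Exportable);
        }
        catch (CryptographicException ex)
        {
            // "The system cannot find the file specified" usually means the key container file (machine keys live under
            // %ProgramData%\Microsoft\Crypto\RSA\MachineKeys) is missing or unreadable by this identity.
            Console.WriteLine("Private key NOT accessible: " + ex.Message);
        }
    }
}
```

If the thumbprint prints but the catch block fires, the certificate object is fine and the problem is the key container (missing after an import that did not carry the private key into LocalMachine, or an ACL the impersonated user lacks), which matches the re-import fix reported later in the thread.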
-
Monday, October 31, 2011 1:33 PM
Steve,
I removed the certs and reimported them selecting the option to make them exportable. This resolved the problem we were having. I am not sure if the fix was making it exportable or just reimporting the certificates into the local machine. Thank you for all your help.