Can't use .pfx file for X.509 certificates

Question

  • Hi All,

    I am new to the Geneva framework and to WCF security as well. I have successfully run a few of the samples, then I decided to write my own.

    I have a very simple STS, an active RP WCF service and a client. I generated two certificates using makecert and put them in the LocalMachine Personal store, and everything worked fine.

    Then I exported those certificates to .pfx files along with the private keys. I changed my program to use the keys from the files instead of the Crypt store. Now, when the client sends a request for a security token to the STS, "GetScope" and "GetOutputClaimsIdentity" work fine but the client receives a WCF fault.

    I turned on diagnostic logging for the STS and found that it has an error saying "Replying to an operation threw a exception" and the Message was "The private key is not present in the X.509 certificate".

    Can anyone help me in this regard?

    Cheers,

    Syed

    Thursday, March 26, 2009 8:50 PM

Answers

  • I resolved my issue by specifying the "X509KeyStorageFlags.PersistKeySet" flag when instantiating the X509Certificate2 object as follows:

    X509Certificate2 certificate = new X509Certificate2("Pfxfile.pfx", "password", X509KeyStorageFlags.PersistKeySet);

    I think that for security reasons, if we don't specify the flag, the private key is deleted or something like that.
    I have no idea why inheriting from X509SigningCredentials resolves the issue.

    Cheers,
    Syed
    Tuesday, July 21, 2009 9:39 PM

All replies

  • Did you use the X509Certificate2 constructor that takes a filename and a password as its arguments?

    Saturday, March 28, 2009 6:19 PM
    Moderator
  • Yes, I did that. In fact I observed a really weird thing with it. I had been debugging the application, and during debugging, if I accessed the PrivateKey property everything worked fine, which brought me to the conclusion that I need to access the PrivateKey property before setting the SigningCredentials property for the Geneva framework. So I started accessing the PrivateKey property before setting the SigningCredentials and everything started working without debugging the application. (Though it still fails sometimes, but I think that could be due to my development environment.) Anyway, could you please explain to me what is going wrong? Why do I need to access the PrivateKey property?

    Cheers,
    Syed
    Saturday, March 28, 2009 6:34 PM
  • I am also seeing this issue. When using X509SigningCredentials with an X509Certificate2, the private key gets lost. I found that if I kept the instance of the X509Certificate2 certificate instantiated, everything worked as expected. I fixed this issue by inheriting from X509SigningCredentials and keeping a local instance of the X509Certificate2 in a private field.

    using System.IdentityModel.Tokens;                    // SecurityKeyIdentifier
    using System.Security.Cryptography.X509Certificates;  // X509Certificate2

    // Wrapper that holds its own reference to the certificate so the
    // X509Certificate2 (and the private key it owns) stays alive for as
    // long as the signing credentials are in use.
    public class X509SigningCredentials2 : Microsoft.IdentityModel.SecurityTokenService.X509SigningCredentials
    {
        private readonly X509Certificate2 _certificate;

        public X509SigningCredentials2(X509Certificate2 certificate) : base(certificate)
        {
            _certificate = certificate;
        }

        public X509SigningCredentials2(X509Certificate2 certificate, SecurityKeyIdentifier ski) : base(certificate, ski)
        {
            _certificate = certificate;
        }
    }

    Is there a reason for this behavior?
    Tuesday, July 21, 2009 9:11 PM
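    An added example (not code from this thread or from the Geneva framework) that loads the PFX the way the accepted answer does, checks that the private key is really usable by signing with it, and then removes the on-disk key container that PersistKeySet leaves behind once the process no longer needs it. It assumes .NET Framework, the placeholder path "Pfxfile.pfx" and password "password" from the answer, and that the PFX's key lives in a CSP that supports SHA-256 (for example the Microsoft Enhanced RSA and AES provider).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class PfxKeyLoading
{
    // Loads the certificate as the accepted answer does. Without PersistKeySet
    // the private key is imported into a temporary CSP key container that
    // Windows deletes when the X509Certificate2 handle is released, which is
    // why code that only keeps the signing credentials can later see
    // "The private key is not present in the X.509 certificate".
    public static X509Certificate2 LoadSigningCertificate(string pfxPath, string password, bool persist)
    {
        X509KeyStorageFlags flags = persist ? X509KeyStorageFlags.PersistKeySet : X509KeyStorageFlags.DefaultKeySet;
        var cert = new X509Certificate2(pfxPath, password, flags);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("PFX carries no private key; the STS cannot sign tokens with it.");
        return cert;
    }

    // Exercises the key instead of trusting HasPrivateKey alone.
    public static byte[] Sign(X509Certificate2 cert, byte[] data)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;  // assumption: CSP-backed RSA key
        if (rsa == null)
            throw new InvalidOperationException("Expected an RSA CSP private key.");
        return rsa.SignData(data, CryptoConfig.MapNameToOID("SHA256"));
    }

    // PersistKeySet keeps the key container on disk after the process exits.
    // Delete it explicitly when the key was only needed for this process.
    public static void RemovePersistedKey(X509Certificate2 cert)
    {
        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null) return;
        rsa.PersistKeyInCsp = false;  // mark the container for deletion
        rsa.Clear();                  // release the handle; the container is removed
    }

    static void Main()
    {
        // "Pfxfile.pfx" / "password" are placeholders taken from the thread.
        X509Certificate2 cert = LoadSigningCertificate("Pfxfile.pfx", "password", persist: true);
        byte[] sig = Sign(cert, Encoding.UTF8.GetBytes("token body to sign"));
        Console.WriteLine("HasPrivateKey={0}, signature length={1}", cert.HasPrivateKey, sig.Length);
        RemovePersistedKey(cert);
    }
}
```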
  • Just tested your resolution against my code & it works. Thanks for the heads up.
    Tuesday, July 21, 2009 9:48 PM