Certificate Export Error: Key not valid for use in specified state.

    Question

  • Hi,

    I am using the code below to export certificates:

        // Assumed to be declared earlier in the program (types inferred from their use here):
        // X509Store store (already opened); string certPath, iStoreLocation, iStoreName;
        // string thumbPrint, certFileName; byte[] certBytes; int i = 0;
        foreach (X509Certificate2 certificate in store.Certificates)
        {
            try
            {
                thumbPrint = certificate.Thumbprint;
                // Console.WriteLine("File Name: " + certPath + @"\" + iStoreLocation + "_" + iStoreName + "_" + thumbPrint + "_" + i.ToString());
                if (certificate.HasPrivateKey)
                {
                    // Certificates with a private key are written as a password-protected PFX
                    certBytes = certificate.Export(X509ContentType.Pfx, "Password");
                    certFileName = certPath + @"\" + iStoreLocation + "_" + iStoreName + "_" + thumbPrint + "_" + i.ToString() + ".PFX";
                    File.WriteAllBytes(certFileName, certBytes);
                }
                else
                {
                    // Public-only certificates are written as a DER-encoded .CER
                    certBytes = certificate.Export(X509ContentType.Cert);
                    certFileName = certPath + @"\" + iStoreLocation + "_" + iStoreName + "_" + thumbPrint + "_" + i.ToString() + ".CER";
                    File.WriteAllBytes(certFileName, certBytes);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("File Name: " + certPath + @"\" + iStoreLocation + "_" + iStoreName + "_" + thumbPrint + "_" + i.ToString());
                // Note: if Export() threw, certFileName still holds the previous certificate's name
                Console.WriteLine("Exception in Cert: " + certFileName);
                Console.WriteLine(ex);
            }
            finally
            {
                i++;
            }
        }

    But for some of the certificates I am getting the exception below:

    Exception Message:  Key not valid for use in specified state.
    Inner Exception: 
    StackTrace:     at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
       at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)

    I tried searching on the net but couldn't figure it out. Can you help me with this? How can I export them, and what is the root cause?

    Thanks,

    Sujith.


    Tuesday, April 4, 2017 7:03 PM

All replies

  • Check whether the key is exportable in the certificate store. If it's not marked as exportable, it cannot be exported.
    Wednesday, April 5, 2017 1:46 AM
    Answerer
  • Hi sujith reddy komma,

    Thank you for posting here.

    For your question, the type of your X509ContentType is Pfx.

    However, the contentType parameter accepts only the following values of the X509ContentType enumeration: Cert, SerializedCert, and Pkcs12. Passing any other value causes a CryptographicException to be thrown. The pfx is not the correct type to export.

    I hope this is helpful.

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Thursday, April 6, 2017 7:54 AM
    Moderator
  • Thursday, April 6, 2017 9:28 AM
    Answerer
  • Hi sujith reddy komma,

    For your question, could you debug your code step by step and give us more information? Where do you get the error in your code?

    In the MSDN article, the parameter accepts only Cert, SerializedCert, and Pkcs12. In that article, the example loads a PFX certificate file into an X509Certificate object, exports the certificate as a byte array with the type Cert, and then imports the byte array into another X509Certificate object, for your reference.

    Best Regards,

    Wendy




    Friday, April 7, 2017 1:54 AM
    Moderator
  • Sigh, I told you that both Pfx and Pkcs12 are the same value, won't you listen?

    To prove it, I'll recreate a simplified version of the argument check here:

        using System;
        using System.Security.Cryptography;
        using System.Security.Cryptography.X509Certificates;

        class Program
        {
            static void Main()
            {
                X509ContentType contentType = X509ContentType.Pfx;

                // Pfx and Pkcs12 are the same enum member, so the Pfx value matches the Pkcs12 case
                switch (contentType)
                {
                    case X509ContentType.Cert:
                        Console.WriteLine("Content type is Cert.");
                        break;
                    case X509ContentType.SerializedCert:
                        Console.WriteLine("Content type is SerializedCert.");
                        break;
                    case X509ContentType.Pkcs12:
                        Console.WriteLine("Content type is Pkcs12.");
                        break;
                    default:
                        throw new CryptographicException("Cryptography_X509_InvalidContentType");
                }

                Console.ReadKey();
            }
        }

    You can try it yourself and run it; the output of the above snippet is:

    Content type is Pkcs12.

    Friday, April 7, 2017 2:16 AM
    Answerer
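As an added example (not code from this thread), the check the first reply recommends, done in code: before calling Export, read the key container's exportable flag (CSP keys) or the CNG export policy, and treat the NTE_BAD_KEY_STATE HRESULT behind "Key not valid for use in specified state" as a fallback rather than a generic failure; it also exports with X509ContentType.Pkcs12, which the last reply shows is the same value as Pfx. The store, output folder and password are assumed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SafeCertExport
{
    // HRESULT NTE_BAD_KEY_STATE, the code behind "Key not valid for use in specified state."
    const int NTE_BAD_KEY_STATE = unchecked((int)0x8009000B);

    // true = key marked exportable, false = not exportable or no key, null = flag not exposed
    public static bool? IsPrivateKeyExportable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        using (RSA rsa = cert.GetRSAPrivateKey())       // null for non-RSA keys
        {
            if (rsa is RSACryptoServiceProvider csp)    // legacy CAPI key container
                return csp.CspKeyContainerInfo.Exportable;
            if (rsa is RSACng cng)                      // CNG key
                return (cng.Key.ExportPolicy & CngExportPolicies.AllowExport) != 0;
        }
        return null;
    }

    // Writes a PFX only when the key is known exportable; otherwise writes the public .cer
    // and reports why, so a non-exportable key is logged rather than thrown from Export().
    public static string ExportOne(X509Certificate2 cert, string outDir, string password)
    {
        string baseName = Path.Combine(outDir, cert.Thumbprint);
        bool? exportable = IsPrivateKeyExportable(cert);
        if (exportable == true)
        {
            try
            {   // X509ContentType.Pkcs12 and X509ContentType.Pfx are the same enum value
                File.WriteAllBytes(baseName + ".pfx", cert.Export(X509ContentType.Pkcs12, password));
                return "pfx";
            }
            catch (CryptographicException ex) when (ex.HResult == NTE_BAD_KEY_STATE) { } // provider refused: fall through to .cer
        }
        File.WriteAllBytes(baseName + ".cer", cert.Export(X509ContentType.Cert));
        return exportable == false ? "cer (private key not exportable)" : "cer";
    }

    static void Main()
    {
        string outDir = Directory.CreateDirectory("cert-export").FullName;    // assumed output folder
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);  // assumed store
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 cert in store.Certificates)
            Console.WriteLine(cert.Thumbprint + " -> " + ExportOne(cert, outDir, "Password"));
        store.Close();
    }
}
```

Keys held in hardware or marked non-exportable at enrollment will report false here; the only remedy for those is to re-enroll the certificate with an exportable key, not to retry the export.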