Error using X509Certificate where "Strong private key protection" is enabled

  • Question

  • I have a big problem and I need help. I do not know how to resolve it.

    I use the routine below to let the user select a digital certificate and sign a host file.
    This certificate can be installed on the machine or be on a smart card or something similar.

    <code>
    using System.Security.Cryptography.Pkcs;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;

    // Let the user pick a certificate from the store (installed or on a smart card).
    // Note: personal certificates with private keys normally live in StoreName.My.
    X509Store store = new X509Store (StoreName.Root, StoreLocation.CurrentUser);
    store.Open (OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
    X509Certificate2Collection certColl = X509Certificate2UI.SelectFromCollection (store.Certificates, "Test", "Choose a certificate", X509SelectionFlag.SingleSelection);
    X509Certificate2 cert = certColl [0]; // throws if the user cancels the dialog

    ....
    byte [] msgBytes = Encoding.Unicode.GetBytes ( "bla bla ...");
    SignedCms signCms = new SignedCms (new ContentInfo (msgBytes), false); // attached content
    CmsSigner signer = new CmsSigner (cert);
    // This throws an exception
    signCms.ComputeSignature (signer);
    </code>

    The method SignedCms.ComputeSignature () throws the exception "Keyset does not exist" if the selected certificate had been installed with the "strong private key protection" option checked. If the option is not checked the code works normally.
    This problem also occurs if the selected certificate is on a smart card.

    In theory, "strong private key protection" should ask for the certificate password each time the key is used, but apparently .NET gets lost with this option.

    On MSDN there is the following reference to this issue in a post from March 2008:
    "About the 'Strong private key protection' issue: When you import your certificate into the certificate store, you are presented with the option to 'Enable strong private key protection'. You will be prompted every time the private key is used by an application if you enable this option. Unfortunately, enabling this option causes the .NET Framework to fail silently when accessing the private key of your certificate. For further information, please read the article in Kevin W. Hammond's blog."

    The workaround is to re-install the certificate without checking the option. (http://blogs.msdn.com/kevinha/archive/2005/02/15/373254.aspx)

    I'm using .NET Framework 2.0.

    Does anybody have any suggestion to solve this problem?

    Thanks


    Erunamo
    • Edited by Don Tan Friday, June 26, 2009 6:08 PM Fixing Thread Title bug
    Thursday, June 25, 2009 12:11 AM
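As an added example that is not part of the original post or of Kevin Hammond's article: SignedCms has a second overload, ComputeSignature(CmsSigner signer, bool silent). As I understand the .NET Framework implementation, the single-argument overload used in the post calls it with silent set to true, which asks the CSP to open the private key without showing any UI; a key imported with strong private key protection (or a PIN-protected smart card key) cannot be opened that way, and the CSP reports NTE_BAD_KEYSET, which surfaces as "Keyset does not exist". The code below selects a certificate from the Personal (StoreName.My) store, signs with silent set to false so the CSP may display its password or PIN dialog, and decodes the HRESULT of any CryptographicException so the failure is attributable. The DemoSigner class name, the store chosen, the prompt strings and the constructed message are my own; it needs a certificate with a private key in the current user's store to run, so nothing here is unit-testable offline.

```csharp
// Added example, not code from the original post. Requires System.Security.dll.
// Assumes a signing certificate with a linked private key in the user's Personal
// (StoreName.My) store; store, prompt strings and class name are my own choices.
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class DemoSigner
{
    // CryptoAPI error behind the "Keyset does not exist" message.
    const int NTE_BAD_KEYSET = unchecked((int)0x80090016);

    // Let the user pick a certificate; only offer ones that carry a private key.
    static X509Certificate2 PickCertificate()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection candidates = new X509Certificate2Collection();
            foreach (X509Certificate2 c in store.Certificates)
                if (c.HasPrivateKey) candidates.Add(c);

            X509Certificate2Collection chosen = X509Certificate2UI.SelectFromCollection(
                candidates, "Sign file", "Choose a signing certificate",
                X509SelectionFlag.SingleSelection);
            return chosen.Count == 1 ? chosen[0] : null; // null when the user cancels
        }
        finally
        {
            store.Close();
        }
    }

    // Returns DER-encoded CMS SignedData with attached content, or null on failure.
    static byte[] Sign(X509Certificate2 cert, byte[] content)
    {
        SignedCms cms = new SignedCms(new ContentInfo(content), false);
        CmsSigner signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert);
        try
        {
            // silent == false: the CSP is allowed to show its password/PIN dialog.
            // ComputeSignature(signer) alone requests silent key access.
            cms.ComputeSignature(signer, false);
            return cms.Encode();
        }
        catch (CryptographicException ex)
        {
            // Exception.HResult is not public on .NET 2.0, so go through Marshal.
            int hr = Marshal.GetHRForException(ex);
            if (hr == NTE_BAD_KEYSET)
                Console.Error.WriteLine("Private key could not be opened (NTE_BAD_KEYSET): " +
                    "the key container is protected or missing.");
            else
                Console.Error.WriteLine("Signing failed: 0x" + hr.ToString("X8") + " " + ex.Message);
            return null;
        }
    }

    // Verify the signature only (true skips certificate chain validation).
    static bool Verify(byte[] encoded)
    {
        SignedCms cms = new SignedCms();
        cms.Decode(encoded);
        try { cms.CheckSignature(true); return true; }
        catch (CryptographicException) { return false; }
    }

    static void Main()
    {
        X509Certificate2 cert = PickCertificate();
        if (cert == null) { Console.WriteLine("No certificate selected."); return; }

        byte[] msg = Encoding.Unicode.GetBytes("bla bla ..."); // constructed sample input
        byte[] signed = Sign(cert, msg);
        if (signed != null)
            Console.WriteLine("Signed {0} bytes; signature verifies: {1}",
                signed.Length, Verify(signed));
    }
}
```

If the two-argument overload still fails with NTE_BAD_KEYSET, the key container itself is not reachable from the process (wrong store, a different user profile, or a card reader that is not present), and re-importing without the strong protection option, as the quoted MSDN post suggests, is the remaining workaround.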