WCF Client Application - problems accessing private key RRS feed

  • Question

  • I have an MSI which runs an executable module to drop three keys onto the client machine, in Local Machine. One is RootCA, one is client key with private keys, and the other is the server public key.

    I know all of the keys work - and they are set to persist, so as to not mysteriously disappear. The issue seems to be a quirky Windows one. If I simply run the client app after install, I get SOAP Security Negotiation failed, with a message about not being able to access the private keys.

    However, if I right click the client key, and click Manage Private Keys - then cancel straight back out, making no changes whatsoever, the client app will now run. Very strange. Can anyone explain what is happening here? And if there is a programmatic way to fix the issue?



    Cheers, John

    Monday, August 31, 2015 2:09 PM

All replies

  • Hi j_dublevay,

    You need to specify -sky exchange when you create the certificate.

    makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic 
        TempCA.cer SignedByCA.cer -sr LocalMachine -ss My -sky exchange -pe

    For more information, you can  refer those links:

    1.How to: Make X.509 Certificates Accessible to WCF

    2.Securing WCF Services with Certificates

    Best Regards,


    • Edited by Jimyken Wednesday, September 2, 2015 1:08 AM
    Wednesday, September 2, 2015 1:05 AM
  • Thank you, but I don't believe that is the issue. I actually generated the keys in a third party tool, called Cryptosys PKI. I have the keys stored as a PFX format - that is, with the private key encrypted alongside the rest of the certificate.

    I am using the following code to programmatically add the key to the store.

                Dim persStore As New X509Store(StoreName.My, StoreLocation.LocalMachine)
                Dim persCert As New X509Certificate2(TempFolderPath & "WcfClt.pfx", "password", X509KeyStorageFlags.PersistKeySet)

    I've tried various options within the X509KeyStorageFlags area, including UserKeySet, MachineKeySet and Exportable, to no avail.

    I've actually now passed to installable program to friends to try out now, and I am being told that the error seems more severe on their machines. The key import always appears successfuly. But on Windows 10, they get a SOAP Authentication error as soon as the call is made to the WCF service, and the keys do not seem properly accessible via 'Manage Private Keys'. I have tried the same install within a clean Windows 7 install inside VirtualBox. I receive an Object Not Found error when I try to use the 'Manage Private Keys' option. And I similarly get a SOAP Authentication Error when trying to access the WCF Service.

    It definitely seems to be something to do with accessing the private keys. But I cannot work out what.

    If I change the private key password, it reports a failure on importing the keys.

    Cheers, John

    Wednesday, September 2, 2015 9:03 PM