Add X509Certificate2 to X509Store with AllowPlaintextExport flag?

  • Question

  • Hi,

    (I asked a similar question over at stackoverflow but received no response and am hoping for better luck here)

    When I import a certificate into a store using CertUtil, e.g., certutil -f -v -user -privatekey -importPFX my mycert.p12, and then read it back in C#, I see that its export policy is AllowExport | AllowPlaintextExport.

    However, when importing the same certificate to the same store using the X509Store.Add() method and then reading it back, the export policy is only AllowExport; I use the X509KeyStorageFlags.Exportable flag when importing the certificate to the store, e.g.:

        // ...
        X509Certificate2Collection x509cert2Collection = new X509Certificate2Collection();
        x509cert2Collection.Import(myp12bytes, passwd, X509KeyStorageFlags.Exportable);
        foreach (X509Certificate2 x509cert2 in x509cert2Collection)
        {
            X509Store myStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            myStore.Open(OpenFlags.ReadWrite); // Add() throws if the store has not been opened
            myStore.Add(x509cert2);
            myStore.Close();
        }
        // ...

    My question is: is there a way to add an X509Certificate2 to the X509Store in C# so that the certificate's export policy includes both AllowExport and AllowPlaintextExport? X509KeyStorageFlags does not seem to define the AllowPlaintextExport flag; only CngExportPolicies does.

    The reason for this question is that my application requires the certificate keys in the Windows store to be used with BouncyCastle APIs, and the only way I have found so far requires that the private key be exported as Pkcs8PrivateBlob, which, in turn, requires the key to have the AllowPlaintextExport flag set.

    Thanks,

    --Hyong


    Friday, October 6, 2017 6:43 PM

Answers

  • Hi,

    One of the requirements is that the certificate be created externally and imported into the Windows store.  To get around the problem asked in this post, I'm now invoking 'CertUtil -importpfx' in the C# application instead of using the C# API calls in the original question.  

    Thanks,

    --Hyong

    • Marked as answer by hyongsop Friday, October 13, 2017 1:23 PM
    Thursday, October 12, 2017 1:41 PM
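    As an added example (not code from this thread), here is the accepted workaround driven from C#, followed by the export-policy readback the question describes. It assumes certutil.exe is on PATH, that the PFX password is supplied with certutil's -p switch, a PFX path and password of your own, a thumbprint to look the certificate up by, and .NET Framework 4.6 or later for GetRSAPrivateKey() and RSACng.

    ```csharp
    // Added example, not part of the original thread.
    using System;
    using System.Diagnostics;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;

    static class PfxImportCheck
    {
        // Mirrors the accepted answer: shell out to certutil -importpfx instead of X509Store.Add().
        // Assumption: certutil.exe is on PATH and -p carries the PFX password.
        // Caveat: the password is on the command line, so it is visible in process listings
        // for the lifetime of the certutil process.
        public static void ImportWithCertUtil(string pfxPath, string password)
        {
            var psi = new ProcessStartInfo
            {
                FileName = "certutil.exe",
                Arguments = "-f -user -privatekey -p \"" + password + "\" -importpfx my \"" + pfxPath + "\"",
                UseShellExecute = false,
                RedirectStandardOutput = true,
                RedirectStandardError = true,
                CreateNoWindow = true
            };
            using (Process p = Process.Start(psi))
            {
                string stdout = p.StandardOutput.ReadToEnd();
                string stderr = p.StandardError.ReadToEnd();
                p.WaitForExit();
                if (p.ExitCode != 0)
                    throw new InvalidOperationException("certutil -importpfx failed: " + stdout + stderr);
            }
        }

        // Reads back the export policy of the private key bound to a cert in CurrentUser\My.
        // CngExportPolicies (AllowExport, AllowPlaintextExport) only exists for CNG/KSP keys;
        // a key on a legacy CAPI CSP exposes just an Exportable bit and cannot be pulled
        // out as a Pkcs8PrivateBlob through CngKey.
        public static string DescribeExportPolicy(string thumbprint)
        {
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            try
            {
                store.Open(OpenFlags.ReadOnly);
                X509Certificate2Collection matches =
                    store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
                if (matches.Count == 0) return "certificate not found";

                X509Certificate2 cert = matches[0];
                if (!cert.HasPrivateKey) return "no private key";

                RSA rsa = cert.GetRSAPrivateKey();
                var cng = rsa as RSACng;
                if (cng != null)
                    return "CNG key, ExportPolicy = " + cng.Key.ExportPolicy;
                var csp = rsa as RSACryptoServiceProvider;
                if (csp != null)
                    return "CAPI key, Exportable = " + csp.CspKeyContainerInfo.Exportable;
                return "unrecognised key implementation: " + rsa.GetType().Name;
            }
            finally
            {
                store.Close();
            }
        }

        static void Main(string[] args)
        {
            // Usage: PfxImportCheck <pfxPath> <password> <thumbprint>   (all three are your own inputs)
            ImportWithCertUtil(args[0], args[1]);
            Console.WriteLine(DescribeExportPolicy(args[2]));
        }
    }
    ```

    Run DescribeExportPolicy() once after a certutil import and once after an X509Store.Add() import of the same PFX to reproduce the difference the question reports; if the result says "CAPI key", the key landed on a legacy CSP and the AllowPlaintextExport question does not apply to it at all.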

All replies


  • Hi hyongsop,

    >>is there a way to add a X509Certificate2 to the X509Store in C# so that the certificate's export policy includes both AllowExport and AllowPlaintextExport? X509KeyStorageFlags does not seem to define the AllowPlaintextExport flag; only the CngExportPolicies does.

    As far as I know, you can try to create your Certificate with C#. Then, you can get these Certificates in X509Certificate2Collection.

            // usings needed by the snippet below
            using System;
            using System.Diagnostics;
            using System.Security.Cryptography.X509Certificates;

            CreateCertWithPrivateKey("certest001", @"C:\Program Files (x86)\Windows Kits\10\bin\10.0.15063.0\x64\makecert.exe"); // win 10
            X509Certificate2 c1 = GetCertificateFromStore("certest001");


        // Runs makecert to create a self-signed certificate with an exportable (-pe)
        // private key directly in the CurrentUser\My store (-ss my).
        public static bool CreateCertWithPrivateKey(string subjectName, string makecertPath)
        {
            subjectName = "CN=" + subjectName;
            string param = " -pe -ss my -n \"" + subjectName + "\" ";
            try
            {
                // StartInfo must be set before Process.Start; changing it afterwards has no effect.
                var psi = new ProcessStartInfo(makecertPath, param)
                {
                    UseShellExecute = true,
                    WindowStyle = ProcessWindowStyle.Hidden
                };
                using (Process p = Process.Start(psi))
                {
                    p.WaitForExit();
                    return p.ExitCode == 0; // makecert reports failure through its exit code
                }
            }
            catch (Exception)
            {
                return false;
            }
        }

        // Finds the certificate by exact subject in CurrentUser\My; read access is enough.
        public static X509Certificate2 GetCertificateFromStore(string subjectName)
        {
            subjectName = "CN=" + subjectName;
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            try
            {
                store.Open(OpenFlags.ReadOnly);
                foreach (X509Certificate2 x509 in store.Certificates)
                {
                    if (x509.Subject == subjectName)
                    {
                        return x509;
                    }
                }
                return null;
            }
            finally
            {
                store.Close(); // runs on every path, including the early return above
            }
        }


    How to: Create Your Own Test Certificate:
    https://msdn.microsoft.com/en-us/library/ff699202.aspx

    Best Regards,

    Yohann Lu


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Monday, October 9, 2017 10:02 AM
  • Hi Yohann

    Thanks for the reply.  I have a bit of trouble understanding it, however.  Are you suggesting that creating a certificate in the way you suggest would automatically set the AllowExport and AllowPlaintextExport flags?  I'll read the link you referred but thought I'd ask you the question quickly.

    Thanks,

    --Hyong

    Monday, October 9, 2017 3:26 PM

  • Hi hyongsop,

    >>Are you suggesting that creating a certificate in the way you suggest would automatically set the AllowExport and AllowPlaintextExport flags?  I'll read the link you referred but thought I'd ask you the question quickly.

    Did you test the solution above in your own way?

    If we have any misunderstanding, you can upload your demo to OneDrive (including your test material/certificate). We can download it and debug it. This will help us quickly analyze your problem.
    Share OneDrive files and folders:
    https://support.office.com/en-us/article/Share-OneDrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a82024800c07

    Best Regards,

    Yohann Lu


    MSDN Community Support

    Thursday, October 12, 2017 1:59 AM

  • Hi hyongsop,

    I'm glad that you have found a solution to resolve your problem and I suggest you can share the solution here and mark your reply as an answer. Anyone who encountered similar issues will get help from it.


    Best Regards,

    Yohann Lu


    MSDN Community Support

    Friday, October 13, 2017 5:28 AM