Programmatically installed X509Certificate2's private key dies together with the installer app, why?

  • Question

  • I'm doing a simple X509Certificate2 install, see code below. But in MMC its Private Key becomes unaccessible immediately when I close the installer app. My problem is actually more complex, but tracked it down to this strange behavior. It doesn't happen if I install the same cert in MMC manually. I would like to program "the same result as if I did it manually in MMC, Private Key staying nicely there". How could I achieve it, please? Full source together with the demo cert being installed uploaded here

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using System.Security.Cryptography.X509Certificates;
    using System.IO;
    using System.Reflection;
    
    namespace DemoCertInstaller
    {
        class Program
        {
            static void Main(string[] args)
            {
                Console.WriteLine("going to install the cert, press any key...");
                Console.ReadKey();
    
                var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
                store.Open(OpenFlags.ReadWrite);
                try
                {
                    var fileName = Path.Combine(Path.GetDirectoryName(Assembly.GetEntryAssembly().Location), "Little_Demo_Cert_Cert.pfx");
                    
                    var cert = new X509Certificate2(fileName, string.Empty, X509KeyStorageFlags.MachineKeySet);
                    store.Add(cert);
                }
                finally
                {
                    store.Close();
                }
    
                Console.WriteLine("now the cert is there, and one can view its private key");
                Console.WriteLine("(in Win-7 MMC --> All Tasks --> Manage Private Keys...)");
                Console.WriteLine("BUT EXIT THIS CONSOLE APP NOW, and the Private Key is gone");
                Console.WriteLine("saying 'The requested security information is either unavailable or can't be displayed'");
                Console.WriteLine("press any key to exit and see that effect...");
                Console.ReadKey();
            }
        }
    }
    

    Friday, March 9, 2012 2:57 PM

Answers

  • OK, it was rather obvious, thanks goes here

    // ORIGINAL: var cert = new X509Certificate2(fileName, string.Empty, X509KeyStorageFlags.MachineKeySet);
    
    // FIXED:
    var cert = new X509Certificate2(fileName, string.Empty, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

    • Marked as answer by Andres24 Thursday, March 15, 2012 7:36 AM
    Thursday, March 15, 2012 7:36 AM
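
A way to confirm the fix from a second process, as an added example that is not part of the original thread. It assumes .NET Framework 4.6 or later, an RSA key, an empty PFX password as in the question, and an elevated prompt; the class name `PersistedKeyCheck` and the `install`/`check` arguments are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PersistedKeyCheck
{
    // Import the PFX so the key container outlives this process; returns the thumbprint.
    public static string Install(string pfxPath, string password)
    {
        var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
        using (var cert = new X509Certificate2(pfxPath, password, flags))
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
            return cert.Thumbprint;
        }
    }

    // Look the certificate up again and actually use the key.
    // HasPrivateKey alone is not treated as proof here; a signature is.
    public static bool KeyIsUsable(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) return false;
            try
            {
                using (RSA rsa = found[0].GetRSAPrivateKey())
                {
                    if (rsa == null) return false;
                    rsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                    return true;
                }
            }
            catch (CryptographicException) { return false; } // key container missing or unreadable
        }
    }

    static void Main(string[] args)
    {
        // "install <pfx>" prints the thumbprint; "check <thumbprint>" is meant for a new process.
        if (args.Length == 2 && args[0] == "install")
            Console.WriteLine(Install(args[1], string.Empty));
        else if (args.Length == 2 && args[0] == "check")
            Console.WriteLine(KeyIsUsable(args[1]) ? "private key usable" : "private key missing");
    }
}
```

Run `install`, let the process exit, then run `check` with the printed thumbprint; the same check can be pointed at a certificate installed by the original code to compare.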

All replies

  • Make sure you're running elevated, otherwise (if you have no manifest at all) you may be redirected to a VirtualStore location.

    Phil Wilson

    Friday, March 9, 2012 9:08 PM
  • I tried elevated ("Run as Administrator", right?), no difference. And I can actually observe the creation of the related file, named like:

    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\119e980d6013da8ba151a54f8fbb1280_783ada93-676d-4a67-bda0-10cfff8a2751

    ... and then it's disappearing again, right at the moment I exit my program. (by the way, manually copying the file back there doesn't help either, it's something wider). Can it still be something with VirtualStore? This whole thing has to be possible, as we can see in MMC behavior, but I'm missing some kind of persistence... Any ideas, please?

    Wednesday, March 14, 2012 3:26 PM