Problem Adding Machinekey / Private Key Remotely

  • Question

  • I have a C# application in which I'm adding a pfx certificate (with private key) to a remote server. The certificate is added to the certificate store just fine, but the machine key is not placed on the server and therefore I cannot use it for SSL (IIS). I've gotten the same behavior on Windows Server 2003 and 2008. The machine keys should be created at "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" and "C:\programdata\Microsoft\Crypto\RSA\MachineKeys" respectively.

    My code looks something like this:
    X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
    X509Certificate2 newPFX = new X509Certificate2(pfxpath, "password", flags);

    X509Store certStore = new X509Store(@"\\" + serverName + "\\MY", StoreLocation.LocalMachine);
    certStore.Open(OpenFlags.ReadWrite);
    certStore.Add(newPFX);


    • Edited by MP03 Wednesday, November 21, 2012 7:31 PM misspelled title
    • Moved by Bob Shen Monday, November 26, 2012 10:04 AM (From:Visual C# General)
    Wednesday, November 21, 2012 6:35 PM

All replies

  • I saw your code, you have put the file in whatever \\ + serverName but where is your code to point your IIS to it?

    chanmm

    Thursday, November 22, 2012 9:02 AM
  • If the server is using IIS7 I execute the code below, which works just fine, except that when I add the certificate to the remote keystore it does not create an associated machine key on the remote server. If I manually import the pfx on the remote server by logging in and using the certificates snap-in, I can see the machinekey being created:

    // Requires Microsoft.Web.Administration; siteCollection and certHash are set earlier (not shown).
    foreach (Site site in siteCollection)
    {
        foreach (Binding binding in site.Bindings)
        {
            if (binding.Protocol == "https")
            {
                string bCertHash = binding.GetAttributeValue("certificateHash").ToString().ToUpper();
                // Rebind only when the binding does not already use the new certificate.
                if (bCertHash != certHash.ToUpper())
                {
                    ConfigurationMethod method = binding.Methods["AddSslCertificate"];
                    if (method == null)
                    {
                        throw new Exception("Unable to access the AddSslCertificate configuration method");
                    }
                    ConfigurationMethodInstance mi = method.CreateInstance();
                    mi.Input.SetAttributeValue("certificateHash", certHash);
                    mi.Input.SetAttributeValue("certificateStoreName", "MY");
                    mi.Execute();
                }
            }
        }
    }

    • Edited by MP03 Friday, November 23, 2012 1:56 PM too much whitespace
    Friday, November 23, 2012 1:55 PM
  • How would I put the machinekey in "\\ + serverName " as you are describing?  Why doesn't certStore.Add(newPFX); add the associated private key as well?

    Shouldn't the flags X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet; make the machinekey?

     
    Friday, November 23, 2012 2:04 PM
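
A diagnostic for the symptom described in the posts above, as an added example that is not code from this thread: run on the target server itself, it reports for each certificate in LocalMachine\My whether the referenced private key exists in the MachineKeys directory named in the question. It assumes .NET Framework and CSP-backed RSA keys; the class and method names are illustrative.

```csharp
// Added diagnostic (not from the thread). Run it on the server itself.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class MachineKeyCheck
{
    // Classifies the private-key state of one certificate.
    static string Describe(X509Certificate2 cert, string keyDir)
    {
        if (!cert.HasPrivateKey)
            return "no private key reference on the certificate";
        try
        {
            // Assumption: a CSP-backed RSA key (CNG keys are not inspected).
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                return "private key is not a CSP RSA key; not checked";
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            if (!info.MachineKeyStore)
                return "key is in a user key store, not the machine store";
            string file = Path.Combine(keyDir, info.UniqueKeyContainerName);
            return File.Exists(file) ? "machine key present: " + file
                                     : "container opened but file not found: " + file;
        }
        catch (CryptographicException ex)
        {
            // The certificate references a key container that cannot be opened here.
            return "key reference present but key not usable: " + ex.Message;
        }
    }

    static void Main()
    {
        // Resolves to the MachineKeys directory named in the question.
        string keyDir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
                Console.WriteLine("{0}  {1}", cert.Thumbprint, Describe(cert, keyDir));
        }
        finally { store.Close(); }
    }
}
```

Run it from an elevated prompt, since reading machine key containers normally requires administrative rights.
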
  • Hi chanmm,

    Would you like to keep helping this man?

    Have a nice day.

    Best regards,


    Ghost,
    Call me ghost for short, Thanks
    To get the better answer, it should be a better question.

    Tuesday, December 4, 2012 10:07 AM