Problem Adding Machinekey / Private Key Remotely

Question

I have a C# application in which I'm adding a pfx certficate (with private key) to a remote server. The certificate is added to the certificate store just fine, but the machine key is not placed on the server and therefore I cannot use it for SSL (IIS). I've gotten the same behavior on Windows Server 2003 and 2008. The machine keys should be created at "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" and "C:\programdata\Microsoft\Crypto\RSA\MachineKeys" respectively.

My code looks something like this:
X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
X509Certificate2 newPFX = new X509Certificate2(pfxpath, "password", flags);

X509Store certStore = new X509Store(@"\\" + serverName + "\\MY", StoreLocation.LocalMachine);
certStore.Open(OpenFlags.ReadWrite);
certStore.Add(newPFX);

Answer 1

I saw your code, you have put the file in whatever \\ + serverName but where is your code to point your IIS to it?

chanmm

---

chanmm

Answer 2

If the server is using IIS7 I execute the code below.  Which works just fine, except when I add the certificate to the remote keystore it does not create an associated machine key on the remote server.  If I manually import the pfx on the remote server by logging in and using the certificates snap-in, I can see the machinekey being created:

foreach (Site site in siteCollection)
                {

                    //Binding binding = null;
                    foreach (Binding binding in site.Bindings)
                    {
                       
                        if (binding.Protocol == "https")
                        {
                            string bCertHash = binding.GetAttributeValue("certificateHash").ToString().ToUpper();
                            if (bCertHash != certHash.ToUpper())
                            {
                                ConfigurationMethod method = binding.Methods["AddSslCertificate"];
                                if (method == null)
                                {
                                    throw new Exception("Unable to access the AddSslCertificate configuration method");
                                }
                                ConfigurationMethodInstance mi = method.CreateInstance();
                                mi.Input.SetAttributeValue("certificateHash", certHash);
                                mi.Input.SetAttributeValue("certificateStoreName", "MY");
                                mi.Execute();

                            }
                           
                        }

                    }

Answer 3

How would I put the machinekey in "\\ + serverName " as you are describing?  Why doesn't certStore.Add(newPFX); add the associated private key as well.

Shouldnt the flags X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;

make the machinekey?

 

Answer 4

Hi chanmm,

Would you like to kep helping this man?

Have a nice day.

Best regards,

---

Ghost,
Call me ghost for short, Thanks
To get the better answer, it should be a better question.