Import certificate chain from PFX file with .net

  • Question

  • I want to import a PFX file to the certificate store.

    I have this code, which will import the certificate I want, but not the certificate's CA:

    X509Certificate2 certFile = new X509Certificate2("file.pfx", "certpassword");
    
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadWrite);
    store.Add(certFile);
    store.Close();

    When I use the Certificates MMC add-in, the same file will also add the CA certificate to the store.

    The PFX file was exported with the "Include all certificates in the certification path if possible" option.

    I have tried initializing an X509Certificate2Collection with the X509Certificate2 object above, but that also just shows one certificate present.

    How do I import the entire chain from the PFX file?

    • Edited by rasmusw Monday, June 28, 2010 7:38 AM code formatting
    Monday, June 28, 2010 7:37 AM

Answers

  • I solved this issue using X509Certificate2Collection.Import Method.

    var col = new X509Certificate2Collection();
    col.Import(@"cert_with_private_key_and_CA_cert.pfx", "pfx_password",
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

    Now you can enumerate collection col and add all certificates with private key(s) to store.


    • Proposed as answer by Serghei Gorodetki Thursday, September 29, 2011 10:16 AM
    • Marked as answer by rasmusw Thursday, October 25, 2018 10:47 AM
    Thursday, September 29, 2011 10:07 AM

All replies

  • Hi,

    There is no direct way to achieve what you want using 100% .NET.
    You have to use P/Invoke in order to call the native function PFXImportCertStore and then use its return value (a HCERTSTORE) as a parameter to the constructor of X509Store (the one taking an IntPtr). The property Certificates of this variable will contain all the certificates inside the PFX, including the CA ones.

    I hope this will help.
    Cheers,
    --
    Mounir IDRASSI
    IDRIX
    http://www.idrix.fr

    Tuesday, June 29, 2010 10:56 PM
  • Hello

    In .NET, there's not an equivalent of the certificate import wizard. However, there is a COM class that can do it: see http://msdn.microsoft.com/en-us/library/aa378051(VS.85).aspx. Use AllowNoOutstandingRequest flag for restrictions and specify PFX password with the strPassword parameter.

    This interface is supported on Vista and up. If you need XP, there is an alternative as well, but it is a little harder to use, especially from .NET. See this http://msdn.microsoft.com/en-us/library/aa380598(VS.85).aspx. This API is actually the wizard that you saw, but it has a UI-less mode.


    Regards,
    Jialiang Ge
    MSDN Subscriber Support in Forum
    Wednesday, June 30, 2010 3:25 AM
  • As others have said, there's no way to do this with .NET Framework classes. However, using PKI components of SecureBlackbox .NET you can import the PFX file to a storage with a couple of lines of code.
    Wednesday, June 30, 2010 6:12 AM
  • Thanks Gorodetki!!!

    Full code is:

    var col = new X509Certificate2Collection();
    col.Import(@"c:\icgtools\icgtools-ref\ICGToolsKeyStore.pfx", "ICGTOOLS2020",
        X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);

    // Open the store once and add every certificate found in the PFX
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadWrite);
    foreach (X509Certificate2 certFile in col)
    {
        store.Add(certFile);
    }
    store.Close();


    Thursday, October 25, 2018 9:13 AM
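
An added example, not part of the thread or any poster's code: a variant of the import loop above that sends each certificate from the PFX to a matching LocalMachine store (My for the certificate with the private key, CertificateAuthority for intermediates) and adds a self-signed root to Root only when asked, since a root in that store becomes a machine-wide trust anchor. The class and method names, the `trustRoots` switch and the `PFX_PASSWORD` environment variable are assumptions made for the example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

static class PfxChainImporter
{
    // Decide the destination store for one certificate from the PFX.
    // Returns null for a self-signed root unless the caller opted in, because
    // anything placed in Root becomes a machine-wide trust anchor.
    public static StoreName? TargetStore(X509Certificate2 cert, bool trustRoots)
    {
        if (cert.HasPrivateKey) return StoreName.My;              // leaf with its key
        // Name comparison only: identifies a root by subject == issuer.
        bool selfSigned = cert.SubjectName.RawData.SequenceEqual(cert.IssuerName.RawData);
        if (!selfSigned) return StoreName.CertificateAuthority;   // intermediate CA
        return trustRoots ? StoreName.Root : (StoreName?)null;
    }

    public static void Import(string pfxPath, string password, bool trustRoots)
    {
        var col = new X509Certificate2Collection();
        // MachineKeySet keeps the private key with the machine, matching the
        // LocalMachine stores used below; PersistKeySet keeps it after import.
        col.Import(pfxPath, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        foreach (X509Certificate2 cert in col)
        {
            StoreName? target = TargetStore(cert, trustRoots);
            if (target == null)
            {
                Console.WriteLine("Skipped root (not trusted): " + cert.Subject);
                continue;
            }
            var store = new X509Store(target.Value, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadWrite);
            try { store.Add(cert); }
            finally { store.Close(); }
            Console.WriteLine(target.Value + " <- " + cert.Subject + " " + cert.Thumbprint);
        }
    }

    static void Main(string[] args)
    {
        // Assumed usage: PFX path as the first argument, password taken from an
        // environment variable (PFX_PASSWORD is a made-up name), not a literal.
        Import(args[0], Environment.GetEnvironmentVariable("PFX_PASSWORD"), false);
    }
}
```

Writing to the LocalMachine stores requires an elevated process.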