locked
Errors signing with pfx file. An attempt was made to reference a token that does not exist

    Question

  • VS2010: After exporting a ceritifacte without "Including all certificates in the ceritifcation path if possible" I have selected resulting the pfx file to Sign the assembly in a project's properties. Then VS prompts for the private key password and updates the project properties.

    Building the project fails with "Cannot import the following key file ... The key file may be password protected. To correct this, try do import the certificate again or manually install the certificate to the Strong Name CSP..."

    Trying to manully (sn -i) import the certificate fails with "Failed to install key pair -- Object already exists"

    Trying to reselect the pfx file in VS produced the error "An attempt was made to reference a token that does not exist"

    Please help

    Tuesday, May 25, 2010 4:58 PM

Answers

  • AFAIK Visual Studio 2010 still does not support signing an assembly using a certificate (not even exported to a pfx file). When I talked to the Microsoft support some years ago in a similar matter, they replied: "Unfortunately we don't have a feature to sign assemblies with a certificate", which means that the pfx file is simply used by VS as a container to better protect the keys and nothing more. The issue you are experiencing may be due to inner cryptographic incompatibilities between your certificate and what VS expects: "We choosed a .pfx as a encryption storage just for convinience. So not all certificate files are compatible for us."

    You could post your issue to connect.microsoft.com to get an update on the current state.

    Marcel

    Thursday, June 10, 2010 8:53 AM

All replies

  • Hello,

    There are some similar report in the connect side,

    https://connect.microsoft.com/VisualStudio/feedback/details/524792/importing-key-file-was-canceled?wa=wsignin1.0

    Can I suggest to try the two workarounds mentioned in that connect link,

    1.------------------

    Since no-one else has posted this, here goes. If you use msbuild you'll get this error message

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets(1970,9): error MSB3325: Cannot import the following key file: mykey.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name:
    VS_KEY_C0D0ACB5FAE2DFE3 [C:\Source\MyProject.csproj]

    This is somewhat cryptic and doesn't actually tell you how to fix the problem. So here for future reference is the answer (obviously change the file name and key to match your error message):

    sn -i mykey.pfx VS_KEY_C0D0ACB5FAE2DFE3

    --------------------

     

    2.-----------------

    I had the same problem.

    Running the vs 2010 as administrator solved it.

    -------------------

    Hope this helps!

     

    Best regards,

    Ji Zhou


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Thursday, May 27, 2010 7:24 AM
    Moderator
  • Running VS2010 as Administrator did not make a difference.

    Running the manual install with 'sn -i' produces "Failed to install key pair -- Object already exists."

    Thursday, May 27, 2010 10:48 AM
  • I'va exactly the same problem.

     

    I can't import the key ("Object already exists", says)

    And trying to reselect the pfx file in VS produced the error "An attempt was made to reference a token that does not exist"

     

    Any ideas?

     

    Tuesday, June 08, 2010 6:04 AM
  • One more question...

     

    What is strong name CSP anyway? How can I check the installed certificates? Are the ones that show Internet Explorer (under my personal certificates)?

    Tuesday, June 08, 2010 6:52 AM
  • And also exactly the same problem here. Suggested workarounds result in the same errors.

    Tuesday, June 08, 2010 9:56 AM
  • This worked for me:

    1) Without closing VS open command prompt as Administrator

    2) Execute "sn -d VS_xxxxxxx" with container name from error message

    3) Execute "sn -i xxxxx.pfx VS_xxxxxxx", enter password when prompted

    Go back to VS, build project.

    • Proposed as answer by Nickbr Thursday, July 15, 2010 4:39 AM
    Tuesday, June 08, 2010 11:33 AM
  • Hi,

    Not all certificates are compatible for use with Visual Studio. Maybe you are experiencing the same problem I had some years ago. Take a look here:

    https://connect.microsoft.com/VisualStudio/feedback/details/321492/signing-an-assembly-using-a-pfx-file-with-keyspec-set-to-1-at-keyexchange-results-in-error-message-object-already-exists?wa=wsignin1.0

    Marcel

    Tuesday, June 08, 2010 12:35 PM
  • Followed workaround note in Marcel's post (re-import the certificate with certuil -importPFX AT_SIGNATURE option)

    Successfully deleted the container and re-imported it using sn -d VS_xxxx and sn -i xx.pfx VS_xxxx.

    VS2010 (in admin mode) accpets the pfx file without a problem but build still fails with

    Error 1 Cannot import the following key file: kkkkkkkkkk.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_xxxxxxxxxxxxxx PPPPPPPPPPP

    If only VS2010 provided a more detailed error message...

    Tuesday, June 08, 2010 3:10 PM
  • Followed workaround note in Rand Druid's post:

     

    1) Without closing VS open command prompt as Administrator

    2) Execute "sn -d VS_xxxxxxx" with container name from error message

    3) Execute "sn -i xxxxx.pfx VS_xxxxxxx", enter password when prompted

     

    But VS2010 still fails to build...

     

    Error 1: Cannot import the following key file: My Company.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_DFBEFBBC9463D8EC

    Error 2: Importing key file "My Company.pfx" was canceled.

     

     

    Wednesday, June 09, 2010 6:23 AM
  • AFAIK Visual Studio 2010 still does not support signing an assembly using a certificate (not even exported to a pfx file). When I talked to the Microsoft support some years ago in a similar matter, they replied: "Unfortunately we don't have a feature to sign assemblies with a certificate", which means that the pfx file is simply used by VS as a container to better protect the keys and nothing more. The issue you are experiencing may be due to inner cryptographic incompatibilities between your certificate and what VS expects: "We choosed a .pfx as a encryption storage just for convinience. So not all certificate files are compatible for us."

    You could post your issue to connect.microsoft.com to get an update on the current state.

    Marcel

    Thursday, June 10, 2010 8:53 AM
  • Oh :-(

     

    As a workaround, I could sign the assembly after being compiled.

     

    I can sign the EXE file using sn.exe, and it works.

     

    The problem now is that I want to distrubute it using a MSI file. I can sign the MSI file (and I do), but the EXE file (which is inside) is not signed.

     

    The question is: How can I create a setup project (that create a MSI file) that signs the assemby before building de MSI file? Or... Can I sign a file inside a MSI file?

     

    Thursday, June 10, 2010 11:38 PM
  • Hi Polonio,

    Strong naming an assembly and digitally signing an executable (authenticode signature) are two different things. Eric Lippert has a good summary on this topic, if you're interested in details.

    Visual Studio provides an in-build mechanism to strong-name your assembly, but there is no direct way to apply an authenticode signature. This is why I would suggest to use SignTool.exe in a post-build step.

    How to: Launch Signtool.exe as a Post-Build Event:
    http://msdn.microsoft.com/en-us/library/ms180786(VS.80).aspx

     

    Marcel

    Friday, June 11, 2010 8:32 AM
  • Hello Marcel, 

     

    Thanks for the puntualitation.

     

    But the problem remains similar...

    I can digitally sign the EXE file using SignTool, and it works, or I can sign it in a Post Build event (and it works from VS interface)...

     The problem now is that I want to distrubute it using a MSI file. I can sign the MSI file (and I do), but the EXE file (which is inside) is not digitally signed.

    It seems that post build events are not executed if I launch MSI project using command line...

    The question is: How can I create a setup project (that create a MSI file) that signs the assemby before building de MSI file? Or... Can I sign a file inside a MSI file?

     

    Sunday, June 13, 2010 12:13 AM
  • Hi Polonio,

    The problem now is that I want to distrubute it using a MSI file. I can sign the MSI file (and I do), but the EXE file (which is inside) is not digitally signed.

    When Visual Studio builds the MSI using the primary output of an project it uses the resulting artifacts from the project's obj subdirectory. That's why you have to sign $(ProjectDir)obj\application.exe rather than $(ProjectDir)bin\release\application.exe.

    Marcel

    P.S. There are some very good comercial solutions out there that can do this and much more for you, so it's worth taking a look at tools like Advanced Installer if you are creating MSI deployment files on a regular basis.

    Sunday, June 13, 2010 7:13 AM
  • Thank you, thank you ,thank you, Marcel...

     

    I didn't know about the obj subdirectory.

    I digitally sign the application using a post build event:

    "signtool.exe" sign /n "My Company Inc"  "$(ProjectDir)obj\Release\admin.exe"

    And everything worked fine.

     

     

     

    Tuesday, June 15, 2010 6:55 AM
  • VSCommands 2010 (plugin for Visual Studio) can fix this for you automatically - just right-click on error and click Apply Fix from menu. You can get it from visual studio gallery http://visualstudiogallery.msdn.microsoft.com/en-us/d491911d-97f3-4cf6-87b0-6a2882120acf
    Sunday, August 08, 2010 9:29 AM
  • I had the same problem, and the only thing that worked was following the steps in this blog post.  I am running Visual Studio 2010 on Windows 2008 Server.

    http://polydevmono.blogspot.com/2006/10/error-8013141c-in-visual-studio-or.html
    • Proposed as answer by Ananda1 Monday, August 23, 2010 11:06 PM
    Tuesday, August 10, 2010 11:08 PM
  • I tried every, but nothing worked except:

    I used the opensll to create my cert and I couldn't fix this error until I did this from Beached on this thread:http://stackoverflow.com/questions/2815366/cannot-import-the-following-keyfile-blah-pfx-the-keyfile-may-be-password-prote

    had the same issue and deleting the store and readding didn't work. I had to do the following

    Get a copy of openssl, it is available for windows at http://www.slproweb.com/products/Win32OpenSSL.html or use a Linux box as they all pretty much have it.

    Run the following to export to a key file

    openssl pkcs12 -in certfile.pfx -out backupcertfile.key

    openssl pkcs12 -export -out certfiletosignwith.pfx -keysig -in backupcertfile.key

    Then in the project properties you can use the PFX file

    You could probably also try to right click on the pfx file and add it to your store.


    dan

    • Proposed as answer by Asereware Saturday, August 18, 2012 8:58 PM
    Saturday, February 25, 2012 12:11 AM
  • Thanks very much Dan, It works perfect for me.
    I don't want execute VS as administrator if is not necessary.


    Asereware


    • Edited by Asereware Saturday, August 18, 2012 9:02 PM
    Saturday, August 18, 2012 9:00 PM
  • change password worked for me
    Wednesday, October 03, 2012 3:03 PM
  • Quick Solution : go to

    VS properties  >> signing  >> sign in assembly >> choose  a strong name file  >> (drop down) select Browse.. >>  select <ur>.pfx file  >> ok

    vola you are all set to execute your project.

    Wednesday, October 31, 2012 3:55 PM
  • Thanks very much Dan,

    We were beating our heads against the proverbial wall for a few days with this new certificate that just wouldn't play ball with VS 2010. Recreating the PFX like this solved the problem.

    Best Regards,

    Kieran

    Thursday, November 15, 2012 3:52 PM