Using X509Certificate2 to get PrivateKey causes CryptographicException "Invalid provider type specified"

  • Question

  • Hi, everyone,

    I am developing a web application that uses X509Certificate2 to get a private key from a certification file. The code snippet looks like the following:

            public static RSACryptoServiceProvider GetSignProviderFromPfx()
            {
                // Verbatim string so the backslashes in the path are not treated as escapes.
                var strFileName = @"c:\cer\mycerfile.pfx";
                var strPassword = "000000";
                X509Certificate2 pc = new X509Certificate2(strFileName, strPassword, X509KeyStorageFlags.MachineKeySet);
                // This property access is the statement that throws CryptographicException.
                var ThePivateKey = pc.PrivateKey;

                return (RSACryptoServiceProvider)ThePivateKey;
            }


    But the statement pc.PrivateKey causes a System.Security.Cryptography.CryptographicException "Invalid provider type specified". I'm sure the certification file has no problem; it really has a private key. And the property pc.HasPrivateKey also returns true.

    The test environment is VS2013, Windows 7.

    I also tried following:

    a. I debugged it in VS2013 with IIS Express, and the problem occurred.

    b. I debugged it on another computer with the same environment as mine, and the problem occurred too.

    c. I published the application to a server with IIS running on Windows Web Server 2008 R2, and it worked fine.

    d. I published the application to a Windows Azure website, and it also worked fine.

    Therefore, I guess the code snippet has no problem. The key reason for the exception is that there may be some problem with the running environment. I checked and compared the read/write rights on the certification file in the different environments; all of them are the same.

    Can anybody help?

    Thanks.


    Monday, September 7, 2015 7:13 AM

Answers

  • Hello zhaohongbin1,

    You can look into the below blog if that is the problem. Hope this might help you.

    1. "Invalid provider type specified" error when accessing X509Certificate2.PrivateKey on CNG certificates

    http://blogs.msdn.com/b/alejacma/archive/2009/12/22/invalid-provider-type-specified-error-when-accessing-x509certificate2-privatekey.aspx

    2. Invalid provider type specified

    http://www.apollojack.com/2009/06/invalid-provider-type-specified.html

    Thanks,

    Sabah Shariq

    Monday, September 7, 2015 7:37 AM
    Moderator

All replies

  • Your private key is stored in CNG (that's a thing the PFX can specify), but you're asking it to be loaded by CAPI/CSP.

    If you have .NET 4.6 or higher, you should switch to cert.GetRSAPrivateKey(), which will return an object of type RSA (sometimes RSACryptoServiceProvider, sometimes RSACng, in the future maybe other things).  Also as of .NET 4.6, all of the necessary Sign/Verify/Encrypt/Decrypt methods are present on the RSA base class; so you should rarely ever need to cast the resulting object to anything more specific.

    Since many libraries assume that the only working RSA implementation is RSACryptoServiceProvider, you might run into problems passing those objects around.  But hopefully whatever libraries you use that you run into problems with have a bug reporting mechanism where you can try to get them to change.

    • Proposed as answer by Rosdi Kuat Wednesday, April 11, 2018 2:22 PM
    Sunday, March 13, 2016 4:41 PM
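
The approach recommended in the reply above, as an added example that is not part of the original thread: the key is obtained with `GetRSAPrivateKey()` and used only through the `RSA` base class, so it works whether the PFX key lands in CAPI/CSP or CNG. The class name, method names, password and the throwaway self-signed certificate are constructed for illustration; building that certificate with `CertificateRequest` assumes .NET Framework 4.7.2+ or .NET Core 2.0+.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
static class PfxSigningExample   // hypothetical name
{
    // Sign with whichever RSA implementation backs the key: RSACryptoServiceProvider
    // for CAPI/CSP keys, RSACng for CNG keys. No cast to a concrete type is needed.
    public static byte[] Sign(X509Certificate2 cert, byte[] data)
    {
        using (RSA rsa = cert.GetRSAPrivateKey())   // null if there is no RSA private key
        {
            if (rsa == null)
                throw new InvalidOperationException("No RSA private key on certificate.");
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static bool Verify(X509Certificate2 cert, byte[] data, byte[] signature)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
            return rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        // Constructed input: a throwaway self-signed certificate exported to an
        // in-memory PFX, standing in for the PFX file from the question.
        const string password = "constructed-sample-password";
        byte[] pfx;
        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=constructed-sample", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 selfSigned = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1)))
                pfx = selfSigned.Export(X509ContentType.Pfx, password);
        }
        using (var cert = new X509Certificate2(pfx, password))
        {
            byte[] data = Encoding.UTF8.GetBytes("constructed message to sign");
            byte[] signature = Sign(cert, data);
            Console.WriteLine("Signature verifies: " + Verify(cert, data, signature));
            data[0] ^= 0xFF;  // tamper with the message; verification must now fail
            Console.WriteLine("Tampered verifies:  " + Verify(cert, data, signature));
        }
    }
}
```
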
  • This is what worked for me but had another problem with the same error.  I was running PowerShell as administrator and using the New-SelfSignedCertificate command to generate a cert and put it into the LocalMachine store.

    I had everything working yesterday and then today I started getting the "Invalid Provider Type Specified" error again.  I'm on a different machine from yesterday and thought that maybe I was not creating the certificate properly.

    And then I realized that I needed to be running Visual Studio as administrator so that it could access the certificate in the store because it needed the private key to sign an XML file.  D'oh!  Strange that I didn't get a permission denied error.  I was able to get the certificate from the store but wasn't able to retrieve the private key.

    Hope this helps someone else.


    Regards, David Totzke

    Monday, February 27, 2017 6:18 PM