Reputation: 327
I'm facing an issue with 2-way SSL configuration in .NET. Somehow, when I create an X509Certificate2 object using a .cer file and a password in the constructor, the password is ignored (I gave a wrong password and it worked; the response was successfully returned). On the other hand, when I use a .p12 file the behavior is as expected (a wrong password causes an unsuccessful result).
Any ideas?
Thanks.
Upvotes: 3
Views: 7496
Reputation: 13729
The .cer file contains (in the common case) only the X.509 certificate in an unencrypted form. In that case, no password is required to decode the certificate. I suppose the X509Certificate2 constructor tries to determine the encoding format of the Byte[] parameter and ignores the password parameter when it is not required. And it is more than likely that, after being created, the PrivateKey property of the object is null.
When loading a .cer file you should use the constructor which takes only 1 Byte[] parameter. The documentation of that constructor clearly specifies the supported data formats:
This constructor creates a new X509Certificate2 object using certificate information from a byte array. The byte array can be binary (DER) encoded or Base64-encoded X.509 data. The byte array can also be a PKCS7 (Authenticode) signed file; the signer certificate is used to create the object.
The PKCS#12 format (.p12 or .pfx file) is a container format for certificates and private keys. In that case the password is required to decrypt the encrypted private key. Actually, the behaviour with a PKCS#12 file is specified in the X509Certificate2 constructor documentation:
This constructor is used with PKCS12 (PFX) files that contain the certificate's private key. Calling this constructor with the correct password decrypts the private key and saves it to a key container.
Upvotes: 4
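The two loading paths the answer describes, as an added example that is not part of the question or the answer. It assumes modern .NET (CertificateRequest is not available on the classic .NET Framework), builds a throw-away self-signed certificate in memory so it runs offline, and uses a placeholder subject name and demo password that are not from the page. The LoadClientCertificate helper is a hypothetical guard, not a framework API: for mutual TLS a certificate without a private key cannot authenticate the client, so it refuses such input up front instead of letting the handshake fail later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertLoadingDemo
{
    // Constructed sample: a self-signed certificate for a placeholder subject (assumption).
    static X509Certificate2 CreateSelfSigned()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=example-client", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
    }

    // Hypothetical guard for 2-way SSL: a .cer (certificate only) loads fine but carries no
    // private key, so it can never complete client authentication. Fail early and loudly.
    static X509Certificate2 LoadClientCertificate(byte[] bytes, string password)
    {
        var cert = new X509Certificate2(bytes, password);
        if (!cert.HasPrivateKey)
        {
            cert.Dispose();
            throw new InvalidOperationException(
                "Certificate has no private key; a .cer file cannot be used as a client certificate. Use a PKCS#12 (.p12/.pfx) export.");
        }
        return cert;
    }

    static void Main()
    {
        const string password = "demo-password"; // assumption: demo value, not from the page
        using X509Certificate2 issued = CreateSelfSigned();

        // What a .cer file holds: the DER-encoded certificate only, no private key.
        byte[] cerBytes = issued.Export(X509ContentType.Cert);
        // What a .p12/.pfx file holds: certificate plus password-protected private key.
        byte[] pfxBytes = issued.Export(X509ContentType.Pfx, password);

        // 1. The single-parameter constructor is the right one for .cer data.
        using (var cer = new X509Certificate2(cerBytes))
            Console.WriteLine($"cer: HasPrivateKey={cer.HasPrivateKey}"); // False

        // 2. Passing a wrong password with .cer data does not fail: there is nothing to
        //    decrypt, so the password is ignored. This is what the question observed.
        using (var cerWrongPwd = new X509Certificate2(cerBytes, "definitely-wrong"))
            Console.WriteLine($"cer + wrong password: loaded, HasPrivateKey={cerWrongPwd.HasPrivateKey}");

        // 3. PKCS#12 with the correct password: the private key is decrypted and available.
        using (var p12 = new X509Certificate2(pfxBytes, password))
            Console.WriteLine($"p12: HasPrivateKey={p12.HasPrivateKey}"); // True

        // 4. PKCS#12 with a wrong password fails, as the question saw with the .p12 file.
        try
        {
            using var bad = new X509Certificate2(pfxBytes, "definitely-wrong");
            Console.WriteLine("unexpected: wrong PKCS#12 password accepted");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"p12 + wrong password: CryptographicException ({ex.Message})");
        }

        // 5. The guard rejects the .cer bytes and accepts the PKCS#12 bytes.
        try
        {
            using var rejected = LoadClientCertificate(cerBytes, "anything");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine($"guard: {ex.Message}");
        }
        using var accepted = LoadClientCertificate(pfxBytes, password);
        Console.WriteLine($"guard accepted PKCS#12 cert: {accepted.Subject}");
    }
}
```

Checking HasPrivateKey right after loading is the practical test for the symptom in the question: if a client certificate loads "successfully" regardless of password but HasPrivateKey is false, the file is a bare certificate and the TLS client has nothing to sign the handshake with.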