Reputation: 1591
I am trying to load a certificate from a pfx file in a WPF application and it gives me an access denied error.
    byte[] buffer;
    using (FileStream stream = System.IO.File.OpenRead(certificatePath))
    {
        using (BinaryReader reader = new BinaryReader(stream))
        {
            buffer = reader.ReadBytes((int)stream.Length);
        }
    }
    // This line throws "CryptographicException: Access denied" unless run as administrator
    X509Certificate2 certificate = new X509Certificate2(buffer, password);
    System.Security.Cryptography.CryptographicException: Access denied.
       at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
       at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
       at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
       at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
       at HelloWorld.HelloClient.Models.Infrastructure.ReadCertificateFromPfxFile(String certificatePath, String password)
The last line in the snippet is causing the exception, and if I run it as an administrator it works fine. The issue seems to be that the default constructor of X509Certificate2 tries to put the private key in the user store. I am not using a web application. This post doesn't resolve my issue. I think the current user might not have access to his own private key store. But how can I give that access?
Upvotes: 10
Views: 27928
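The stack trace above shows the constructor forwarding to LoadCertificateFromBlob with an X509KeyStorageFlags argument; the two-argument constructor passes DefaultKeySet, which is what lets the private key end up in a key container the user cannot write. The following is an added example, not code from the question or from any answer on this page: it loads the same PFX with an explicit flag so no container is created under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. The path C:\certs\cert.pfx and the password are placeholders; EphemeralKeySet requires .NET Framework 4.7.2+ or .NET Core 2.0+.

```csharp
// Added example, not code from the question or the answers on this page.
// Loads a PFX with explicit X509KeyStorageFlags so the private key is not
// persisted under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
// Assumptions: certificatePath/password are placeholders; EphemeralKeySet
// needs .NET Framework 4.7.2+ or .NET Core 2.0+.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxLoader
{
    // Same as the question's code: DefaultKeySet lets the platform choose where
    // the private key is persisted. If that is MachineKeys, a non-admin user gets
    // "CryptographicException: Access denied".
    public static X509Certificate2 LoadDefault(string certificatePath, string password)
    {
        byte[] buffer = File.ReadAllBytes(certificatePath);
        return new X509Certificate2(buffer, password); // == X509KeyStorageFlags.DefaultKeySet
    }

    // Keep the key in memory only: no key container is written to disk, so the
    // MachineKeys ACL is never involved. Caveat: on Windows, SChannel (SslStream,
    // HttpClient client certificates) cannot use an ephemeral private key.
    public static X509Certificate2 LoadEphemeral(string certificatePath, string password)
    {
        return new X509Certificate2(File.ReadAllBytes(certificatePath), password,
                                    X509KeyStorageFlags.EphemeralKeySet);
    }

    // Persist the key under the current user's profile instead of MachineKeys.
    // Fine for a desktop (WPF) app where the profile is loaded; in an IIS app
    // pool this needs "Load User Profile" enabled.
    public static X509Certificate2 LoadUserKeySet(string certificatePath, string password)
    {
        return new X509Certificate2(File.ReadAllBytes(certificatePath), password,
                                    X509KeyStorageFlags.UserKeySet);
    }

    // Pick the flag by use: ephemeral for in-process signing/decryption,
    // UserKeySet when the certificate will be handed to SslStream/HttpClient.
    public static X509Certificate2 Load(string certificatePath, string password, bool neededForTls)
    {
        X509KeyStorageFlags flags = neededForTls ? X509KeyStorageFlags.UserKeySet
                                                 : X509KeyStorageFlags.EphemeralKeySet;
        return new X509Certificate2(File.ReadAllBytes(certificatePath), password, flags);
    }

    static void Main()
    {
        // Placeholder path and password (constructed for this example).
        using (X509Certificate2 cert = Load(@"C:\certs\cert.pfx", "FooBlaa", neededForTls: false))
        {
            Console.WriteLine("Subject: {0}", cert.Subject);
            Console.WriteLine("HasPrivateKey: {0}", cert.HasPrivateKey);
            // With EphemeralKeySet there is no key file to find in MachineKeys or
            // the user's key directory, which is the point of the flag.
        }
    }
}
```

Run it as the non-admin user that previously got "Access denied". On .NET 9 these X509Certificate2 constructors are marked obsolete (SYSLIB0057); X509CertificateLoader.LoadPkcs12FromFile accepts the same X509KeyStorageFlags value, so the choice of flag carries over unchanged.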
Reputation: 1
I hit this error running Kestrel under .NET 9.
Adding to the comment by crane, if you can convert the pfx file to a p12 file it seems to resolve the error.
If you have OpenSSL installed you can use that to convert the pfx file.

    .\openssl pkcs12 -in c:\certs\cert.pfx -out c:\certs\cert.pem -passin pass:FooBlaa -passout pass:FooBlaa
    .\openssl pkcs12 -export -in c:\certs\cert.pem -out c:\certs\cert.p12 -passin pass:FooBlaa -passout pass:FooBlaa
Upvotes: 0
Reputation: 91
Leaving this here in case it helps someone:
In our case this was caused by a misconfiguration in our CSP provider while importing the PFX.
In the ProviderName key we had a value of "Microsoft Strong Cryptographic Provider"; changing this to "Microsoft Software Key Storage Provider", "Microsoft Enhanced RSA" or "AES Cryptographic Provider" seems to fix this.
Upvotes: 0
Reputation: 309
A possible fix: if somebody is using Visual Studio by any chance and faces this issue, make sure that you are running Visual Studio with admin rights and that admin has write permission for the related directory.
Upvotes: 0
Reputation: 10194
Getting the same "CryptographicException: Access denied" error when trying to load an X509Certificate2; the solution is to grant read/write to the MachineKeys directory.

    icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /inheritance:r /grant Administrators:F /grant:r Everyone:RW
More about permission on this dir: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/default-permissions-machinekeys-folders
Upvotes: 7
Reputation: 1
I found it's easier to use the p12 certificate because it doesn't use the key store. I used Firefox to convert pfx to p12.
Upvotes: -1
Reputation: 591
In my situation, it was due to the lack of write access to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.
My user had only Read access, and once I granted Write access it worked fine.
Upvotes: 16
Reputation: 1591
Posting a fix in case someone is looking for a solution to a similar issue. I ran Sysinternals Process Monitor and realized the constructor call was creating a key in the machine key folder, and gave the user access to write to the machine key folder.
Upvotes: 11
Reputation: 141
Just in case it helps someone, "CryptographicException: Access denied" can be caused by lack of space on the disk; that was my case.
Upvotes: 1