Jirka Hanika

Reputation: 13529

Does WCF in .NET 4.6.2 support server certificates with PK in CNG KSP?

On Windows, a TLS server certificate (which sits in a certificate store) comes with a private key (PK) which sits either in a CSP keystore or a CNG keystore. Where the PK ends up can be specified when importing the certificate (that is, on recent Windows versions), for example using the -sp (subject's provider) parameter to makecert.

Now if the provider isn't specified, the defaults aren't friendly. The PK ends up in the CNG KSP and will be unusable by WCF.

Microsoft says that ".NET Framework 4.6.1 and earlier versions do not support these certificates because they use the legacy CryptoAPI to handle CNG/KSP certificates. The use of these certificates with .NET Framework 4.6.1 and earlier versions will cause an exception."

However, I'm seeing the exact same behavior between .NET Framework 4.6.1 and .NET Framework 4.6.2 installed on the server side of the connection. What happens is that the server appears (per its own logs) to be happily listening on the designated port, but the port is not open (per netstat -a). The Windows event log mentions "Invalid provider type specified" while the server is trying to open the port.

There's net.tcp port sharing sitting between the server and the actual port if that matters.

Is anyone running any version of .NET (using WCF) successfully with server certificates in CNG KSP? Is the Microsoft documentation above simply incorrect?

Upvotes: 3

Views: 1164

Answers (1)

crossroad

Reputation: 65

Here is a link that talks about the limitations (link). What I was successful in doing was to convert the private key provider to Microsoft Enhanced Cryptographic Provider v1.0 (CryptoAPI); this resolved the issue.

Upvotes: 2
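The following PowerShell is an added example and is not code from the question or the answer above. It shows how to check which provider holds a certificate's private key (a CNG "Key Storage Provider" versus a CryptoAPI "Cryptographic Provider"), which is the symptom behind the "Invalid provider type specified" event, and how to re-import a PFX so that its key lands in the CryptoAPI CSP the answer names. The thumbprint, PFX path and password are placeholders; it assumes the certificate is in the LocalMachine\My store and that the session is elevated.

```powershell
# Added example (not part of the original Q&A). Placeholders: thumbprint, PFX path, password.

function Get-CertKeyProvider {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # certutil prints a "Provider = <name>" line for each matching certificate
    # in the LocalMachine\My store (use -user for the current-user store).
    $out  = certutil -store My $Thumbprint 2>&1
    $line = $out | Where-Object { $_ -match '^\s*Provider\s*=\s*(.+)$' } | Select-Object -First 1
    if (-not $line) { return $null }   # no certificate with that thumbprint, or no private key

    $provider = ($line -replace '^\s*Provider\s*=\s*', '').Trim()

    # CNG providers are named "... Key Storage Provider"; CryptoAPI CSPs are
    # named "... Cryptographic Provider ...". Only the latter work for the WCF
    # scenario described in the question.
    [pscustomobject]@{
        Thumbprint = $Thumbprint
        Provider   = $provider
        IsCng      = ($provider -like '*Key Storage Provider*')
    }
}

function Import-PfxIntoCsp {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password,
        [string]$Csp = 'Microsoft Enhanced Cryptographic Provider v1.0'
    )

    # -csp forces the private key into the named CryptoAPI provider instead of
    # the default CNG KSP; -f overwrites an existing copy of the certificate.
    # The key must be RSA: CryptoAPI CSPs cannot hold ECDSA keys.
    certutil -f -p $Password -csp $Csp -importPFX $PfxPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -importPFX failed with exit code $LASTEXITCODE"
    }
}

# Usage with placeholder values:
$thumb = 'PLACEHOLDER_THUMBPRINT'
$info  = Get-CertKeyProvider -Thumbprint $thumb
$info | Format-List

if ($info -and $info.IsCng) {
    Write-Host "Private key is held by a CNG KSP ($($info.Provider)); WCF may fail to bind the TLS listener."
    # Re-import from the original PFX so the key is created in the CSP:
    # Import-PfxIntoCsp -PfxPath 'C:\certs\server.pfx' -Password 'PLACEHOLDER_PASSWORD'
    # Then run Get-CertKeyProvider again and confirm IsCng is False.
}
```

Run the check first, before and after any re-import, so that the provider change is verified rather than assumed. The password is passed on the certutil command line here for brevity; in practice read it with Read-Host and clear it afterwards, since command lines can end up in process-creation logs.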
