Exception when trying to read a PrivateKey from Windows certstore

Question

I created a private and public key pair using OpenSSL and then I generated a .p12 file to import it into my Windows certstore. The key pair and .p12 files were created in Windows XP and I am trying to use it in Windows 7. I am trying to access the key from within a Web Service (.svc) in IIS. If I try to read the private key from a standalone app, I can do it without any problems, but when I try to read it from my web app, I always get the following exception:

'cert.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'

And this is the whole stacktrace:

en System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
en System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
en System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
en System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
en System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
en ValidKeyDll.ValidKey.getLlaveDeAlmacen(String almacen, Boolean esLlavePrivada) en C:\Users\desarrollo\Documents\ValidKeyDll\ValidKeyDll\ValidKey.cs:línea 58
en ValidKeyDll.ValidKey.firmaCadena(String almacen, String cadenaFirmar) en C:\Users\desarrollo\Documents\ValidKeyDll\ValidKeyDll\ValidKey.cs:línea 117

And this is my part of the code that reads the key:

X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
RSACryptoServiceProvider csp = null;
foreach (X509Certificate2 cert in store.Certificates)
{
   if (cert.Subject.Contains(almacen))
   {
      if (cert.NotAfter.CompareTo(System.DateTime.Now) <= 0)
         throw new CertificadoVencidoException();

      if (isPrivateKey)
         csp = (RSACryptoServiceProvider)cert.PrivateKey;
      else
         csp = (RSACryptoServiceProvider)cert.PublicKey.Key;

      break;
   }
}

I suppose it has to do with some kind of permission issue, but I caanot find out what it is... Please if anyone has any suggestions it will be greatly appreciated.

THINGS TO CONSIDER:

• The private key IS exportable.
• The user IIS_IUSRS has permissions on the certificate.

Answer 1

I finally cracked down the problem, but couldn't post the answer until now (because I'm a beginer):

The thing is that I was importing the .p12 the wrong way. I was double clicking it and following the steps. What this did was to put the certificate in the Current User - Personal certificate store, so I thought that by just moving the cert from that store to the Local Machine store was enough... but oh surprise! it was not. After much revision, I found that the IIS has the capability of importing certificates from within itself, and that this puts the certificate directly in the Local Machine cert store. If anyone has the some problem or just wants to see how to do this, these are the steps:

• Open the IIS.
• Go to the Server Certificates (sorry if you don't find the exact words, my Windows is in Spanish)
• Select Import
• Select your file. If your file is a .p12 like mine, then select to view *.*
• Type in the password
• Accept... and voilá

Answer 2

Yes, it is a problem with permissions. I have struggled with this some time ago. Currently I use winhttpcertcfg to add appropriate permissions.

You should also check this link: http://benoit808.wordpress.com/2008/10/31/cryptographicexception-the-handle-is-invalid/.

There is also article about it http://www.stevefenton.co.uk/Content/Blog/Date/201101/Blog/X509-Certificates-On-Windows-Server-2003/. You may also need to add permissions for IIS_WPG and IUSR account (the article doesn't mention it).