Importing a PFX file using X509Certificate2 from ASP fails
Hi all!
I have a problem while importing a pfx file (or a pfx byte array) with the
X509Certificate2 constructor.
When I call
X509Certificate2 cert = new X509Certificate2("a.pfx", "password");
I get the following Exception:
+++++++++++++++++++++++++
System.Security.Cryptography.CryptographicException: The system cannot find the file specified
   at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromFile(String fileName, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
+++++++++++++++++++++++++++
The problem occurs because the ASP.NET application runs under a
different account, "Networkservice", so this account hasn't a loaded
user profile.
The X509Certificate2 constructor couldn't access the user certificate
store.
This problem is also described in KB948154
(http://support.microsoft.com/kb/948154), but the described workaround in
this article is not applicable for me.
Here is the workaround text:
############################
1. An administrator on the machine where the ASP.NET/COM+ application
runs should install the certificate in the machine certificate store,
called the "Local Computer" store. This should be done when the
ASP.NET/COM+ application is installed.
2. The administrator should set the permissions on the private key
associated with the certificate to give the ASP.NET process and the
impersonated users access to the key. This is needed because only the
user account that installs the certificate or private key in the "Local
Computer" store can later use the RSA private key associated with the
certificate.
3. The ASP.NET/COM+ application code should use the installed
certificate rather than attempt to install one from a PFX file. Have
the code locate the installed certificate using X509Store class.
a. Use StoreLocation.LocalMachine in the constructor of X509Store.
b. Once the store is opened, locate the desired certificate based on
subject name programmatically using X509Certificate2Collection.Find method.
Example code will look similar to:
X509Store store = new X509Store("My", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
System.Security.Cryptography.X509Certificates.X509Certificate2 newCert =
    store.Certificates.Find(X509FindType.FindBySubjectName, "XXXXXXXXXXXXX", false)[0];
...
The subject name to use above in the second parameter of Find method
will depend on the subject name of the installed certificate from p12 or
PFX file in the Local Computer certificate store.
##############################
Has anyone had a similar problem and another solution?
Thanx for all posts!
Greetings
Pat
date: Thu, 17 Jul 2008 14:22:55 +0200
author: Patrick Sona
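As an added example (not from the original post or the KB article), the KB's store lookup written out with the checks a practitioner would want: the store is closed afterwards, an empty Find result is handled instead of indexing [0] blindly, and the presence of an accessible private key is verified. The second method uses the X509KeyStorageFlags overload visible in the stack trace above with MachineKeySet, so the key material goes to the machine key set rather than the user profile that NetworkService does not have loaded; the path, password and subject name are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class CertLoader
{
    // KB approach: an administrator installed the certificate into the
    // Local Computer "My" store and granted the application's account
    // read access to the private key.
    public static X509Certificate2 FindInMachineStore(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false also returns expired or untrusted certificates;
            // set it to true once the chain is expected to validate on the server.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with subject '" + subjectName + "' in LocalMachine\\My");
            if (matches.Count > 1)
                throw new InvalidOperationException(
                    "Subject name is ambiguous; locate the certificate by thumbprint instead");

            X509Certificate2 cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate found, but its private key is not accessible to this account");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Alternative when the PFX must be loaded from a file: the
    // keyStorageFlags overload with MachineKeySet avoids the per-user
    // key container that the NetworkService account cannot reach.
    public static X509Certificate2 LoadPfxForService(string pfxPath, string password)
    {
        return new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.MachineKeySet);
    }
}
```

The account running the worker process still needs read permission on the private key file in the machine key container, as step 2 of the KB text describes.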