
X509Certificate2.CreateFromEncryptedPem works on my local but fails on the server using the same certs #101

Open
weirdyang opened this issue Aug 30, 2024 · 0 comments


weirdyang commented Aug 30, 2024

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Create a client that authenticates with a client cert file, key file and a key file password.
Test the client in your local environment; it should work and be able to connect to the server.
Deploy the application to a server; it will throw an error at this line despite using the same client cert file, key file and key file password:
X509Certificate2.CreateFromEncryptedPemFile(certFile, keyFile, keyFilePassword);

Any log messages given by the failure

System.Security.Cryptography.CryptographicException: The EncryptedPrivateKeyInfo structure was decoded but was not successfully interpreted, the password may be incorrect.
---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CngKeyLite.ImportKeyBlob(String blobType, ReadOnlySpan`1 keyBlob, Boolean encrypted, ReadOnlySpan`1 password)
at System.Security.Cryptography.CngPkcs8.ImportPkcs8(ReadOnlySpan`1 keyBlob)
at System.Security.Cryptography.CngPkcs8.ImportEncryptedPkcs8PrivateKey(ReadOnlySpan`1 password, ReadOnlySpan`1 source, Int32& bytesRead)
--- End of inner exception stack trace ---
at System.Security.Cryptography.CngPkcs8.ImportEncryptedPkcs8PrivateKey(ReadOnlySpan`1 password, ReadOnlySpan`1 source, Int32& bytesRead)
at System.Security.Cryptography.RSAImplementation.RSACng.ImportEncryptedPkcs8PrivateKey(ReadOnlySpan`1 password, ReadOnlySpan`1 source, Int32& bytesRead)
at Internal.Cryptography.PemKeyImportHelpers.ImportEncryptedPem[TPass](ReadOnlySpan`1 input, ReadOnlySpan`1 password, ImportEncryptedKeyAction`1 importAction)
at System.Security.Cryptography.RSA.ImportFromEncryptedPem(ReadOnlySpan`1 input, ReadOnlySpan`1 password)
at System.Security.Cryptography.X509Certificates.X509Certificate2.ExtractKeyFromEncryptedPem[TAlg](ReadOnlySpan`1 keyPem, ReadOnlySpan`1 password, Func`1 factory, Func`2 import)
at System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromEncryptedPem(ReadOnlySpan`1 certPem, ReadOnlySpan`1 keyPem, ReadOnlySpan`1 password)

Expected/desired behavior

To be able to use the same set of certs for both environments

Language

C#

OS and Version?

Local: Windows 10 Visual Studio 2019
Deployed: Windows Server 2016 IIS

Mention any other details that might be useful

The fix was to set the application pool identity to Local System; why does this work?


Thanks! We'll be in touch soon.
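An added example, not code from the issue or from the project: a least-privilege alternative to running the application pool as Local System. It assumes the usual cause of this error under IIS, that the pool identity has no loaded user profile, so the per-user CNG key store the encrypted PKCS#8 import writes to does not exist. The file paths and passwords are placeholders.

```csharp
// Added example, not from the issue. Assumption: the import fails on the
// server because the app pool identity's per-user CNG key store is missing
// (no loaded user profile). Converting the PEM pair to PKCS#12 on a machine
// where CreateFromEncryptedPemFile works, then loading it on the server with
// MachineKeySet, keeps the key in the machine-wide store instead.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertPackaging
{
    // Run once, off the server: PEM cert + encrypted PEM key -> PFX.
    // pfxPassword is a new, separate secret chosen for the PFX file.
    public static void PackageAsPfx(string certFile, string keyFile, string keyFilePassword,
                                    string pfxFile, string pfxPassword)
    {
        using X509Certificate2 cert =
            X509Certificate2.CreateFromEncryptedPemFile(certFile, keyFile, keyFilePassword);
        File.WriteAllBytes(pfxFile, cert.Export(X509ContentType.Pkcs12, pfxPassword));
    }

    // Run on the server under the pool's default low-privilege identity.
    // MachineKeySet places the key in the machine CNG store, which exists even
    // when no user profile is loaded. EphemeralKeySet is deliberately avoided:
    // SChannel cannot use an ephemeral key for TLS client authentication.
    public static X509Certificate2 LoadForServer(string pfxFile, string pfxPassword)
    {
        return new X509Certificate2(pfxFile, pfxPassword, X509KeyStorageFlags.MachineKeySet);
    }
}
```

If the PEM files must stay as they are, enabling "Load User Profile" on the application pool (processModel.loadUserProfile) addresses the same assumed cause without granting the pool Local System rights.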
