c# - .NET Framework X509Certificate2 class: HasPrivateKey == true && PrivateKey == null?
I'm attempting to work with an X.509 certificate imported into the CurrentUser keystore on a Windows 10 computer using the "Certificates" snap-in of MMC. The same procedure has been tested on a Windows 8.1 computer with the same result.
Using the standard PowerShell PKI module, I'm getting an X509Certificate2 object using Get-Item:
    $my_cert = Get-Item Cert:\CurrentUser\My\adaa82188a17thumbprintxxxxxxxxxxx
The output of `$my_cert | fl *` follows:

    PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\xxxxxxxxxxxxxxxxxxx
    PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
    PSChildName              : xxxxxxxxxxxxxxxxxxx
    PSDrive                  : Cert
    PSProvider               : Microsoft.PowerShell.Security\Certificate
    PSIsContainer            : False
    EnhancedKeyUsageList     : {Secure Email (1.3.6.1.5.5.7.3.4), IP security user (1.3.6.1.5.5.7.3.7), Encrypting File System (1.3.6.1.4.1.311.10.3.4), Document Signing (1.3.6.1.4.1.311.10.3.12)...}
    DnsNameList              : {my name}
    SendAsTrustedIssuer      : False
    EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
    PolicyId                 : {d52c406f-c279-4bf2-b7c2-ee704290db3e}
    Archived                 : False
    Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
    FriendlyName             :
    IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    NotAfter                 : 4/15/2017 2:15:16 PM
    NotBefore                : 4/15/2016 2:15:16 PM
    HasPrivateKey            : True
    PrivateKey               :
    PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
    RawData                  : {56, 130, 19, 252...}
    SerialNumber             : 4F0000002F700000000000000000000000
    SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
    SignatureAlgorithm       : System.Security.Cryptography.Oid
    Thumbprint               : xxxxxxxxxxxxxxxxxxx
    Version                  : 3
    Handle                   : 2241663016272
    Issuer                   : CN=Issuing CA, DC=my, DC=domain, DC=us
    Subject                  : E=my.name@my.domain.us, CN=My Name
So HasPrivateKey == true, but PrivateKey == null. I've been trying to figure out how to gain access to the private key to perform encryption and decryption. The examples I've seen online seem to indicate that the PrivateKey property of the X509Certificate2 class should be readily available, so apparently I've missed something.
I've read similar questions here, such as "Empty PrivateKey in X509Certificate2", but none seem to resolve the issue. I've also read "Eight Tips for Working with X.509 Certificates in .NET" by Paul Stovell, which was enlightening but didn't help. It did let me verify that the private key exists in the correct place and, as far as I can tell, with the correct permissions, as referenced by the X509Certificate2 class:
    C:\Users\my.name\AppData\Roaming\Microsoft\SystemCertificates\My\Keys
The name of the key file matches the Subject Key Identifier on the certificate.
EDIT:
The output of `certutil -user -store "serial number"` is:

    Serial Number: 4f000000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Issuer: CN=Issuing CA, DC=my, DC=domain, DC=us
     NotBefore: 4/15/2016 2:15 PM
     NotAfter: 4/15/2017 2:15 PM
    Subject: E=my.name@my.domain.us, CN=My Name
    Non-root Certificate
    Template: UserV1, User V1
    Cert Hash(sha1): ad ab 82 18 8a 17 4d 75 11 04 48 7c 43 43 d4 05 b9 74 c8 4c
      Key Container = te-UserV1-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      Unique container name: fcbba1aa0xxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      Provider = Microsoft Software Key Storage Provider
    Encryption test passed
    CertUtil: -store command completed successfully.
What "key" piece of information am I missing here? Why isn't the private key conveniently referenced by the X509Certificate2 object? How do I gain access to it?
This may indicate one of the following:
1) The private key is stored in a Key Storage Provider (rather than a legacy Crypto Service Provider), which is poorly supported by .NET and not supported by the PrivateKey property of the X509Certificate2 class at all. You can check this by running the following command:
    certutil -user -store "<CertSerialNumber>"
2) The private key is missing. The HasPrivateKey property doesn't necessarily reflect the actual picture and may be true for non-existent keys or false for existing keys. Run the certutil command above to make sure whether the key is present.
In case the private key is present but the bindings are broken, you can try to restore the bindings by running the following command:
    certutil -user -repairstore "<CertSerialNumber>"
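An added PowerShell check (not part of the question or the answer above) that tells the two cases in the answer apart from inside .NET: it reads the legacy PrivateKey property, then opens the key through RSACertificateExtensions.GetRSAPrivateKey, which in .NET Framework 4.6 and later handles both CSP and CNG (Key Storage Provider) keys, and finishes with an encrypt/decrypt round trip against the certificate's own public key. It assumes Windows PowerShell 5.1 on .NET Framework 4.6+, and the thumbprint passed at the bottom is a placeholder to replace with your own.

```powershell
# Added example: classify a CurrentUser\My certificate's private-key situation.
# Requires .NET Framework 4.6+ (Windows PowerShell 5.1). Thumbprint is a placeholder.
function Test-CertPrivateKeyAccess {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    $ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    # Legacy property: populated only for RSA keys held by a CryptoAPI CSP; $null for KSP keys.
    $legacyKey = $cert.PrivateKey

    # GetRSAPrivateKey opens CSP and CNG keys alike. Extension methods are not visible
    # as instance methods in PowerShell, so it is called statically. A missing key
    # (HasPrivateKey stale, bindings broken) surfaces here as $null or an exception.
    $rsa = $null; $openError = $null
    try   { $rsa = $ext::GetRSAPrivateKey($cert) }
    catch { $openError = $_.Exception.Message }

    $roundTrip = $false
    if ($rsa) {
        # Same idea as certutil's "Encryption test": encrypt with the public key,
        # decrypt with the private key, compare. OAEP-SHA1 is accepted by both
        # RSACryptoServiceProvider (CSP) and RSACng (KSP).
        $pub     = $ext::GetRSAPublicKey($cert)
        $padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
        $plain   = [Text.Encoding]::UTF8.GetBytes('probe')
        $cipher  = $pub.Encrypt($plain, $padding)
        $back    = $rsa.Decrypt($cipher, $padding)
        $roundTrip = [Convert]::ToBase64String($back) -eq [Convert]::ToBase64String($plain)
        $pub.Dispose()
    }

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        HasPrivateKey    = $cert.HasPrivateKey        # flag only; can be wrong either way
        LegacyPrivateKey = [bool]$legacyKey           # $false while RsaType is RSACng => KSP key
        RsaType          = $(if ($rsa) { $rsa.GetType().Name })  # RSACng or RSACryptoServiceProvider
        OpenError        = $openError                 # non-empty => key absent or bindings broken
        RoundTripOk      = $roundTrip
    }
    if ($rsa) { $rsa.Dispose() }
}

Test-CertPrivateKeyAccess -Thumbprint 'ADAA82188A17PLACEHOLDERTHUMBPRINT'
```

RsaType = RSACng with LegacyPrivateKey = $false and RoundTripOk = $true is the answer's case 1, where the key is fine and only the PrivateKey property is unsuitable; an OpenError with HasPrivateKey = $true is case 2, where certutil -repairstore is the next step.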