X509Certificate.CreateFromCertFile - the specified network password is not correct
https://stackoverflow.com/questions/899991
-
23-08-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I have a .NET application that I want to use as a client to call an SSL SOAP web service. I have been supplied with a valid client certificate called foo.pfx. There is a password on the certificate itself.
I've located the certificate at the following location: C:\certs\foo.pfx
To call the web service, I need to attach the client certificate. Here's the code:
public X509Certificate GetCertificateFromDisk(){
try{
string certPath = ConfigurationManager.AppSettings["MyCertPath"].ToString();
//this evaluates to "c:\\certs\\foo.pfx". So far so good.
X509Certificate myCert = X509Certificate.CreateFromCertFile(certPath);
// exception is raised here! "The specified network password is not correct"
return cert;
}
catch (Exception ex){
throw;
}
}
It sounds like the exception is around the .NET application trying to read the disk. The method CreateFromCertFile is a static method that should create a new instance of X509Certificate. The method isn't overridden, and has only one argument: the path.
When I inspect the Exception, I find this:
_COMPlusExceptionCode = -532459699
Source=mscorlib
Question: does anyone know what the cause of the exception "The specified network password is not correct" ?
Solution
Turns out that I was trying to create a certificate from the .pfx instead of the .cer file.
Lesson learned...
- .cer files are an X.509 certificate in binary form. They are DER encoded.
- .pfx files are container files. Also DER encoded. They contain not only certificates, but also private keys in encrypted form.
OTHER TIPS
You might need to user X509Certificate2() with a parameter of X509KeyStorageFlags.MachineKeySet instead. This fixed a similar issue we had. Credit to the original website that suggested this: http://vdachev.net/2012/03/07/c-sharp-error-creating-x509certificate2-from-a-pfx-or-p12-file-in-production/
Quoting:
Cause
The cause of the problem doesn’t seem to have much to do with the error messages. For some reason the constructor is trying to get access to the private key store although the private key is in stored in the file being opened. By default the user key store is used but ASP.NET (and probably non-interactive Windows services in general) are not allowed to open it. Chances are the user key store for the selected account doesn’t even exist.
Solution
One thing you could try is creating a user key store by logging into the account and importing a certificate in its Personal store (and then remove it again).
Another solution is to pass an additional parameter to the constructor – a flag indicating the private keys are (supposed to be) stored in the local computer – X509KeyStorageFlags.MachineKeySet, like this:
var certificate = new X509Certificate2(fileName, password, X509KeyStorageFlags.MachineKeySet);
For a PFX with no password, then password can be specified as string.Empty.
Depending on your situation you probably need to install the certificate on the server first to get the trust level up before you export the .cer file.
I had to do this for a similar project and here were my notes on how it was accomplished.
Replace the Foo.cer with an export of the certificate installed on the server. (Install the cert from the pfx file and then export it to a cer file.)
Command for IIS6 to allow IIS_WPG group access to the cert key. Need to install
winhttpcertcfg(You can follow the link below to grab your own copy).C:\Program Files\Windows Resource Kits\Tools>winhttpcertcfg -i (Path to pfx file, eg. e:\Certs\Foo.pfx) -c LOCAL_MACHINE\My -a IIS_WPG -p (Password for pfx file)
Spits out key info and grants privilege
Granting private key access for account:
(SERVERNAME)\IIS_WPG
Download WinHttpCertCfg.msi here that installs the exe.
More info on how to use the cert config can be found here.
Then it just goes back to how you are doing your cert push.
//Cert Challenge URL
Uri requestURI = new Uri("https://someurl");
//Create the Request Object
HttpWebRequest pageRequest = (HttpWebRequest)WebRequest.Create(requestURI);
//After installing the cert on the server export a client cert to the working directory as Foo.cer
string certFile = MapPath("Foo.cer");
X509Certificate cert = X509Certificate.CreateFromCertFile(certFile);
//Set the Request Object parameters
pageRequest.ContentType = "application/x-www-form-urlencoded";
pageRequest.Method = "POST";
pageRequest.AllowWriteStreamBuffering = false;
pageRequest.AllowAutoRedirect = false;
pageRequest.ClientCertificates.Add(cert);
This how I passed the cert but not sure exactly what you are needing to do with your cert so this might not be the same for you.
The 'the specified network password is not correct' error message is also returned when the certificate you are trying to import in one of the OS stores is already present in that store.
In my case I was trying to run in the Private Application mode and I got the same error.
The specified network password is not correct
The PrivateAuthenticator constructor (in Xero.Api.Example.Applications.Private) was trying to import the certificate assuming there is no password defined during the creation of the certificate.
_certificate = new X509Certificate2();
_certificate.Import(certificatePath);
Then I changed the import to use an overload method which uses the password,
_certificate.Import(certificatePath, "mypasswordusedtocreatethecertificate", X509KeyStorageFlags.MachineKeySet);
You might need to X509KeyStorageFlags.MachineKeySet.
I am using certificate from web job.
In my case changing Identity to NetworkService in Application Pool solved this problem.
