
SSL certificates won't load into an IIS worker process unless "LoadUserProfile" is enabled by Dmitry Me


Status: Active


Type: Bug
ID: 790360
Opened: 6/18/2013 2:09:08 AM
Access Restriction: Public
Workaround(s): 1
User(s) can reproduce this bug: 0

Description

I have an ASP.NET application that runs inside IIS 7 on Windows Server 2008 SP1 with the application pool configured to run under a local user belonging to the "Users" local group. I have a .pfx file with an SSL certificate with a private key. The following code:

    var data = File.ReadAllBytes(pathToPfxFile);
    var cert = new X509Certificate2(data, password);

yields "System.Security.Cryptography.CryptographicException Object was not found." unless I reconfigure the IIS pool to have "LoadUserProfile" enabled.

This is a big problem.

First, why does loading a certificate from a file (not cert storage) depend on the user profile being loaded? Second, why is the message so obscure and useless - how should I have figured out how to resolve the issue?
Details
Posted by Microsoft on 6/20/2013 at 10:28 PM
Thank you for your feedback. When you load a PFX file with X509Certificate2, the private key is placed in either the user or machine key store. By default, the user key store is chosen, which is only available with the user profile loaded. If your process has administrative privileges, you can specify the machine key store by using new X509Certificate2(data, password, X509KeyStorageFlags.MachineKeySet).

At this time, we will not be able to make a change to improve the experience for this error. However, we will consider it for a future version.
Posted by Microsoft on 6/19/2013 at 2:10 AM
Thanks for your feedback.

We are rerouting this issue to the appropriate group within the Visual Studio Product Team for triage and resolution. These specialized experts will follow up with your issue.
Posted by Microsoft on 6/18/2013 at 2:50 AM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly (http://support.microsoft.com).
Workarounds
Posted by Microsoft on 6/20/2013 at 10:27 PM
Thank you for your feedback. When you load a PFX file with X509Certificate2, the private key is placed in either the user or machine key store. By default, the user key store is chosen, which is only available with the user profile loaded. If your process has administrative privileges, you can specify the machine key store by using new X509Certificate2(data, password, X509KeyStorageFlags.MachineKeySet).

At this time, we will not be able to make a change to improve the experience for this error. However, we will consider it for a future version.
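
The workaround above as an added C# example (not code from the thread or from Microsoft): it tries the default user key store first, falls back to `X509KeyStorageFlags.MachineKeySet`, and reports both failures with a message that names the likely causes. `PfxLoader`, `Load` and the command-line arguments are hypothetical names; the example assumes the process is allowed to write to the machine key store.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not from the thread.
public static class PfxLoader
{
    public static X509Certificate2 Load(string pathToPfxFile, string password)
    {
        byte[] data = File.ReadAllBytes(pathToPfxFile);
        try
        {
            // Default flags import the private key into the user key store,
            // which is only available when the user profile is loaded.
            return new X509Certificate2(data, password);
        }
        catch (CryptographicException userStoreError)
        {
            try
            {
                // Machine key store: needs no profile, but the process must be
                // allowed to write there. PersistKeySet is deliberately not set,
                // so the imported key is temporary.
                return new X509Certificate2(data, password, X509KeyStorageFlags.MachineKeySet);
            }
            catch (CryptographicException machineStoreError)
            {
                throw new InvalidOperationException(
                    "PFX import failed in both key stores. User store: '" + userStoreError.Message +
                    "'. Machine store: '" + machineStoreError.Message +
                    "'. Check the PFX password, the pool's LoadUserProfile setting, " +
                    "and the account's rights to the machine key store.", machineStoreError);
            }
        }
    }

    public static void Main(string[] args)
    {
        // args[0] = path to the .pfx file, args[1] = its password (caller-supplied).
        X509Certificate2 cert = Load(args[0], args[1]);
        try
        {
            Console.WriteLine("{0} HasPrivateKey={1}", cert.Subject, cert.HasPrivateKey);
        }
        finally
        {
            cert.Reset(); // release the key handle so the temporary key is cleaned up
        }
    }
}
```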