
Does WCF in .NET 4.6.2 support server certificates with PK in CNG KSP?

On Windows, a TLS server certificate (which sits in a certificate store) comes with a private key (PK) which sits either in a CSP keystore or CNG keystore. Where the PK ends up can be specified when importing the certificate (that is, on recent Windows versions), for example using the -sp (subject's provider) parameter to makecert.

Now if the provider isn't specified, the defaults aren't friendly. The PK ends up in the CNG KSP and will be unusable by WCF.

Microsoft says that ".NET Framework 4.6.1 and earlier versions do not support these certificates because they use the legacy CryptoAPI to handle CNG/KSP certificates. The use of these certificates with .NET Framework 4.6.1 and earlier versions will cause an exception."

However, I'm seeing the exact same behavior between .NET Framework 4.6.1 and .NET Framework 4.6.2 installed on the server side of the connection. What happens is that the server appears (per its own logs) to be happily listening on the designated port, but the port is not open (per netstat -a). Windows event logs mention "Invalid provider type specified" while the server is trying to open the port.

There's net.tcp port sharing sitting between the server and the actual port if that matters.

Is anyone running any version of .NET (using WCF) successfully with server certificates in CNG KSP? Is the Microsoft documentation above simply incorrect?

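Here is a link that discusses the limitation (link). What worked for me was converting the private key provider to Microsoft Enhanced Cryptographic Provider v1.0 (CryptoAPI), which solved the problem.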
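
An added example, not part of the original question or answer: a PowerShell check that reports which provider holds each private key in the LocalMachine\My store, so certificates sitting in a CNG KSP can be spotted before a WCF service is bound to them. It assumes an elevated prompt and English-language certutil output; the PFX path in the closing comment is a placeholder, and re-importing with certutil is one way to do the conversion the answer describes, not necessarily the one its author used.

```powershell
# Added example: report the key provider for every certificate in LocalMachine\My.
# Assumption: certutil prints an English "Provider = <name>" line for each key.
$legacyCsp = 'Microsoft Enhanced Cryptographic Provider v1.0'

$report = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        # certutil accepts the SHA-1 thumbprint as the certificate id.
        $dump = & certutil.exe -store My $_.Thumbprint
        $line = $dump |
            Select-String -Pattern '^\s*Provider\s*=\s*(.+)$' |
            Select-Object -First 1
        $provider = if ($line) {
            $line.Matches[0].Groups[1].Value.Trim()
        } else {
            '<not reported>'
        }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Provider   = $provider
            # Name-based heuristic: the stock software and smart card KSPs
            # both carry "Key Storage Provider" in their names.
            IsCngKsp   = $provider -like '*Key Storage Provider*'
        }
    }

$report | Format-Table -AutoSize

# Certificates flagged IsCngKsp are the ones the question describes as
# failing with "Invalid provider type specified".
$report | Where-Object { $_.IsCngKsp } | ForEach-Object {
    Write-Warning "CNG KSP key: $($_.Subject) [$($_.Thumbprint)]"
}

# To move a key into the legacy CSP, re-import the certificate from a PFX
# that contains the private key (placeholder path; remove the old entry first):
#   certutil.exe -csp "$legacyCsp" -importpfx 'C:\path\to\server.pfx'
```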
