
Service account cannot load the X509Certificate from windows certificate store

All, I ran into an issue where the service account my ASP.NET Web Forms application (.NET Framework 4.6.1) runs under cannot load the X509Certificate (.pfx) from the Personal store on the Windows 2012 R2 server. Here is how I imported the certificate to the certificate store: I logged into the server using the service account (domain\\username) and used the MMC snap-in to import the certificate into the Current User Personal certificate store (please see screenshot at the end).

This is the code I am using to load the certificate in C#. But the certificate is null.

    using System.Configuration;
    using System.Security.Cryptography.X509Certificates;
    using System.Text.RegularExpressions;

    public X509Certificate2 Load()
    {
        X509Certificate2 x509Certificate = null;
        // Personal store of the account the application runs as
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        string thumbPrint = StripTheSpacesAndMakeItUpper(ConfigurationManager.AppSettings["pfxthumbPrint"]);
        store.Open(OpenFlags.ReadOnly);
        var certCollection = store.Certificates;
        // Compare the configured thumbprint against every certificate in the store
        foreach (var x509 in certCollection)
        {
            if (x509.Thumbprint.Equals(thumbPrint))
            {
                x509Certificate = x509;
                break;
            }
        }
        store.Close();
        return x509Certificate;
    }

    private string StripTheSpacesAndMakeItUpper(string thumbPrint)
    {
        if (!string.IsNullOrWhiteSpace(thumbPrint))
        {
            // Remove whitespace and non-word characters, then upper-case to match X509Certificate2.Thumbprint
            return Regex.Replace(thumbPrint, @"\s|\W", "").ToUpper();
        }
        return thumbPrint;
    }

Any suggestions on why the method Load returns null?

(Screenshots 1 to 3 omitted.)

I don't know how you set the value of ConfigurationManager.AppSettings["pfxthumbPrint"]. I guess you double-clicked the certificate in your CurrentUser store and copied the thumbprint from the Details tab, right? If that is the case, you also copied one invisible character from the beginning of the thumbprint.

The saddest thing is that this character (I don't know what it is) is not visible in your app.config/web.config. The only way to get rid of it is to delete the first quote character together with the first character of the thumbprint and type them in again manually. Or delete the entire thumbprint and the quotes and type them again if you wish.

Instead of

    if (x509.Thumbprint.Equals(x509CertificateFriendlyName))

Shouldn't it be

    if (x509.Thumbprint.Equals(thumbPrint))

...?

Also, you appear to have x509Certificate declared as a local variable and then you discard it. Did you intend to assign the value to an instance variable perhaps? I don't even see a return statement.

Also, you're not disposing your store, although that probably isn't the cause of your issue.

Here's a different version that addresses these issues, and will also eliminate any invisible characters in the configuration entry (see pepo's answer for why).

    using System.Configuration;
    using System.Linq;
    using System.Security.Cryptography.X509Certificates;
    using System.Text.RegularExpressions;

    public X509Certificate2 Load()
    {
        var thumbPrintFromConfig = ConfigurationManager.AppSettings["pfxthumbPrint"];
        var thumbPrint = Regex.Replace(thumbPrintFromConfig.ToUpper(), "[^A-F0-9]", ""); // Keep only hex digits
        return Load(thumbPrint);
    }

    private X509Certificate2 Load(string thumbPrint)
    {
        // X509Store is IDisposable from .NET Framework 4.6 onward, so the handle is released on exit
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var cert = store
                .Certificates
                .OfType<X509Certificate2>()
                .Where(x => x.Thumbprint == thumbPrint)
                .Single(); // Throws if there is no match (or more than one) instead of returning null
            store.Close();
            return cert;
        }
    }
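As an added example (not code from either answer above), a C# version that combines both points: it normalises the configured thumbprint so a stray invisible character cannot defeat the comparison (the character copied from the Details tab is normally U+200E, LEFT-TO-RIGHT MARK), reports which code points were stripped so the problem shows up in a log line, and throws a descriptive error naming the store and account instead of returning null. The class name, the 40-hex-digit length check and the sample thumbprint are my own assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class ThumbprintLookup
{
    // Upper-case and keep only hex digits: drops spaces and invisible characters such as
    // U+200E (LEFT-TO-RIGHT MARK) that the certificate Details tab prepends when copying.
    public static string NormalizeThumbprint(string raw)
    {
        if (raw == null) throw new ArgumentNullException(nameof(raw));
        var cleaned = Regex.Replace(raw.ToUpperInvariant(), "[^A-F0-9]", "");
        if (cleaned.Length != 40) // SHA-1 thumbprint: 20 bytes, 40 hex digits
            throw new FormatException($"Expected 40 hex digits, got {cleaned.Length} in '{raw}'");
        return cleaned;
    }

    // Names the non-hex, non-space code points so a bad config value shows up in a log line.
    public static string DescribeStrayCharacters(string raw) =>
        string.Join(", ", raw.Where(c => !Uri.IsHexDigit(c) && !char.IsWhiteSpace(c))
                             .Select(c => $"U+{(int)c:X4}"));

    // Throws instead of returning null, naming the store and the account that was searched:
    // a CurrentUser store only holds what that particular account imported.
    public static X509Certificate2 FindByThumbprint(string rawThumbprint, StoreLocation location = StoreLocation.CurrentUser)
    {
        var thumbprint = NormalizeThumbprint(rawThumbprint);
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly false: an expired or untrusted certificate is still returned, not silently hidden.
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    $"No certificate {thumbprint} in {location}\\My for {Environment.UserName}");
            return found[0];
        }
    }

    public static void Main()
    {
        // Constructed sample: the value as pasted from the Details tab, with the leading U+200E.
        const string pasted = "\u200EA1 B2 C3 D4 E5 F6 07 18 29 3A 4B 5C 6D 7E 8F 90 A1 B2 C3 D4";
        Console.WriteLine("Stray code points: " + DescribeStrayCharacters(pasted));
        Console.WriteLine("Normalized: " + NormalizeThumbprint(pasted));
    }
}
```

Running the lookup under the IIS application pool identity, rather than from the interactive session that imported the certificate, is the quickest way to confirm that the store being searched is the one the certificate was imported into.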
