X509Certificate.CreateFromCertFile - the specified network password is not correct

Question

I have a .NET application that I want to use as a client to call an SSL SOAP web service. I have been supplied with a valid client certificate called foo.pfx . There is a password on the certificate itself.

I've located the certificate at the following location: C:\\certs\\foo.pfx

To call the web service, I need to attach the client certificate. Here's the code:

public X509Certificate GetCertificateFromDisk(){
    try{             

       string certPath = ConfigurationManager.AppSettings["MyCertPath"].ToString(); 
       //this evaluates to "c:\\certs\\foo.pfx". So far so good.

       X509Certificate myCert = X509Certificate.CreateFromCertFile(certPath);
       // exception is raised here! "The specified network password is not correct" 

       return cert;

     }
    catch (Exception ex){    
        throw;
     }
}

It sounds like the exception is around the .NET application trying to read the disk. The method CreateFromCertFile is a static method that should create a new instance of X509Certificate. The method isn't overridden, and has only one argument: the path.

When I inspect the Exception, I find this:

_COMPlusExceptionCode = -532459699
Source=mscorlib

Question: does anyone know what the cause of the exception "The specified network password is not correct" ?

Answer 1

Turns out that I was trying to create a certificate from the .pfx instead of the .cer file.

Lesson learned...

• .cer files are an X.509 certificate in binary form. They are DER encoded .
• .pfx files are container files . Also DER encoded. They contain not only certificates, but also private keys in encrypted form.

Answer 2

You might need to user X509Certificate2() with a parameter of X509KeyStorageFlags.MachineKeySet instead. This fixed a similar issue we had. Credit to the original website that suggested this: http://vdachev.net/2012/03/07/c-sharp-error-creating-x509certificate2-from-a-pfx-or-p12-file-in-production/

Quoting:

Cause

The cause of the problem doesn't seem to have much to do with the error messages. For some reason the constructor is trying to get access to the private key store although the private key is in stored in the file being opened. By default the user key store is used but ASP.NET (and probably non-interactive Windows services in general) are not allowed to open it. Chances are the user key store for the selected account doesn't even exist.

Solution

One thing you could try is creating a user key store by logging into the account and importing a certificate in its Personal store (and then remove it again).

Another solution is to pass an additional parameter to the constructor – a flag indicating the private keys are (supposed to be) stored in the local computer – X509KeyStorageFlags.MachineKeySet, like this: var certificate = new X509Certificate2(fileName, password, X509KeyStorageFlags.MachineKeySet);

For a PFX with no password, then password can be specified as string.Empty .

See also https://stackoverflow.com/a/8291956/130352

Answer 3

Depending on your situation you probably need to install the certificate on the server first to get the trust level up before you export the .cer file.

I had to do this for a similar project and here were my notes on how it was accomplished.

Replace the Foo.cer with an export of the certificate installed on the server. (Install the cert from the pfx file and then export it to a cer file.)

• Command for IIS6 to allow IIS_WPG group access to the cert key. Need to install winhttpcertcfg (You can follow the link below to grab your own copy).

  C:\\Program Files\\Windows Resource Kits\\Tools>winhttpcertcfg -i (Path to pfx file, eg. e:\\Certs\\Foo.pfx) -c LOCAL_MACHINE\\My -a IIS_WPG -p (Password for pfx file)

• Spits out key info and grants privilege

  Granting private key access for account:

   (SERVERNAME)\\IIS_WPG 

Download WinHttpCertCfg.msi here that installs the exe.

More info on how to use the cert config can be found here .

Then it just goes back to how you are doing your cert push.

//Cert Challenge URL 
Uri requestURI = new Uri("https://someurl");

//Create the Request Object
HttpWebRequest pageRequest = (HttpWebRequest)WebRequest.Create(requestURI);

//After installing the cert on the server export a client cert to the working directory as Foo.cer
string certFile = MapPath("Foo.cer");
X509Certificate cert = X509Certificate.CreateFromCertFile(certFile);


//Set the Request Object parameters
pageRequest.ContentType = "application/x-www-form-urlencoded";
pageRequest.Method = "POST";
pageRequest.AllowWriteStreamBuffering = false;
pageRequest.AllowAutoRedirect = false;
pageRequest.ClientCertificates.Add(cert);

This how I passed the cert but not sure exactly what you are needing to do with your cert so this might not be the same for you.

Answer 4

当您尝试在其中一个OS存储中导入的证书已存在于该存储中时，也会返回“指定的网络密码不正确”错误消息。

Answer 5

In my case I was trying to run in the Private Application mode and I got the same error.

The specified network password is not correct

The PrivateAuthenticator constructor (in Xero.Api.Example.Applications.Private ) was trying to import the certificate assuming there is no password defined during the creation of the certificate.

_certificate = new X509Certificate2();
_certificate.Import(certificatePath);

Then I changed the import to use an overload method which uses the password,

_certificate.Import(certificatePath, "mypasswordusedtocreatethecertificate",  X509KeyStorageFlags.MachineKeySet);

Answer 6

You might need to X509KeyStorageFlags.MachineKeySet.

I am using certificate from web job.

Answer 7

在我的例子中，在应用程序池中将Identity更改为NetworkService解决了这个问题。