
How to load another's certificate to my local certificate store?

I have a certificate (.pem file) that is distributed by another service vendor. I downloaded the certificate from the vendor and saved it to my local drive. In my WCF client, I am trying to load this certificate from the local drive and it is giving me an error “The private key is not present in the X.509 certificate” when communicating with the service. I was told that I need to load this certificate to my local certificate store to resolve this error. Can anyone provide some directions? Thanks!

I have the below function to load certificate from the path specified in the file parameter.

using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static X509Certificate LoadCertificate(string file)
{
    try
    {
        // Works for DER-encoded (.cer) files.
        return X509Certificate.CreateFromCertFile(file);
    }
    catch (CryptographicException)
    {
        // Fall back to treating the file as PEM: strip the armour lines
        // and decode the Base64 body ourselves.
        string filestr = File.ReadAllText(file);
        int start = filestr.IndexOf("-----BEGIN CERTIFICATE-----");
        if (start < 0)
        {
            throw; // neither DER nor PEM: surface the original error
        }

        StringBuilder sb = new StringBuilder(filestr.Remove(0, start));
        sb.Replace("-----BEGIN CERTIFICATE-----", "");
        sb.Replace("-----END CERTIFICATE-----", "");

        // Convert.FromBase64String ignores whitespace, so the PEM line breaks are
        // fine; it throws FormatException if the body is not valid Base64.
        byte[] certBytes = Convert.FromBase64String(sb.ToString());
        return new X509Certificate(certBytes);
    }
}

In my WCF client, it is loading the certificate that was created from LoadCertificate() function.

    public X509Certificate Certificate { get; set; }

    ClientCredentials loginCredentials = new ClientCredentials();
    loginCredentials.UserName.UserName = this.UserId;
    loginCredentials.UserName.Password = this.Password;
    loginCredentials.ClientCertificate.Certificate = new X509Certificate2(this.Certificate);

Your code says you are trying to use the certificate to authenticate the client to the server, in addition to providing a username and a password. That's pretty bizarre but I guess possible. You will need the private keys associated with that certificate for that purpose, as the client will need them to encrypt the communication so the server can use the certificate to decrypt and verify that the client is legit. A .pem file can contain both public and private keys but maybe the one that was sent to you does not?

My guess is that really you only wanted the client to connect to a server that is using this certificate to identify itself and encrypt the communication. If so, all the client needs to do is import the certificate locally so it can compare against this local version when the server sends it when the client first connects to it.

To do that, Microsoft made double-clicking on a .pem file in a file browser start the certificate import wizard. But in case that does not work for you, here is the hard way:

  • Start - run - mmc
  • File - Add/Remove snap-in
  • Select "certificates" - click Add - choose Computer Account - Local computer
  • Close snap-in window with OK
  • Now browse to Certificates (Local computer) - Personal - Certificates
  • Right click - All Tasks - Import
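The following C# is an added example; it is not code from the question or from the answer above. It ties the two posts together: the "The private key is not present in the X.509 certificate" error comes from assigning a certificate to ClientCredentials.ClientCertificate, which is only meaningful for a certificate whose private key the client holds, while a vendor's certificate-only .pem can only serve as the identity of the vendor's service. The example loads the PEM (the X509Certificate2 constructor on Windows accepts PEM armour as well as DER), reports HasPrivateKey, imports the certificate into the local machine store programmatically (the equivalent of the mmc steps), finds it again by thumbprint, and assigns it to the ClientCredentials property that fits. The path C:\certs\vendor.pem, the user name and password, and the choice of the Trusted People store for a key-less certificate (so that PeerTrust validation can find it) are assumptions of the example, not from the page; writing to the LocalMachine store requires administrative rights.

```csharp
// Added example, not code from the original question or answer.
// Assumptions: the vendor file is at C:\certs\vendor.pem (hypothetical path) and
// contains only a certificate, no private key; targets .NET Framework 4.x / WCF.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public static class VendorCertificate
{
    // On Windows the X509Certificate2 constructor accepts both DER (.cer) and
    // PEM ("-----BEGIN CERTIFICATE-----" armour) input, so the armour does not
    // have to be stripped by hand.
    public static X509Certificate2 Load(string path)
    {
        return new X509Certificate2(File.ReadAllBytes(path));
    }

    // Import into the given store (the programmatic equivalent of the mmc wizard)
    // and return the thumbprint so the certificate can be found again later.
    public static string Import(X509Certificate2 cert, StoreName name, StoreLocation location)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadWrite);   // LocalMachine needs administrative rights
        try
        {
            store.Add(cert);               // no-op if the certificate is already present
        }
        finally
        {
            store.Close();
        }
        return cert.Thumbprint;
    }

    public static X509Certificate2 Find(string thumbprint, StoreName name, StoreLocation location)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false so an expired or not-yet-trusted certificate is still returned
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count == 0 ? null : hits[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Decide which side of the handshake this certificate belongs to.
    public static void Apply(ClientCredentials creds, X509Certificate2 cert)
    {
        if (cert.HasPrivateKey)
        {
            // We hold the key: the certificate can authenticate this client.
            creds.ClientCertificate.Certificate = cert;
        }
        else
        {
            // Public part only: this can only be the service's identity. Assigning it
            // to ClientCertificate would reproduce "The private key is not present".
            creds.ServiceCertificate.DefaultCertificate = cert;
            creds.ServiceCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.PeerTrust;   // trust exactly what is in Trusted People
            creds.ServiceCertificate.Authentication.TrustedStoreLocation = StoreLocation.LocalMachine;
        }
    }

    public static void Main()
    {
        X509Certificate2 cert = Load(@"C:\certs\vendor.pem");   // hypothetical path
        Console.WriteLine("{0}  private key present: {1}", cert.Subject, cert.HasPrivateKey);

        // A certificate with a key goes to Personal; a key-less vendor certificate
        // goes to Trusted People so PeerTrust validation can match it (assumption).
        StoreName target = cert.HasPrivateKey ? StoreName.My : StoreName.TrustedPeople;
        string thumb = Import(cert, target, StoreLocation.LocalMachine);

        var creds = new ClientCredentials();
        creds.UserName.UserName = "user";         // placeholder
        creds.UserName.Password = "secret";       // placeholder
        Apply(creds, Find(thumb, target, StoreLocation.LocalMachine));
    }
}
```

Importing the file into a store does not add a private key to it: if HasPrivateKey is false after loading, no store placement will make the certificate usable as ClientCertificate. In that case the vendor either expects the certificate only as their service identity (the branch handled above), or they must issue the client its own key pair, typically as a password-protected .pfx.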
