Invalid provider type specified when accessing X509Certificate2.PrivateKey

Today, I was attempting to digitally sign a byte array with my private key so that I could produce an event on the event bus and a consumer could ensure that the message came from me and was not modified while in transit.

public byte[] SignData(byte[] data)
{
  X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
  certStore.Open(OpenFlags.ReadOnly);

  // the DN I get is CN=name,CN=Users,DC=example,DC=com
  // but the DN on the cert has spaces after each comma
  string spacedDN = UserPrincipal.Current.DistinguishedName.Replace(",", ", ");

  X509Certificate2 cert = certStore.Certificates
    .Find(
      X509FindType.FindBySubjectDistinguishedName,
      spacedDN,
      true)
    .OfType<X509Certificate2>()
    .FirstOrDefault();

  if (null == cert) { // handle no cert }

  RSACryptoServiceProvider rsaProvider = cert.PrivateKey as RSACryptoServiceProvider;
  return rsaProvider.SignData(data, new SHA1CryptoServiceProvider());
}

When I run this as myself, I get the following exception:  
System.Security.Cryptography.CryptographicException: Invalid provider type specified.
... the stack trace boils down to ...
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
This wasn't a terribly enlightening exception message, so I asked google and found this link and this link.  It turns out that by using the newest Certificate Templates (version 3), I am using Microsoft's new Key Storage Provider (KSP), and not the Cryptographic Storage Provider (CSP) that we normally expect.  Windows Server 2008-based certificate templates use the KSP as part of what M$ calls Cryptography Next Generation (CNG).  While .NET 4 does provide managed implementations of the CNG stuff, they are not FIPS-compliant, which is a deal-breaker for me.

So what is a FIPS-constrained boy to do?  Well, I had to delete my auto-enrollment templates that were Windows Server 2008-based and replace them with Windows Server 2003-based templates.  When you duplicate a template using the Certificate Templates MMC snap-in, it will ask you to choose between 2008-based and 2003-based.  Select 2003-based and then revoke any certs you may have issued based on the 2008-based templates.  Let auto-enrollment take its course and then you'll find that you no longer get the invalid provider exception when you access your private key.

Comments

  1. JamesCJuly 18, 2012 at 11:01 PM

    Hi John - I have been mulling over your article and just wondered if you know if KSP keys are stored here: ../Microsoft/Crypto/Keys and CSP keys are stored here: ../Microsoft/Crypto/RSA.

    I ask because I'm puzzled why a private key someone has given me keeps getting created in ../Microsoft/Crypto/Keys while I'm used to them being created here: ../Microsoft/Crypto/RSA.

    The error I get when I try to access the key in BizTalk 2010 is the same as you got.

    It's a long shot but you might know!

    ReplyDelete
    Replies
    1. UnknownSeptember 6, 2016 at 10:15 AM

      Hi James,

      I'm having the same issue with our BizTalk 2013R2 CU2 server when calling a WCF-WSHttp end-point using a certificate for the Message Security.

      Were you able to resolve this issue? If so what did you do to get it fixed.

      Thanks

      Delete
  2. John RuizSeptember 6, 2016 at 11:22 AM

    The problem for me was the template under which the certificate was issued. At the certificate authority, when you define a template, you're given the choice between 2008-based and 2003-based templates. Once you select 2003-based, you can re-issue yourself a certificate and you shouldn't have problems any longer because PrivateKey should then be accessible.

    ReplyDelete
  3. UnknownJuly 13, 2017 at 1:53 AM

    I am new to accessing the X509Certificate2.PrivateKey. I am using microsoft cryptographic storage provider(CSP).Can you tell me what exactly 2008-based and 2003-based templates.

    ReplyDelete
  4. Anbarasan14June 27, 2019 at 7:30 AM

    Nice post. Thanks for sharing.
    Spoken English Classes in Chennai Anna Nagar
    Spoken English Class in Porur
    Spoken English Class in Vadapalani
    Spoken English Class in Thiruvanmiyur
    Spoken English Class in Chennai
    Best English Speaking Classes in Mumbai
    English Speaking Course in Mumbai
    IELTS Training in Chennai
    IELTS Coaching in Chennai
    IELTS Mumbai

    ReplyDelete
  5. aivivubooking1May 12, 2021 at 6:24 AM

    Mua vé máy bay tại Aivivu, tham khảo

    Vé máy bay đi Mỹ

    vé máy bay đà nẵng về sài gòn

    vé máy bay từ tphcm ra hà nội

    vé máy bay sài gòn đà lạt pacific airlines

    gia ve may bay tphcm di quy nhon

    xe taxi sân bay nội bài

    combo hà nội đà lạt

    ReplyDelete
  6. HealthandfigureOctober 18, 2022 at 2:00 AM

    This comment has been removed by the author.

    ReplyDelete
  7. HealthandfigureOctober 18, 2022 at 2:03 AM

    Aaj mein aap ko time badhane wale condom kaun se hain unke baare mein bataunga aur kese aap condom ki help se long time tak apne sex ko enjoy kare sakte hain

    ReplyDelete

Post a Comment

Popular posts from this blog

Establishing a SSL connection to RabbitMQ using the .NET client

Image
First, I'm making the assumption that you've read, re-read, and followed the SSL tutorial on rabbitmq's website .  If you haven't done everything that it's instructed you to do (including adding your certificates to the Windows Certificate Store using certmgr), none of this code is going to work for you.  If you have, this code should "Just Work™". Here's the complete code file that works for me.  You will (obviously) need to change the names of the servers, and the thumbprint of your certificate. Note that this code only uses your client and server's certificates to establish a secure connection.  You are still logging in as guest.  I will show you how to use your client certificate to authenticate yourself below. using System; using System.Linq; using System.Security.Cryptography.X509Certificates; using System.Text; using RabbitMQ.Client; using RabbitMQ.Util; namespace RabbitSslTest {     class Program     {   ...
Read more

Join CentOS to a Windows Domain

Image
3/26/2012 update: I've now done this on CentOS 6.2 as well. Since I've had to do this a number of times in the last few months, I thought I should post this here so I can't forget it. Here's some specifics on what I'm using: Windows Server 2008 R2 As dc1.devexample.com (192.168.0.201) As Primary Domain Controller of devexample.com As Windows Server 2008 R2 forest functional level CentOS 5 / CentOS 6 As app01.devexample.com (192.168.0.203) Samba 3.5.6 / Samba 3.6.3 An internet connection. If you are not going to have an internet connection, you'll want to pre-download the files you'll need. I suggest using 'yum downloadonly' to get them. I've spun up a brand new CentOS 5.5 VM and logged in. Oh man, does anyone else just love logging into a fresh install? Is my nerd showing? Sorry! The first thing I need to do is take on great responsibility, so for that I'm going to need great power: let's add my account to the su...
Read more