Can I use an X509Certificate2 within ASP.NET without using a certificate store?

Question

I am trying to use an X509Certificate within an ASP.NET web service within the Rackspace Cloud. I have a feeling the certificate stores on the cloud nodes maybe causing problems. I also have a question related to this with the exception that I am receiving at SslStream.AuthenticateAsClient Exception when using iPhone Apple Push Notification Provider (apns-sharp) C#

Within the apns-sharp project I was using the following code:

certificate = new X509Certificate2(p12File)

However I received an exception and changing the code to the following resolved the X509Certificate2 exception. The new code is as follows:

certificate = new X509Certificate2(p12File, String.Empty, X509KeyStorageFlags.MachineKeySet);

I would like to know if I can use an X509Certificate2 within ASP.NET without using a certificate store? Would the certificate stores be causing problems with the Rackspace Cloud nodes?

Update #1 Rackspace tell me that access to the Local Machine Certificate store is not permitted. Is there any other way to bypass using the certificate store? Maybe using a third party library?

Answer 1

The reason the first constructor doesn't work is that ASP.NET does not load the user profile store, which is the default store if you don't specify a storage location using X509KeyStorageFlags. However, the machine store is always loaded by ASP.NET, which is why the second constructor works.

I'm assuming that you intend to use the private key on the certificate for encryption or creating digital signatures (hashing), in which case you can't avoid using a certificate store as private keys can only be accessed programmatically from imported certificates, and not directly from blobs or files.

I don't think the certificate store is used if the certificate data only contains the public key (as there is no sensitive data to protect) - I've noticed that I only need to specify the machine store when I intend to work with certificates that contain a private key.

I can't comment on the Rackspace situation though - there may be issues with importing certificates in code running in a partially-trusted environment, as loading a private key container demands specific permissions that may not be granted to your assembly.

Answer 2

I have imported an X509Certificate2 from a file and have both the private key and public key available using this code:

            X509Certificate2 cert = new X509Certificate2();
            // Key Location: the physical file location (C:\cert.pfx)
            // Key Password: the password for the certificate
            cert.Import(keyLocation, keyPassword, X509KeyStorageFlags.Exportable);

My experience was that the key to having it work was the X509KeyStorageFlags.Exportable. Without that, I could not access the private key.