Private key of certificate in certificate-store not readable

Question

I think I've got the same issue like this guy, but I wasn't as lucky as him/her since the solution provided doesn't work for me.

The solution provided looks for files on the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (not in sub directories) and C:\Users\[Username]\AppData\Roaming\Microsoft\Crypto\RSA (and subdirectories) However since I want the setup to install the application to all users, the custom action is running under the SYSTEM-User, which leads the files beeing actually created in C:\ProgramData\Application Data\Microsoft\Crypto\RSA\S-1-5-18.

When running an "normal" application as Admin (right click -> Run as Admin) executing exactly the same code, a file is created at C:\Users\[Username]\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1154405193-2177794320-4133247715-1000.

The certificate generated using the WIX custom action seems to not have a private key ("The key set does not exists"), while the cert generated by the "normal" application does.

When looking at the permissions of the files, they seem to be alright, even if they differ (the working one does include the SYSTEM user), even after adding the SYSTEM one to the ("non-working")file I am not able to read the private key, same error here.

Then I used the FindPrivateKey util the find the corresponding file but all I get is "Unable to obtain private key file name".

Ok whats going one here? Where does Windows store the private keys for certificates stored by the SYSTEM user? Maybe there isn't any private key file created? Why?

Answer 1

I got a solution by googleing up nearly everything ... as I understand there are some things to do:

1. Generate a X509Certificate2
2. Make sure the private key container is persistent (not temporary)
3. Make sure to have acccess rules for authenticated users, so they can see the private key

So the final code a came up with is the following:

X509Certificate2 nonPersistentCert = CreateACertSomehow();

// this is only required since there's no constructor for X509Certificate2 that uses X509KeyStorageFlags but a password
// so we create a tmp password, which is not reqired to be secure since it's only used in memory
// and the private key will be included (plain) in the final cert anyway
const string TMP_PFX_PASSWORD = "password";

// create a pfx in memory ...
byte[] nonPersistentCertPfxBytes = nonPersistentCert.Export(X509ContentType.Pfx, TMP_PFX_PASSWORD);

// ... to get an X509Certificate2 object with the X509KeyStorageFlags.PersistKeySet flag set
X509Certificate2 serverCert = new X509Certificate2(nonPersistentCertPfxBytes, TMP_PFX_PASSWORD,
    X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable); // use X509KeyStorageFlags.Exportable only if you want the private key to tbe exportable

// get the private key, which currently only the SYSTEM-User has access to
RSACryptoServiceProvider systemUserOnlyReadablePrivateKey = serverCert.PrivateKey as RSACryptoServiceProvider;

// create cspParameters
CspParameters cspParameters = new CspParameters(systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.ProviderType, 
    systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.ProviderName, 
    systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.KeyContainerName)
{
    // CspProviderFlags.UseArchivableKey means the key is exportable, if you don't want that use CspProviderFlags.UseExistingKey instead
    Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseArchivableKey,
    CryptoKeySecurity = systemUserOnlyReadablePrivateKey.CspKeyContainerInfo.CryptoKeySecurity
};

// add the access rules
cspParameters.CryptoKeySecurity.AddAccessRule(new CryptoKeyAccessRule(new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null), CryptoKeyRights.GenericRead, AccessControlType.Allow));

// create a new RSACryptoServiceProvider from the cspParameters and assign that as the private key
RSACryptoServiceProvider allUsersReadablePrivateKey = new RSACryptoServiceProvider(cspParameters);
serverCert.PrivateKey = allUsersReadablePrivateKey;

// finally place it into the cert store
X509Store rootStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
rootStore.Open(OpenFlags.ReadWrite);
rootStore.Add(serverCert);
rootStore.Close();

// :)