
Site in Azure Websites fails processing of X509Certificate2

I have a site in Azure Websites (not Hosted Service) and I need to process .pfx certificates with a private key there.

var x509Certificate2 = new X509Certificate2(certificate, password); 

But I was faced with the following exception:

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

In the article http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/ I found that this happens because by default the system uses the user's local directory to store the key. But Azure Websites has no local user profile directory. In the same article the author proposes using the X509KeyStorageFlags.MachineKeySet flag.

var x509Certificate2 = new X509Certificate2(certificate, password, X509KeyStorageFlags.MachineKeySet); 

But now I have another exception:

System.Security.Cryptography.CryptographicException: Access denied.
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

Can anybody help me to understand why it happens and how to fix it?

Roman Oleynik asked Sep 23 '13 12:09


1 Answer

I guess you found a workaround, but if others are struggling with this, I found the answer to this in another SO question:

How can constructing an X509Certificate2 from a PKCS#12 byte array throw CryptographicException("The system cannot find the file specified.")?

The magic is specifying the X509KeyStorageFlags storage flags. Example:

var myCertificate = new X509Certificate2(
    certificateData,
    securePasswordString,
    X509KeyStorageFlags.MachineKeySet |
    X509KeyStorageFlags.PersistKeySet |
    X509KeyStorageFlags.Exportable);
Jon Odgård answered Sep 25 '22 21:09
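
The flags in the answer above also persist the private key in the machine key store and mark it exportable; when the key is only needed in-process, a narrower load is possible. The following is an added example, not code from the question or the answer: it keeps MachineKeySet, omits PersistKeySet and Exportable, and disposes the certificate so the temporary key file is cleaned up. Assumptions: Windows with .NET Framework 4.7.2+ or .NET Core 2.0+; PfxDemo, SignWithPfx and the self-signed sample certificate are constructed for illustration; whether MachineKeySet alone is sufficient on a given Azure Websites plan is not established by this page.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class PfxDemo // hypothetical name, not from the page
{
    // Loads a PFX blob and signs data with its RSA private key.
    // MachineKeySet avoids the per-user profile store; PersistKeySet and
    // Exportable are omitted so the temporary key file is removed when the
    // certificate is disposed and the imported key is not marked exportable.
    public static byte[] SignWithPfx(byte[] pfx, string password, byte[] data)
    {
        using (var cert = new X509Certificate2(pfx, password, X509KeyStorageFlags.MachineKeySet))
        {
            if (!cert.HasPrivateKey)
                throw new CryptographicException("PFX has no private key.");
            using (RSA key = cert.GetRSAPrivateKey())
            {
                if (key == null)
                    throw new CryptographicException("Private key is not RSA.");
                return key.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            }
        }
    }

    static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate exported to PFX.
        const string password = "constructed-sample-password";
        byte[] data = Encoding.UTF8.GetBytes("constructed message");
        using (RSA rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-sample", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var selfSigned = req.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1)))
            {
                byte[] pfx = selfSigned.Export(X509ContentType.Pfx, password);
                byte[] sig = SignWithPfx(pfx, password, data);
                // Verify with the public key to confirm the imported private key was usable.
                using (RSA pub = selfSigned.GetRSAPublicKey())
                    Console.WriteLine(pub.VerifyData(data, sig,
                        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
            }
        }
    }
}
```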