The requested operation is not supported in CngKey.Create

I'm trying to generate a self-signed certificate on the fly (programmatically) in a C# assembly (targeting .NET 4.0), to serve as a root CA to generate other certificates. The certificate doesn't need to be persisted in the Windows certificate store, I'll export it as a file.

Reading through this question (and in particular, @dthorpe's answer), I decided to give a try to CLR Security.

The CLR Security library put an extension method on CngKey class to generate a self-signed certificate, but I couldn't succeed in creating an instance of CngKey with:

var key = CngKey.Create(CngAlgorithm.Sha1); //same with Sha256, Sha512 and MD5
//or
var key = CngKey.Create(CngAlgorithm.Sha1, null, new CngKeyCreationParameters()
{
    ExportPolicy = CngExportPolicies.AllowExport,
    KeyUsage = CngKeyUsages.AllUsages,
    KeyCreationOptions = CngKeyCreationOptions.MachineKey,
});

Any of these lines raises the exception:

System.Security.Cryptography.CryptographicException was unhandled
HResult=-2146893783
Message=The requested operation is not supported.

Source=System.Core  
StackTrace:  
  at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)  
  at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm,  String keyName, CngKeyCreationParameters creationParameters)  
  at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm)  
  at Tests.Program.Main(String[] args) at Program.cs:line 51

Searching through SO and the internet, I've checked the following:

  • I'm running a Windows 7 box (so it supports RPC as per MSDN)
  • Tried on a Windows Server 2012 box, same error
  • The process is running as admin (so it has access to all cert storages, anyway)
  • The services CNG Key Isolation and Remote Procedure Call (RPC) are running

Any help would be appreciated.

Dinei asked Nov 08 '22 05:11


1 Answer

Small off-topic: during a Google search for this question I found a site with HRESULT descriptions and a handy search tool for SO and MSDN (I simply googled your HRESULT code -2146893783).

I found a topic on MSDN which contains code failing with a similar HRESULT, and the author provides a link to an MSDN article about CNG:

NCRYPT_ALGORITHM_GROUP_PROPERTY L"Algorithm Group"
A null-terminated Unicode string that contains the name of the object's algorithm group. This property only applies to keys. The following identifiers are returned by the Microsoft key storage provider:

  • NCRYPT_RSA_ALGORITHM_GROUP
    "RSA", The RSA algorithm group.
  • NCRYPT_DH_ALGORITHM_GROUP
    "DH", The Diffie-Hellman algorithm group.
  • NCRYPT_DSA_ALGORITHM_GROUP
    "DSA", The DSA algorithm group.
  • NCRYPT_ECDSA_ALGORITHM_GROUP
    "ECDSA", The elliptic curve DSA algorithm group.
  • NCRYPT_ECDH_ALGORITHM_GROUP
    "ECDH", The elliptic curve Diffie-Hellman algorithm group.

Also I found an article on MSDN about CNG Key Storage Providers, which contains a similar list of the algorithms:

  • Diffie-Hellman (DH)
    Secret agreement and key exchange, 512 to 4096 in 64-bit increments
  • Digital Signature Algorithm (DSA)
    Signatures, 512 to 1024 in 64-bit increments
  • Elliptic Curve Diffie-Hellman (ECDH)
    Secret agreement and key exchange, P256, P384, P521
  • Elliptic Curve Digital Signature Algorithm (ECDSA)
    Signatures, P256, P384, P521
  • RSA
    Asymmetric encryption and signing, 512 to 16384 in 64-bit increments

So, as you've said that you've tried only Sha1, Sha256, Sha512 and MD5, maybe you could simply use another algorithm from the list available? You can find there the ones mentioned above:

  • RSA
  • ECDsa
    • P256
    • P384
    • P521
  • ECDiffieHellman
    • P256
    • P384
    • P521

Here other developers successfully created one of them and were able to export it:

var cngKey = CngKey.Create(CngAlgorithm.ECDiffieHellmanP256, null,
    new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowPlaintextExport });

VMAtm answered Nov 15 '22 06:11
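The point behind the answer is that CngKey.Create needs a key-pair algorithm that the key storage provider can generate (RSA, ECDSA, ECDH), while CngAlgorithm.Sha1, Sha256, Sha512 and MD5 name hash primitives, so NCryptCreatePersistedKey returns NTE_NOT_SUPPORTED (0x80090029, which is the signed value -2146893783 in the question's trace). The following is an added example, not code from the question or the answer: it reproduces the failing call from the question, then creates an exportable ECDSA P-256 key suitable as a CA signing key, checks what was actually created, exports it as PKCS#8 and signs a constructed byte string with it. A second helper shows the equivalent RSA key with an explicit 2048-bit length, using the string identifier "RSA" because CngAlgorithm.Rsa is not available on .NET 4.0. It assumes .NET Framework 4.x on Windows with the default Microsoft Software Key Storage Provider.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class CngKeyDemo
{
    // Returns true only when the identifier names a key-pair algorithm the KSP can generate.
    // Hash identifiers are not key algorithms, so CngKey.Create throws for them.
    public static bool CanCreateKey(CngAlgorithm algorithm)
    {
        try
        {
            using (CngKey probe = CngKey.Create(algorithm)) { return true; }
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("{0}: {1}", algorithm.Algorithm, ex.Message);
            return false;
        }
    }

    // Ephemeral (unnamed) ECDSA P-256 key. Plaintext export is opted in explicitly because the
    // private key is about to be written out; keep the default (no export) for keys that should
    // never leave the KSP. A CA key only signs, so KeyUsage is narrowed to Signing.
    public static CngKey CreateExportableEcdsaKey()
    {
        var creation = new CngKeyCreationParameters
        {
            ExportPolicy = CngExportPolicies.AllowPlaintextExport,
            KeyUsage = CngKeyUsages.Signing
        };
        return CngKey.Create(CngAlgorithm.ECDsaP256, null, creation);
    }

    // Same idea for RSA. The KSP reads the key size from the "Length" property (NCRYPT_LENGTH_PROPERTY),
    // passed as a little-endian DWORD; without it the provider's default size is used.
    public static CngKey CreateExportableRsaKey(int bits)
    {
        var creation = new CngKeyCreationParameters
        {
            ExportPolicy = CngExportPolicies.AllowPlaintextExport,
            KeyUsage = CngKeyUsages.Signing
        };
        creation.Parameters.Add(new CngProperty("Length", BitConverter.GetBytes(bits), CngPropertyOptions.None));
        return CngKey.Create(new CngAlgorithm("RSA"), null, creation);
    }

    static void Main()
    {
        // The failing call from the question: a hash algorithm is not a key algorithm.
        CanCreateKey(CngAlgorithm.Sha256);   // prints "The requested operation is not supported."

        using (CngKey caKey = CreateExportableEcdsaKey())
        {
            // Sanity checks: confirm the algorithm group, size and export policy actually requested.
            Console.WriteLine("{0} / {1} bits / export={2}", caKey.AlgorithmGroup, caKey.KeySize, caKey.ExportPolicy);

            byte[] pkcs8 = caKey.Export(CngKeyBlobFormat.Pkcs8PrivateBlob);
            Console.WriteLine("PKCS#8 blob: {0} bytes", pkcs8.Length);
            // File.WriteAllBytes("ca-key.p8", pkcs8); // persist wherever the CA material is kept

            // Constructed stand-in for a to-be-signed certificate body.
            byte[] tbs = Encoding.ASCII.GetBytes("to-be-signed certificate body (constructed)");
            using (var ecdsa = new ECDsaCng(caKey))
            {
                ecdsa.HashAlgorithm = CngAlgorithm.Sha256;
                byte[] sig = ecdsa.SignData(tbs);
                Console.WriteLine("signature verifies: {0}", ecdsa.VerifyData(tbs, sig));
            }
        }

        using (CngKey rsaKey = CreateExportableRsaKey(2048))
        {
            Console.WriteLine("{0} / {1} bits", rsaKey.AlgorithmGroup, rsaKey.KeySize);
        }
    }
}
```

CngKey.Create with a null key name produces an ephemeral key, which is what the question wants (nothing is left in the machine's key store). If the key is ever given a name, pair it with CngKeyCreationOptions.MachineKey only when a service account must reach it, and leave ExportPolicy at its default so the private key can only be used inside the provider.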