C# Import X509Certificate network password is not correct only on Win 2016 LTSB

Time:10-07

Starting situation:

I have a certificate (RSA-SHA1) with the corresponding password. I have the certificate and the password as a string. The password has 32 characters.

My Code (.NET Framework 4.8 and 4.7.2):

using System;
using System.Security.Cryptography.X509Certificates;

string cert = "mycert";          // base64-encoded PKCS#12 (PFX) blob
string pw = "mypassword";

var convertedCert = Convert.FromBase64String(cert);

var certs = new X509Certificate2();
certs.Import(convertedCert, pw, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet);

My Problem:

On my own computer (Windows 10 Pro 19044), importing is possible without any problems. I don't get any error message or anything else. On other computers (Windows 2016 Enterprise LTSB Build 14393 & Windows 10 Enterprise 2016 LTSB release 1607) I always get the following exception:

ERROR: MyTestApp.ImportCertificate() - failed with exception: System.Security.Cryptography.CryptographicException: The specified network password is not correct.

bei System.Security.Cryptography.X509Certificates.X509Certificate2Collection.LoadStoreFromBlob(Byte[] rawData, String password, UInt32 dwFlags, Boolean persistKeyContainers)
bei System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

What I have already tried/ What we can exclude:

  • Older Win 10 versions cannot handle SHA-256 - I use SHA-1
  • My password is not longer than 32 characters - I have read that longer passwords do not work in some cases
  • The password is 100% correct because it works on my machine
  • Starting as admin on the LTSB did not help - To avoid access problems
  • Changing the KeyStorageFlag to MachineKeySet did not help - To ensure that access to the UserKeySet does not work
  • C:\Users\AppData\Roaming\Microsoft\Crypto\RSA exists on LTSB
  • But C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys exists on LTSB
  • I don't know if newer LTSB Windows Versions are affected too

These are all possible problems that could arise according to the internet and Stackoverflow research. However, I was able to verify that these errors do not apply to me.

I also debugged into X509Certificate2 and found the following: I get as far as the LoadStoreFromBlob() call. In LoadStoreFromBlob the property hCertStore.IsInvalid is true and I get the exception.

Here is also the code of LoadStoreFromBlob():

// Decompiled from the .NET Framework System.dll; CAPI.* are P/Invoke wrappers around crypt32.dll.
private unsafe static System.Security.Cryptography.SafeCertStoreHandle LoadStoreFromBlob(byte[] rawData, string password, uint dwFlags, bool persistKeyContainers)
{
    uint num = 0u;   // receives the detected content type (CERT_QUERY_CONTENT_*)
    System.Security.Cryptography.SafeCertStoreHandle phCertStore = System.Security.Cryptography.SafeCertStoreHandle.InvalidHandle;
    // CryptQueryObject(CERT_QUERY_OBJECT_BLOB = 2, blob,
    //   0x1732 = accept CERT, SERIALIZED_STORE/CERT, PKCS7 and PFX content types,
    //   CERT_QUERY_FORMAT_FLAG_ALL = 0xE, ...)
    if (!CAPI.CryptQueryObject(2u, rawData, 5938u, 14u, 0u, IntPtr.Zero, new IntPtr(&num), IntPtr.Zero, ref phCertStore, IntPtr.Zero, IntPtr.Zero))
    {
        throw new CryptographicException(Marshal.GetLastWin32Error());
    }

    if (num == 12)   // CERT_QUERY_CONTENT_PFX: the blob is PKCS#12, so decrypt it with the password
    {
        phCertStore.Dispose();
        phCertStore = CAPI.PFXImportCertStore(2u, rawData, password, dwFlags, persistKeyContainers);
    }

    // PFXImportCertStore hands back an invalid handle when it cannot decrypt the blob; the last
    // Win32 error is then ERROR_INVALID_PASSWORD ("The specified network password is not correct"),
    // which is what surfaces as the CryptographicException in the question.
    if (phCertStore == null || phCertStore.IsInvalid)
    {
        throw new CryptographicException(Marshal.GetLastWin32Error());
    }

    return phCertStore;
}

So I suspect it's related to the LTSB but unfortunately I don't know what else to check.

Updates

I have converted the certificate into a pfx file. After the conversion, I tried to import it using the "Certificate Import Wizard". Here I also get the error message: "The password you entered is incorrect". On my computer it works again - only Windows 10 LTSB 2016 is affected.

CodePudding user response:

The .p12 file probably cannot be imported into Windows 2016 using the built-in Windows 2016 tools. To check that: "For each of your PKCS #12 files, you could try the following: issue the command certutil -asn | findstr /i "pb aes des sha" (replacing "" with the name of the PKCS #12 file).

If the output starts like:

| | | | | ; 1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES

then it should be possible to import the PKCS #12 file into Windows 2016.

If the output starts like:

| | | | | ; 1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2
| | | | | | ; 1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2
| | | | | ; 2.16.840.1.101.3.4.1.42 aes256

or similar, then the PKCS #12 file probably cannot be imported into Windows 2016 using the built-in Windows 2016 tools. You will have to recreate the PKCS #12 file using TripleDES and SHA1." - see thread: https://learn.microsoft.com/en-us/answers/questions/518605/importing-a-pkcs12-to-windows-server-2016.html

Converting an Incompatible PKCS#12 Format File to a Compatible PKCS#12: https://kb.globalscape.com/Knowledgebase/11040/Converting-an-Incompatible-PKCS12-Format-File-to-a-Compatible-PKCS12
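As an added diagnostic (not part of the question or the answer above), the following Python script applies the answer's certutil check offline: it DER-encodes the OIDs quoted above and scans a PKCS#12 blob for them, then reports whether the file uses the PBES2/PBKDF2/AES-256 scheme the answer says Windows 2016 rejects or the SHA1+3DES scheme it accepts. It assumes a raw DER PKCS#12 as input (for the base64 string in the question, pass base64.b64decode(cert)); the two sample structures are constructed, not real certificates.

```python
# OIDs named in the certutil -asn output quoted in the answer above.
LEGACY_PBE = {"1.2.840.113549.1.12.1.3": "szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES"}
MODERN_PBE = {
    "1.2.840.113549.1.5.13": "szOID_PKCS_5_PBES2",
    "1.2.840.113549.1.5.12": "szOID_PKCS_5_PBKDF2",
    "2.16.840.1.101.3.4.1.42": "aes256",
}

def encode_oid(dotted):
    """DER-encode a dotted OBJECT IDENTIFIER as a tag 0x06 TLV (short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128 digits, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return bytes([0x06, len(body)]) + bytes(body)

def find_algorithms(der):
    """Map dotted OID -> name for each known PBE OID whose DER TLV occurs in the blob. The PKCS#12
    authSafe is a plain 'data' ContentInfo, so the AlgorithmIdentifiers of its EncryptedData and
    shrouded-key EncryptedPrivateKeyInfo are stored in cleartext and can be matched byte-wise."""
    known = {**LEGACY_PBE, **MODERN_PBE}
    return {oid: name for oid, name in known.items() if encode_oid(oid) in der}

def classify(der):
    """'incompatible' if PBES2/PBKDF2/AES-256 appears (recreate with 3DES+SHA-1 for Windows 2016),
    'compatible' if only the SHA1+3DES PBE appears, 'unknown' if neither marker is present."""
    found = find_algorithms(der)
    if any(oid in MODERN_PBE for oid in found):
        return "incompatible"
    return "compatible" if found else "unknown"

def _seq(*items):  # minimal DER SEQUENCE builder, used only for the constructed samples below
    body = b"".join(items)
    return bytes([0x30, len(body)]) + body

# Constructed stand-ins for the AlgorithmIdentifier parts of two PKCS#12 files (not real certificates).
PBES2_SAMPLE = _seq(encode_oid("1.2.840.113549.1.5.13"), _seq(
    _seq(encode_oid("1.2.840.113549.1.5.12"), b"\x04\x08" + bytes(8)),
    _seq(encode_oid("2.16.840.1.101.3.4.1.42"), b"\x04\x10" + bytes(16))))
LEGACY_SAMPLE = _seq(encode_oid("1.2.840.113549.1.12.1.3"), _seq(b"\x04\x08" + bytes(8), b"\x02\x02\x08\x00"))

if __name__ == "__main__":
    print("PBES2 sample:", classify(PBES2_SAMPLE), "| 3DES sample:", classify(LEGACY_SAMPLE))
```

A byte-wise match can in principle land inside encrypted content by chance, so treat a hit as a strong hint and confirm with certutil -asn as the answer describes.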
