RE: HttpWebRequest and Password Protected Private Keys



Your description of my scenario is accurate and describes my problem.
Exporting the key and eliminating the strong protection would work, but I was
hoping for a solution that could access the private key perhaps through the
Win32 CryptoAPI (P/Invoke) to programmatically get that password dialog box
to be displayed to gain access to the key.

Do you know if this is possible? My other solution is to host the IE
browser control in my application and make calls to it to perform the work.

thanks,

--
Brian R.



"Steven Cheng[MSFT]" wrote:

Hi Brian,

From your description, you're using HttpWebRequest to send an HTTP message
and need to attach a client certificate for authentication. However, you
found that the program always fails with a 403 exception at runtime, and
when using the web browser to select that particular client certificate, you get
a prompt dialog asking for a password, correct?

As for this behavior, it is due to your client certificate being requested and
installed in strong-protection mode, which means that whenever any program needs
to access the private key associated with that certificate, the system will
prompt for a password. When you use this certificate in a desktop
application (such as the IE browser or a WinForms application), Windows
shows a dialog for you to enter the password so as to access the private key.
However, if you use the certificate (private key) in a non-interactive
application (such as an ASP.NET web application or a Windows service), the dialog
is invisible, which causes the program to end with an error.

Based on my test, for such a scenario, since a strong-protected certificate
forces the user to enter the password, you can consider either of the
following approaches:

1. Export the certificate (from the certificate store) to a PFX file on
disk (containing the private key); do remember to uncheck the "enable strong
protection..." option when exporting. After that, in your
program, you can programmatically load the certificate from the PFX file.
e.g.

================
// Requires: using System; using System.Security.Cryptography.X509Certificates;
private void btnPwdTest_Click(object sender, EventArgs e)
{
    // Load the certificate and its private key from the exported PFX file.
    // The password passed here is the one protecting the PFX file itself.
    X509Certificate2 certpwd = new X509Certificate2();
    certpwd.Import(@"E:\temp\cert_temp\pwdtest\pwdtestcert1.pfx",
        "Password01!", X509KeyStorageFlags.DefaultKeySet);
    // ... use certpwd (e.g. add it to the request's ClientCertificates)
}
=======================

You will not be asked for the password interactively. Notice that the
"Password01!" above is different from the password you're asked under
"Strong-Protection mode", the "Password01!" password above is the one used
to secure the pfx file.


2. Since you've exported the certificate (with "strong-protection..."
unchecked) into a PFX file, you can import it again into the certificate store
(without strong protection). Thus, you can access that unprotected
certificate in code.

What do you think? If you have anything unclear or any other questions on
this, please feel free to let me know.


Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.
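The two approaches above, carried through to the point of attaching the certificate to an HttpWebRequest, as an added example that is not part of the original thread. It loads the exported PFX with MachineKeySet (so a service or ASP.NET worker can reach the key without a loaded user profile), optionally imports it into the store so later runs can find it by thumbprint, and reports the HTTP status so a 403 is distinguished from an unreachable private key. The file path, URL, thumbprint and environment variable name are assumptions.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example; paths, URL and variable names are assumed, not from the thread.
public static class ClientCertDemo
{
    // Approach 1: load the exported .pfx directly.
    public static X509Certificate2 LoadFromPfx(string pfxPath, string pfxPassword)
    {
        // MachineKeySet: the private key is placed in the machine key container,
        // which non-interactive processes (services, ASP.NET) can use.
        // Without PersistKeySet the key is not left on disk after the object dies.
        var cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                "PFX contains no private key; export it with the private key included.");
        return cert;
    }

    // Approach 2: import once into the store (no strong protection prompt
    // since the PFX was exported with that option unchecked).
    public static void ImportToStore(X509Certificate2 cert, StoreLocation location)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }
        finally { store.Close(); }
    }

    // Later runs look the certificate up by thumbprint; no PFX password needed.
    public static X509Certificate2 FindInStore(string thumbprint, StoreLocation location)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a self-signed test certificate is also returned.
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 ? found[0] : null;
        }
        finally { store.Close(); }
    }

    // Sends the request with the client certificate and returns the HTTP status.
    // A 403 here means the server saw the certificate and rejected it, which is
    // a different failure from the private key being unreachable.
    public static int SendWithClientCert(string url, X509Certificate2 cert)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.ClientCertificates.Add(cert);
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                return (int)response.StatusCode;
        }
        catch (WebException ex)
        {
            var errorResponse = ex.Response as HttpWebResponse;
            if (errorResponse == null) throw;   // transport-level failure, not an HTTP status
            using (errorResponse)
                return (int)errorResponse.StatusCode;
        }
    }

    public static void Main()
    {
        // The PFX password is read from the environment instead of source code
        // (variable name is an assumption).
        string pfxPassword = Environment.GetEnvironmentVariable("CLIENT_PFX_PASSWORD");
        var cert = LoadFromPfx(@"C:\certs\client.pfx", pfxPassword);

        // Optional: approach 2, so the next run can use FindInStore(cert.Thumbprint, ...)
        // ImportToStore(cert, StoreLocation.LocalMachine);

        int status = SendWithClientCert("https://example.com/secure", cert);
        Console.WriteLine("HTTP status: " + status);
    }
}
```

Importing into StoreLocation.LocalMachine requires administrative rights; CurrentUser works for a desktop process but is not visible to a service running under a different account.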