Import BouncyCastle X509Certificate + Private Key (RSA) into Windows Certificate Store

0
votes

I've tried about everything to import a BouncyCastle-based X509Certificate instance with the associated private key (RsaPrivateCrtKeyParameters) via a .NET X509Certificate2 + an RSACryptoServiceProvider instances and saved it into a certificate store (.NET's X509Store, My/CurrentUser).

In the Certificate Store MMC snapin, it seems like there is a private key associated with the certificate, and I've verified that a new key container is created in the appropriate place on disk, but when I try to export the certificate, I get the dreaded "Note: The associated private key cannot be found. Only the certificate can be exported" message.

If I run certutil -user -repairstore my THUMBPRINT, I get the following error:

ERROR: Certificate public key does NOT match stored keyset

From the other information it spits out, I can clearly see that the public keys differ, and that the Algorithm Parameters equals "05 00" on the Certificate Public Key, but not on the Container Public Key.

In fact, I was not aware that there was a concept of a container public key, so I'm just very confused now. Does anyone have some working code for doing this?

1
c#x509certificatebouncycastle
Not sure how your code looks like, but mine (exporting from Bouncy Castle as .pfx file and then importing into the store via BCL classes) works flawlessly. The merge of private key and the certificate is carried out on Bouncy Castle side, not in BCL. - Lex Li

1 Answers

1
votes

I found the solution in Cabadam's answer here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/ad01b2eb-1890-431a-86ae-e5da0e02b5b0/cryptographicexception-key-does-not-exist-when-attempting-to-connect-to-remote-service

RSACryptoServiceProvider tempRcsp = (RSACryptoServiceProvider)DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)keyPair.Private);
  RSACryptoServiceProvider rcsp = new RSACryptoServiceProvider(new CspParameters(1, "Microsoft Strong Cryptographic Provider", new Guid().ToString(), new CryptoKeySecurity(), null));
  rcsp.ImportCspBlob(tempRcsp.ExportCspBlob(true));
  dotnetCertificate2.PrivateKey = rcsp;
// Save the certificate to the X509Store