Loading PFX without admin causes CryptographicException #110217
Comments
dotnet-policy-service
bot
added
the
untriaged
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones |
|
I am facing the same. Works on .net8 but exception on .net9. Running it with admin mode solves it. |
|
Same issue here. |
|
Same issue here: dotnet/aspnetcore#59300 |
dotnet-policy-service
bot
removed
the
untriaged
|
@krwq Please investigate this. The repro in dotnet/aspnetcore#59300 looks like a good way to get started. |
|
I have a different scenario which is running into trouble with .NET9 and which is failing for potentially the same reason. I understand that ... now is obsolete with .NET9, which is why I replaced it by The certificate itself is used by the Kestrel server: This works fine if the Kestrel server is running on the target (Linux) server. However, for development and debugging purposes I'm running the Kestrel server on my local Windows 11 machine as well where a SSH script reroutes the remote server port to my local machine. Code above only works on my local machine if I'm running Visual Studio as administrator. The local Kestrel server can't be reached if running as non-admin. Can you please confirm/deny that the source of trouble is the same as reports above? |
|
@DierkDroth it's likely related to the same piece of code but IMO failing for different reason - it will be beneficial if you could share steps how to create cert similar to yours. The simple repro for this issue is just this (ASP.NET is not needed): Pkcs12LoaderLimits limits = new Pkcs12LoaderLimits()
{
PreserveStorageProvider = true // true => seeing access denied; false => works
};
X509CertificateLoader.LoadPkcs12(File.ReadAllBytes("cert.pfx"), "1234", loaderLimits: limits);which seems inconsistent with what you're describing. I'd be still interested in seeing steps how to create a cert you're describing. We also noticed that for some reason this didn't repro for everyone. This most likely regressed with: #107005 but it was also fixing another issue so we need to figure out solution which makes this work with both scenarios and most likely your test case as well (and therefore my request to share steps to create your cert). With that PR reverted locally I wasn't able to repro this problem anymore but I've additionally seen some more tests failing locally with |
|
@krwq additional details:
I can't comment on how this regression was introduced to the .NET code, since I'm not part of the .NET9 dev team |
|
@DierkDroth thanks for clarification - when you say it doesn't work on Windows does Kestrel log look normal as if it started correctly but it doesn't let you connect? How did you create a certificate a pfx/PKCS12 you're passing in? |
|
@krwq sorry I'm neither a Kestrel expert nor a certificate expert. I did not notice any Kestrel errors nor logs in VS. The certificate is a PFX format certificate which I loaded as embedded resource to a C# byte array (not sure why that would be relevant though...). |
|
@DierkDroth pfx can be created in multiple ways and format has some slight variations between implementations. Knowing how you created it (i.e. command line) will tell us more what we need to fix. |
|
@krwq I purchased the PFX from a certificate provider. Unfortunately I don't recall the details. |
|
I tried upgrading to .NET 9 and am facing the exact same issue. Here is how the certificate is created and loaded:
"Kestrel": {
"Certificates": {
"Default": {
"Path": "../data/certs/wildcard.local.pfx",
"Password": "P@ssw0rd",
"AllowInvalid": true
}
}
},Local dev wildcard SSL certificate
Previous "Access Denied" resolution (but not working here)You need Read/Write on But the current .NET 9 error is: "Workarounds"
OR Non-admin by loading from the Certificate Store in "Kestrel": {
"Certificates": {
"Default": {
"Store": "My",
"Location": "LocalMachine",
"Subject": "*.mydomain.local",
"Password": "P@ssw0rd",
"AllowInvalid": true
}
}
}, |
|
same issue, but when I was trying to create a self-signed cert. Currently on .NET9, creation of I verified that running it as admin solves this but sadly, I cannot run this code as admin as the nominal flow. Any other workarounds? |
|
I was able to get the file method working by converting the pfx file to a p12 file. This approach was mentioned in on this comment https://stackoverflow.com/a/73095429. I don't understand enough about the pfx/p12 difference to know whether this is a good approach or not but it resolved my problem without changing system folder permissions and without running as admin. Update the path to reference the {
"Kestrel": {
"EndPoints": {
"Https": {
"Url": "https://thehostname:7269"
}
},
"Certificates": {
"Default": {
"Path": "C:\\certs\\cert.p12",
"Password": "FooBlaa"
}
}
}
}The app then ran ok without admin privileges and used the specified cert in the HTTPS connection. In case it's relevant in terms of reproducing the error - we run as non admin users and use a distinct account to elevate to admin. |
|
AFAIK p12 and pfx should be both PKCS#12. The only reason I can see this could help is re-export - I'm guessing something changed in the inner structure which causes it to now work. |
|
In my case I was generating a self signed certificate in code and changing below in my cert generation method solved the issue.
to
|
|
@krwq - any update on this ? We have this code, works fine in .NET 8 (admin and normal mode). Edit: It works fine on MacOS , is specific to Windows |
Description
After upgrading to .Net 9.0 on a API project the following codes throws the error "System.Security.Cryptography.CryptographicException: 'Access denied.'" when not run as Admin. This works fine without admin on .net 8.0.
Reproduction Steps
Expected behavior
Project runs without issue
Actual behavior
Exception thrown: System.Security.Cryptography.CryptographicException: 'Access denied.'
Regression?
Yes, works on .Net 8.0
Known Workarounds
No response
Configuration
.Net 9.0
Windows 11 26100.2314 x64
Other information
No response
The text was updated successfully, but these errors were encountered: