X509Certificate.CreateFromCertFile - the specified network password is not correct

Question

I have a .NET application that I want to use as a client to call an SSL SOAP web service. I have been supplied with a valid client certificate called foo.pfx. There is a password on the certificate itself.

I've located the certificate at the following location: C:\certs\foo.pfx

To call the web service, I need to attach the client certificate. Here's the code:

public X509Certificate GetCertificateFromDisk(){
    try{             

       string certPath = ConfigurationManager.AppSettings["MyCertPath"].ToString(); 
       //this evaluates to "c:\\certs\\foo.pfx". So far so good.

       X509Certificate myCert = X509Certificate.CreateFromCertFile(certPath);
       // exception is raised here! "The specified network password is not correct" 

       return cert;

     }
    catch (Exception ex){    
        throw;
     }
}

It sounds like the exception is around the .NET application trying to read the disk. The method CreateFromCertFile is a static method that should create a new instance of X509Certificate. The method isn't overridden, and has only one argument: the path.

When I inspect the Exception, I find this:

_COMPlusExceptionCode = -532459699
Source=mscorlib

Question: does anyone know what the cause of the exception "The specified network password is not correct" ?

Answer 1

Turns out that I was trying to create a certificate from the .pfx instead of the .cer file.

Lesson learned...

• .cer files are an X.509 certificate in binary form. They are DER encoded.
• .pfx files are container files. Also DER encoded. They contain not only certificates, but also private keys in encrypted form.

Answer 2

Depending on your situation you probably need to install the certificate on the server first to get the trust level up before you export the .cer file.

I had to do this for a similar project and here were my notes on how it was accomplished.

Replace the Foo.cer with an export of the certificate installed on the server. (Install the cert from the pfx file and then export it to a cer file)

--Command for IIS6 to allow IIS_WPG group access to the cert key. Need to install winhttpcertcfg, (You can follow the link below to grab your own copy.)

C:\Program Files\Windows Resource Kits\Tools>winhttpcertcfg -i (Path to pfx file, eg. e:\Certs\Foo.pfx) -c LOCAL_MACHINE\My -a IIS_WPG -p (Password for pfx file)

--Spits out key info and grants privilage

Granting private key access for account: (SERVERNAME)\IIS_WPG

Download WinHttpCertCfg.msi here that installs the exe www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en

More info on how to use the cert config. msdn2.microsoft.com/en-us/library/aa384088.aspx

Then it just goes back to how you are doing your cert push.

        //Cert Challenge URL 
        Uri requestURI = new Uri("https://someurl");

        //Create the Request Object
        HttpWebRequest pageRequest = (HttpWebRequest)WebRequest.Create(requestURI);

        //After installing the cert on the server export a client cert to the working directory as Foo.cer
        string certFile = MapPath("Foo.cer");
        X509Certificate cert = X509Certificate.CreateFromCertFile(certFile);


        //Set the Request Object parameters
        pageRequest.ContentType = "application/x-www-form-urlencoded";
        pageRequest.Method = "POST";
        pageRequest.AllowWriteStreamBuffering = false;
        pageRequest.AllowAutoRedirect = false;
        pageRequest.ClientCertificates.Add(cert);

This how I passed the cert but not sure exactly what you are needing to do with your cert so this might not be the same for you.

Answer 3

The 'the specified network password is not correct' error message is also returned when the certificate you are trying to import in one of the OS stores is already present in that store.