CryptographicException: The handle is invalid
October 31, 2008
The Problem
I was recently working on a method to load an X509 certificate from the server’s certificate store. While my code worked fine on my local machine, I kept getting a System.Security.Cryptography.CryptographicException saying that the handle was not valid after deploying to our test server. I made sure that the certificate was present in the store.
The code I was using to read the certificate looked something like this:
    using System.Security.Cryptography.X509Certificates;
    ...
    private X509Certificate2 GetCertFromStore(StoreName name, StoreLocation location, X509FindType findType, Object value)
    {
        X509Store store = new X509Store(name, location);
        X509Certificate2 cert = null;
        try
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly = false: also return certificates that fail chain validation
            X509Certificate2Collection matches = store.Certificates.Find(findType, value, false);
            // Return null instead of throwing when no certificate matches
            if (matches.Count > 0)
                cert = matches[0];
        }
        finally
        {
            store.Close();
        }
        return cert;
    }
    }
Why is it happening?
It came down to a permissions issue. On my local machine, I am an administrator and I had the rights to read the certificate. However, the account my application was running under on the test server did not have the necessary permissions to read the certificate or, to be exact, its private key file.
The Solution
The solution is to give the account read rights to the certificate's private key file. This can be done with the Certificates Tool from WSE 3.0. WSE 3.0 is the latest version of Web Services Enhancements for .NET and can be downloaded here.
After you open the tool, you will be presented with a window like this one:
Choose the location of the certificate for which you want to alter permissions (in my case it is on the Local Computer in the Personal store) and click on Open Certificate. This will open another dialog allowing you to pick which certificate you want to work with in case you have more than one in the store.
To update the permissions, click the View Private Key File Properties… button. The dialog that opens is the usual file properties dialog, so it should look familiar, and updating the security settings should be straightforward. You only need to allow Read & Execute and Read permissions for the account running your app.
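
The same permission change can also be scripted. The following is an added example, not part of the original post or of the WSE tool; the function name and parameters are hypothetical. It assumes a certificate in the Local Computer Personal store with a CSP-backed RSA key, and Windows PowerShell running elevated.

```powershell
# Added example: grant an account read access to a certificate's private key file.
# Assumptions: LocalMachine\My store, CSP-backed RSA key, elevated Windows PowerShell.
function Grant-CertPrivateKeyRead {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,  # certificate to fix
        [Parameter(Mandatory = $true)] [string] $Account      # account running the app
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\My."
    }
    if (-not $cert.HasPrivateKey) {
        throw "The certificate has no associated private key."
    }

    # For CSP keys, the unique container name is the file name under MachineKeys.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $container) {
        throw "Not a CSP-backed key; its key file is stored elsewhere."
    }
    $appData = [Environment]::GetFolderPath('CommonApplicationData')
    $keyFile = Join-Path $appData "Microsoft\Crypto\RSA\MachineKeys\$container"

    # ReadAndExecute corresponds to the "Read & Execute" and "Read" boxes in the dialog.
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting entries so the change can be reviewed.
    (Get-Acl -Path $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Constructed sample call; replace both values with your own.
# Grant-CertPrivateKeyRead -Thumbprint '<THUMBPRINT-PLACEHOLDER>' -Account 'NETWORK SERVICE'
```

Grant the right only to the specific account the application runs under, and check the returned access list to confirm that no broader entries are present on the key file.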

Thanks a lot. I am a student in Viet Nam, and my project has to use SSL in WCF. I spent a lot of time trying to find a solution to this problem, and you helped me a lot. Sorry if my English is so bad.
This was exactly what I needed. Saved me a ton of time! Thanks very much
Thanks very much. You have saved me a good amount of time in finding the solution to the problem.
Excellent, thank you sooooo much, this saved me from hours of pain. I had WSE 2.0 (very old system I am working on) and adding Network Service to the cert security worked. Cheers.
I had replaced a certificate with a new version and faced the same issue on the server. With this help, I could fix the issue. Thank you so much for the details.
Thanks for the info! It was really helpful.
One thing, your link to WSE 3.0 points to the re-distributable runtime. To get the certificate tools you refer to, I downloaded from here:
http://www.microsoft.com/en-us/download/details.aspx?id=14089