CryptographicException: The handle is invalid

The Problem

I was recently working on a method to load a X509 certificate from the server’s certificates store. While my code worked fine on my local machine, I kept getting a System.Security.Cryptography.CryptographicException saying that the handle was not valid after deploying to our test server. I made sure that the certificate was present in the store.

The code I was using to read the certificate looked something like this:

   1: using System.Security.Cryptography.X509Certificates;
   2: ...
   3:     private X509Certificate2 GetCertFromStore(StoreName name, StoreLocation location, X509FindType findType, Object value)
   4:     {
   5:         X509Store store = new X509Store(name, location);
   6:         X509Certificate2 cert = null;
   7:         try
   8:         {
   9:             store.Open(OpenFlags.ReadOnly);
  10:             cert = store.Certificates.Find(findType, value, False)[0];
  11:         }
  12:         finally
  13:         {
  14:             if (store != null)
  15:                 store.Close();
  16:         }
  17:         return cert;
  18:     }
  19: }

Why is it happening?

It came down to a permissions issue. On my local machine, I am an administrator and I had the rights to read the certificate. However, the account my application was running under on the test server did not have the necessary permissions to read the certificate or the Private Key File to be exact.

The Solution

The solution is to give the account read rights to the certificate and this can be achieved using the Certificates Tool from WSE 3.0. WSE 3.0 is the latest version of Web Service Enhancements for .NET and can be downloaded here.

After you open the tool, you will be presented with a window like this one:


Choose the location of the certificate for which you want to alter permissions (in my case it is on the Local Computer in the Personal store) and click on Open Certificate. This will open another dialog allowing you to pick which certificate you want to work with in case you have more than one in the store.

To update the permissions, you need to click on the View Private Key File Properties… button. The dialog that opens is the usual file properties dialog so it should look familiar and updating the security settings should be straight forward. You only need to allow Read & Execute and Read permissions for the account running your app.



9 Responses to CryptographicException: The handle is invalid

  1. Tran Chi Khanh says:

    Thanks a lot. I am student in Viet Nam, my project have to use ssl in wcf. I spend a lot of time so that find a solution to resolve this problem, and you have me a lot. Sorry if my english so bad

  2. B Fenske says:

    This was exactly what I needed. Saved me a ton of time! Thanks very much

  3. Itesh Chandra Simlai says:

    Thanks very much. You have saved my good amount of time for finding the solution to the problem.

  4. shan says:

    excellent, thank you sooooo much, this saved me from hours of pain. i had WSE 2.0 (very old system I am working on) and adding Network Service to the cert security worked. cheers

  5. Ramprasad says:

    I had replaced a certificate with new version and faced the same issue in the server. With this help, I could fix the issue. Thank you so much for the details.

  6. Ev says:

    Thanks for the info! It was really helpful.

    One thing, your link to WSE 3.0 points to the re-distributable runtime. To get the certificate tools you refer to, I downloaded from here:

  7. Pingback: Confluence: HBi

  8. Smithc5 says:

    Nice post. I was checking constantly this blog and I am impressed! Extremely useful information specially the last part ddbeefckbfabddgg

  9. naomi says:

    Is it a good solution for web application? or only client .exe?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: