
I'm creating an x509 certificate using makecert with the following parameters:

makecert -r -pe -n "CN=Client" -ss MyApp

I want to use this certificate to encrypt and decrypt data with the RSA algorithm. I looked at the generated certificate in the Windows certificate store and everything seems ok (it has a private key, the public key is an RSA key with 1024 bits and so on..)

Now I use this C# code to encrypt data:

using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Open the "MyApp" store (the one makecert wrote to with -ss MyApp) and pick the cert by subject name
X509Store store = new X509Store("MyApp", StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, "Client", false);
X509Certificate2 _x509 = certs[0];

byte[] _encryptedData;
// Encrypt with the certificate's public key using OAEP padding (second argument true)
using (RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)_x509.PublicKey.Key)
{
    byte[] dataToEncrypt = Encoding.UTF8.GetBytes("hello");
    _encryptedData = rsa.Encrypt(dataToEncrypt, true);
}

When executing the Encrypt method, I receive a CryptographicException with the message "Bad key".

I think the code is fine. Probably I'm not creating the certificate properly. Any comments? Thanks

---------------- EDIT --------------
If anyone knows how to create the certificate using OpenSSL, that's also a valid answer for me.

Zé Carlos
  • When creating your cert what is the bit of the private/public key pairs you specify ? probably you have to specify longer keys 4048 bits? – berkay Jun 09 '10 at 17:56
  • I'm not sure what option you are talking about. I just used the options I show above in the makecert command. If you are talking about another one, assume the default value. But my public key has 1024 bits. – Zé Carlos Jun 09 '10 at 18:00
  • Okay, then. I never use makecert; just search how to create it with 4048 bits. 1024 bits is broken; for that reason you can get the error. – berkay Jun 09 '10 at 18:03
  • Thanks Berkay. I tried the options -len 2048 and -len 4096. But the problem continues. – Zé Carlos Jun 09 '10 at 18:13
    This: http://www.enterprisedt.com/products/edtftpnetpro/doc/manual/privatekeyaccessproblems.html site has a nice set of steps for creating and exporting certificates. – Steve Wranovsky Jun 23 '10 at 06:15

2 Answers


To allow the key to be used for encryption, you should use the `-sky` option. By default `makecert` uses the AT_SIGNATURE key specification, which will not work with encryption/decryption. Instead, have it use the AT_KEYEXCHANGE specification by issuing the following command:

makecert -r -pe -n "CN=Client" -ss MyApp -sky Exchange

(Remember to delete the previous key or use another container name.)

Rasmus Faber
  • I read that the RSA algorithm can be used both to sign and encrypt messages. Is it impossible to have the cipher and sign keys in just one cert? – Zé Carlos Jun 10 '10 at 12:09
    An AT_KEYEXCHANGE can be used for both signing and encryption, just not the other way around. – Rasmus Faber Jun 10 '10 at 17:29
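The following is an added example (not code from the question or the answer above) that makes the AT_SIGNATURE/AT_KEYEXCHANGE distinction visible before any encryption is attempted: it reads the key spec of the certificate's private-key container through CspKeyContainerInfo.KeyNumber, refuses to continue if the container was created as AT_SIGNATURE, and otherwise round-trips a message through the public key (encrypt) and private key (decrypt). It assumes the store name "MyApp" and subject "CN=Client" from the question, a certificate created with `-pe` so the private key is exportable into the store, and the CAPI-backed RSACryptoServiceProvider of the classic .NET Framework (the `FindCert` helper and the class name are the example's own).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: check which CAPI key spec the makecert-generated container has,
// then encrypt with the public key and decrypt with the private key.
// Store name and subject are taken from the question; the helper is hypothetical.
static class RsaCertRoundTrip
{
    static X509Certificate2 FindCert(string storeName, string subject)
    {
        var store = new X509Store(storeName, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var certs = store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
            if (certs.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with subject '" + subject + "' in store '" + storeName + "'");
            return certs[0];
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        X509Certificate2 cert = FindCert("MyApp", "Client");
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; re-create it with -pe");

        // The private key object exposes the key container, and the container
        // records the key spec makecert used (AT_SIGNATURE vs AT_KEYEXCHANGE).
        var priv = cert.PrivateKey as RSACryptoServiceProvider;
        if (priv == null)
            throw new InvalidOperationException("Private key is not a CAPI (CSP) RSA key");
        CspKeyContainerInfo info = priv.CspKeyContainerInfo;
        Console.WriteLine("Container: {0}  KeyNumber: {1}  KeySize: {2}",
                          info.KeyContainerName, info.KeyNumber, priv.KeySize);
        if (info.KeyNumber != KeyNumber.Exchange)
            throw new InvalidOperationException(
                "Key container was created as AT_SIGNATURE; " +
                "re-create the certificate with 'makecert ... -sky Exchange'");

        // Encrypt with the public key (OAEP padding: second argument true).
        // Do not Dispose this object: it is owned by the certificate.
        var pub = (RSACryptoServiceProvider)cert.PublicKey.Key;
        byte[] plaintext = Encoding.UTF8.GetBytes("hello");
        byte[] ciphertext = pub.Encrypt(plaintext, true);

        // Decrypt with the private key from the same container.
        byte[] recovered = priv.Decrypt(ciphertext, true);
        Console.WriteLine("Round trip: " + Encoding.UTF8.GetString(recovered));
    }
}
```

Two things worth knowing when running this: KeyNumber.Signature is what you get for a container created with the default `makecert` options, and after fixing the `-sky` option you still need to remove or rename the old container, because makecert will otherwise reuse the existing AT_SIGNATURE key and the check will keep failing. OAEP also limits the plaintext per RSA operation to roughly the modulus size minus 42 bytes (about 86 bytes for a 1024-bit key), so anything longer than a short message should be wrapped in a symmetric key rather than encrypted directly.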

This was another page I stumbled across when I was trying to find examples of makecert usage with x509 certificates and RSA using C#, and unfortunately it only provided part of the solution. I put all the bits together in a blog entry that people might be interested in; it can be found here: http://nick-howard.blogspot.com/2011/05/makecert-x509-certificates-and-rsa.html

Nick Howard