10

I have a problem with an MVC web app which calls to another service using a private certificate.

The certificate is in my Personal keystore against the current machine- I have used winhttpcertcfg to give permissions to the certificate to the app pool identity of my web application. The key is loaded in the following method;

internal bool SetCertificateFromCertStore(string subjectName)
{
    X509Store store = null;
    try
    {
        store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
        if (certs.Count != 1)
        {
            store.Close();
            store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            certs = store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, true);
            if (certs.Count != 1)
            {
                throw new Exception("Unable to find Certificate");
            }
        }
        _certificate = certs[0];
        return true;
    }
    finally
    {
        if (store != null)
        {
            store.Close();
        }
    }
}

This code worked everytime until a couple weeks ago (the 12th of April) when at 17:05 I noticed the first instance in ELMAH of the "Unable to find Certificate" exception being thrown. Checking the applications log, the system is still working on almost all the request with this error cropping up just a few times an hour on some requests.

I've read around similar questions which suggest implementing code similar to the code I'm already using (querying multiple stores). Is there some kind of known issue with the Windows certificate store? Perhaps a locking issue? Is there another way to tackle this or something obvious I'm doing wrong here?

Any help you can offer would be appreciated as I've run out of things to try!

Jamie Rees
  • 7,973
  • 2
  • 45
  • 83
Shawson
  • 1,858
  • 2
  • 24
  • 38
  • Have you recently renewed the certificate? Do you know that `!= 1` is 0, instead of 2? – bartonjs Apr 25 '17 at 13:14
  • Nope- no changes :( My two thoughts are, traffic is ramping up on the site, so perhaps this is some kind of weird locking issue on the cert stores, or some windows update has breezed onto the box and destroyed something along the way, but our infrastructure team are quite confident no patches were rolled out at that time – Shawson Apr 25 '17 at 15:01
  • 1
    In general I avoid using `validOnly: true`, since it builds an X509Chain for each cert that it might return. If you don't have intermediate certs cached and the network hiccups then you can have values be counted as not valid. (Either way, be careful to pick the "correct" certificate during rollover, usually the one with the newer `NotBefore` value) – bartonjs Apr 25 '17 at 15:07
  • Ok I'll give this a go. I would not expect any invalid versions of this cert on the server anyway as they are installed manually by us and checked at that point. From the comments, am I right in thinking that when this cert expires and we install a new one, the old one will be retained in the store? – Shawson Apr 26 '17 at 15:07
  • Nothing is auto-deleted from the store, so: yup. – bartonjs Apr 26 '17 at 15:09
  • Is it still intermittently failing? or completely stopped or working? Even if you found the issue, you should definitely consider changing `certs.Count != 1` to `certs.Count == 0` because if you renewed or some ps script somewhere accidentally reinstalled the cert into a store, searching by subjectName will return 2 certs and cause your program to fail for no reason. – degant May 03 '17 at 18:37
  • Yea consistently intermittent. I shall make that update- the code for this piece was actually a stock bit of code from Experian. The fix for this looks like a matter of simply removing the validOnly parameter, but that does make me a little nervous. – Shawson May 04 '17 at 10:34
  • What user is displaying when you add this line to the code: System.Security.Principal.WindowsIdentity.GetCurrent().Name – Preben Huybrechts May 05 '17 at 11:02
  • @Shawson Did removing the validOnly: true bit resolve the issue? I'm facing the same issue intermittently and have validOnly: true, so I'm thinking of trying the same. – Justin Feb 22 '22 at 16:59

0 Answers0