
When I import a certificate into a store using CertUtil, e.g., certutil -f -v -user -privatekey -importPFX my mycert.p12, and then read it back in C#, I see that its export policy is AllowExport | AllowPlaintextExport.

However, when importing the same certificate to the same store using the X509Store.Add() method and then reading it back, the export policy is only AllowExport; I use the X509KeyStorageFlags.Exportable flag when importing the certificate to the store, e.g.:

...
X509Certificate2Collection x509cert2Collection = new X509Certificate2Collection();
// Note: without X509KeyStorageFlags.PersistKeySet the imported key container is
// temporary and is deleted once the certificate objects are disposed/collected.
x509cert2Collection.Import(myp12bytes, passwd, X509KeyStorageFlags.Exportable);
// Open the store once, read/write; on .NET Framework Add() throws a
// CryptographicException if the store has not been opened first.
using (X509Store myStore = new X509Store(StoreName.My, StoreLocation.CurrentUser)) {
    myStore.Open(OpenFlags.ReadWrite);
    foreach (X509Certificate2 x509cert2 in x509cert2Collection) {
        myStore.Add(x509cert2);
    }
    myStore.Close();
}
...

My question is: is there a way to add an X509Certificate2 to the X509Store in C# so that the certificate's export policy includes both AllowExport and AllowPlaintextExport? X509KeyStorageFlags does not seem to define the AllowPlaintextExport flag; only CngExportPolicies does.

FYI, I'm using .NET Framework 4.6.1 as the target.

Thanks.

hyongsop
  • Is there a business case to utilize this flag? – Crypt32 Oct 02 '17 at 20:29
  • I'm exporting the CNG keys to create BouncyCastle keys as described, e.g., [here](http://bouncy-castle.1462172.n4.nabble.com/Import-an-ECDSA-public-key-from-CngKey-to-BouncyCastle-td4658365.html). When doing so with a cert imported with certutil, it works, but an exception is raised when doing the same with a cert added with the C# API. – hyongsop Oct 03 '17 at 12:52
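The "read it back in C#" check the question relies on, as an added example that is not part of the original post: it walks CurrentUser\My and reports, per private key, whether the CNG export policy carries AllowPlaintextExport, AllowExport only, or neither. It assumes .NET Framework 4.6.1 and CNG (KSP) keys; a key held by a legacy CAPI CSP has no CngExportPolicies and is reported as such.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the question. Audits which private keys in the
// CurrentUser\My store are plaintext-exportable (the AllowExport vs
// AllowExport | AllowPlaintextExport difference discussed above).
static class ExportPolicyAudit
{
    // Returns the key's CngExportPolicies, or null when the certificate has no
    // private key or the key is not CNG-backed (e.g. it lives in a CAPI CSP).
    public static CngExportPolicies? GetExportPolicy(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return null;
        using (RSA rsa = cert.GetRSAPrivateKey())        // null for non-RSA certs
        {
            var rsaCng = rsa as RSACng;
            if (rsaCng != null) return rsaCng.Key.ExportPolicy;
            if (rsa != null) return null;                // RSA key, but CAPI-backed
        }
        using (ECDsa ecdsa = cert.GetECDsaPrivateKey())  // null for non-EC certs
        {
            var ecCng = ecdsa as ECDsaCng;
            if (ecCng != null) return ecCng.Key.ExportPolicy;
        }
        return null;
    }

    public static string Describe(CngExportPolicies? policy)
    {
        if (policy == null) return "no CNG key (CAPI-backed or inaccessible)";
        if (policy.Value.HasFlag(CngExportPolicies.AllowPlaintextExport)) return "PLAINTEXT-EXPORTABLE";
        if (policy.Value.HasFlag(CngExportPolicies.AllowExport)) return "exportable (encrypted blob only)";
        return "non-exportable";
    }

    public static void Main()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (!cert.HasPrivateKey) continue;
                CngExportPolicies? policy = GetExportPolicy(cert);
                Console.WriteLine("{0} [{1}]: {2} ({3})", cert.Thumbprint, cert.Subject,
                    Describe(policy), policy == null ? "n/a" : policy.Value.ToString());
            }
        }
    }
}
```

Run it once after the certutil import and once after the X509Store.Add() import to see the two policies side by side.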
