This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 17%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHR%3C/text%3E%3C/svg%3E)
We are building an ASP.NET application inside a Windows Docker container to be run as an Azure IoTEdge module. The module periodically gets a direct method callback from the cloud with an updated server certificates as a PKCS#12 .pfx file. The PFX file is password protected, contains the certificate chain as well as the private key. The certificate is signed by a new Intermediate CA certificate every year. We need the ASP.NET certificate presented at connection time to include those updated intermediate certificates. Using openssl s_client -host <ip> -port 443 -prexit -showcerts, we only see the device certificate.
After much confusing research, we believe we have narrowed it down to the Intermediate CA needs to be in our container's Intermediate CA X509 store. It appears the Current User store is adequate, but Local Machine appears to work as well. Here is the code we are currently using.
StoreName storeName = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? StoreName.CertificateAuthority : StoreName.Root;
using (var store = new X509Store(storeName, StoreLocation.CurrentUser))
{
store.Open(OpenFlags.OpenExistingOnly | OpenFlags.ReadWrite);X509Certificate2Collection collection = new X509Certificate2Collection();
collection.Import(currentWebServerCertificateFilename, currentWebServerCertificatePassword, X509KeyStorageFlags.X509KeyStorageFlags.DefaultKeySet);
foreach (var cert in collection)
{
if (cert.Thumbprint == myCert.Thumbprint) { continue; }if (store.Certificates.Contains(cert)) { continue; }
store.Add(cert);
}
}
When we push this container image out. We see the following in the logs
Unhandled exception. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
at Internal.Cryptography.Pal.StorePal.Add(ICertificatePal certificate)
at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate)
at Daikin.SystemManager.WebService.Program.addIntermediateCertificateToStore(X509Certificate2 myCert) in C:\src\DaikinSystemManagerWebService\Program.cs:line 134
at Daikin.SystemManager.WebService.Program.getWebServerCertificate() in C:\src\DaikinSystemManagerWebService\Program.cs:line 100
at Daikin.SystemManager.WebService.Program.CreateHostBuilder(String[] args) in C:\src\DaikinSystemManagerWebService\Program.cs:line 38
at Daikin.SystemManager.WebService.Program.Main(String[] args) in C:\src\DaikinSystemManagerWebService\Program.cs:line 26
This question was also asked at StackOverflow 12195361
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 38%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EQ%3C/text%3E%3C/svg%3E)
Hello @Holt, Robin M , Thanks for reaching out to us!
Have you come across the below thread on StackOverflow, please have a look if that helps ...
Your Access Denied indicates that you are not running as an administrator (and thus do not have the permission to add keys to the machine's keystore).
To ensure that keys from a PFX get added to the current user's key store set the X509KeyStorageFlags.UserKeySet flag. Or, if you've installed the early access build (or, in the future, the released build) of .NET Framework v4.7.2 you can use EphemeralKeySet to keep the private key in memory and avoid the keystore altogether.
Hi @Matthijs van der Veer , Do you have any insights on this issue?
I am using the CurrentUser CertificateAuthority store, yet I still get the Access Denied. Additionally, I have tried with the .UserKeySet, but that made no difference. As for .NET Framework, this is a .NET core 3.1 application running inside a docker container.
@Holt, Robin M ,
Ok, let me check with my team as well on this. Please do let me know if you have any further questions.
Meanwhile, other community members are free to help us over here.
As a kludge, I switched the Dockerfile to have 'USER ContainerAdmin' right before the EXEC at the end of the recipe, the switched to using LocalComputer. Now the X509Store.Add() does not raise an exception and I get the certificate chain. I will try again with the 'USER ContainerAdmin' and switch back to CurrentUser to see if that works.
Awesome, fingers crossed. :)
CurrentUser does not work either with or without 'USER ContainerAdmin'
Hello @Holt, Robin M ,
Have you tried to post this question in the Windows Containers-MSDN forum?
Maybe we get a faster response over there...
Hello @Holt, Robin M , I am checking internally to help you get unblocked in this issue. Please let us know if you find any resolution on this issue.