Richard Harding's spot on the web

IIS Express “Access Denied” Cryptographic Exception when creating X509 cert from file

Adding this here so I can find it when it happens again!

After a recent Windows 10 update (I’m in the insider fast ring so who knows what changed) I found that an ASP.NET MVC app no longer ran under IIS Express. As part of the app code it was creating an X509 Certificate by loading a pfx file from the file system:

var signingCertPath = @"D:\FooCert.pfx";

var cred = new X509SigningCredentials(new X509Certificate2(signingCertPath, "FooPassword", X509KeyStorageFlags.MachineKeySet));

This was resulting in a Cryptographic exception being thrown with the message “Access Denied” and little else to go on.

I suspected it was permissions on the machine key folder (e.g. C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys), but adding my account to that folder with full control made no difference. However, removing the MachineKeySet flag allowed the cert to be loaded.

I eventually resorted to using procmon (Sysinternals Procmon) to see what was generating the access error – it turned out to be the C:\ProgramData\Microsoft\Crypto\Keys folder. Adding my account with full control on that folder allowed the cert to load (still no idea why an update had changed this).
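The following PowerShell check is an added example, not code from the original post. It lists the ACL entries on the two key folders named above that apply to the current token and reports whether they allow creating a file there, which shows which folder is blocking the load and which right is missing before any permissions are changed. It assumes that the create-file right is what the certificate load needs, and its verdict is a simplified reading of the ACL rather than a full effective-access calculation.

```powershell
# Added example (not from the original post). Paths are the two folders named in the post.
$folders = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys',
           'C:\ProgramData\Microsoft\Crypto\Keys'

# SIDs in the current token: the account itself plus its groups.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Assumption: the right that matters is creating a file in the folder.
$create      = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop
    } catch {
        Write-Output ('{0}: ACL not readable: {1}' -f $folder, $_.Exception.Message)
        continue
    }

    # Explicit and inherited entries that apply to this folder itself and to this token.
    $rules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        ($sids -contains $_.IdentityReference.Value) -and
        (($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly)
    })

    $allow = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $create) -eq $create })
    $deny  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $create) -eq $create })

    # Simplified verdict: some Allow entry grants the right and no Deny entry removes it.
    $verdict = if ($allow.Count -gt 0 -and $deny.Count -eq 0) { 'can create files' }
               else { 'CANNOT create files' }
    Write-Output ('{0}: current token {1}' -f $folder, $verdict)

    foreach ($r in $rules) {
        # Show a readable account name where the SID resolves, otherwise the raw SID.
        $name = try { $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $r.IdentityReference.Value }
        Write-Output ('    {0,-5} {1} -> {2}' -f $r.AccessControlType, $name, $r.FileSystemRights)
    }
}
```

Run it from a non-elevated prompt under the same account that starts IIS Express, since IIS Express runs as the logged-in user and an elevated token would report different group memberships.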