C# – “The specified network password is not correct” exception in X509Certificate2 constructor


I have a console application which loads an X509 Certificate from a byte array as follows:

var cert = new X509Certificate2(certificateContent,      // byte[]
                                password,                // string
                                X509KeyStorageFlags.PersistKeySet);

certificateContent is a byte[] representing the contents of a pfx file. This code works fine for a number of certificates I've tested. There is one certificate I'm testing, though, that causes this line to throw a CryptographicException with the message "The specified network password is not correct.", even though the password provided is correct.

The weird part is that I can use the same code in LinqPad to create a certificate from the same pfx file with the same password, and it works okay.

I've checked the call site in the console application in the debugger, and verified that the correct values are being passed in.

What could cause this constructor to throw this exception in a console app, but not in LinqPad using the same data, and work fine in both places for other certificates?

More Details

The certificates are stored in a database in Base64. The Console app reads the certificate from the DB, converts it from Base64 to a byte[], and then tries to create the X509Certificate2 object as above.

There are three certificates I've been testing with:

  1. My personal Client Authentication certificate provided by my employer's CA.
  2. A test certificate created by a colleague using his own self-signed CA.
  3. My own test certificate created by myself using a self-signed CA.

Certificates 1 and 2 work as expected in both the console app and LinqPad.

Certificate 3 loads fine in LinqPad, but generates the error above if I try to use it in the console app.

There are two significant differences between certs 2 & 3.

  1. Cert2 expires in 2016 and Cert3 expires in 2039
  2. The private key associated with cert2 is 2048 bits. Cert3 is 1024 bits.

Could either of these differences result in the "specified network password is not correct" error? And why would all 3 certs work fine in LinqPad, but only 1 throw the error in the Console app?

Best Answer

Hopefully this will help somebody:

User "S C" points out the following requirement for certificate passwords on Windows XP and Windows Server 2003.

0 < password.Length < 32

I have seen conflicting reports on whether 32 is allowed. I can confirm that I was using a 32 character password (an MD5 hash), and truncating it to 30 characters fixed the issue.
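
One way to catch this before the import call, as an added example that is not part of the original question or answer: a guard that enforces the 0 < password.Length < 32 bound quoted above and tags the resulting exception with the password length only. PfxLoader, Load and the constant names are hypothetical; the 32-character password and the "AA==" payload are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxLoader
{
    // Bound quoted in the answer above for Windows XP / Server 2003:
    // 0 < password.Length < 32. Reports conflict on exactly 32, so reject it.
    const int MaxPasswordLengthExclusive = 32;

    // HRESULT form of Win32 ERROR_INVALID_PASSWORD (86), the error behind
    // "The specified network password is not correct."
    const int InvalidPasswordHResult = unchecked((int)0x80070056);

    // Hypothetical helper: decodes the Base64 PFX and imports it with the
    // same flags as the question's code.
    public static X509Certificate2 Load(string base64Pfx, string password)
    {
        if (string.IsNullOrEmpty(password) ||
            password.Length >= MaxPasswordLengthExclusive)
        {
            // Report the length only; never put the password in a message or log.
            throw new ArgumentException(
                "PFX password length " + (password?.Length ?? 0) +
                " is outside the 1..31 range reported to work.",
                nameof(password));
        }

        byte[] pfx = Convert.FromBase64String(base64Pfx);
        try
        {
            return new X509Certificate2(pfx, password, X509KeyStorageFlags.PersistKeySet);
        }
        catch (CryptographicException ex) when (ex.HResult == InvalidPasswordHResult)
        {
            // Keep the original exception as InnerException for the stack trace.
            throw new CryptographicException(
                "PFX import rejected the password (length " + password.Length +
                "); it may be wrong or not accepted on this platform.", ex);
        }
    }

    static void Main()
    {
        // Constructed sample: 32 characters, the length of an MD5 hex digest.
        string constructed32 = new string('a', 32);
        try { Load("AA==", constructed32); }
        catch (ArgumentException e) { Console.WriteLine(e.Message); }
    }
}
```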