Certificate has private key but we get "the keyset does not exist" error

Hi all, welcome back,

The other day we were using CAPICOM in a client script run in Internet Explorer. We were trying to sign a string with the private key of a certificate we had previously installed on the client machine, but we kept getting the error "the keyset does not exist", as if the private key didn't exist. But the certificate had been installed from a PFX file, it appeared in the Personal store, and we could see the message "You have a private key that corresponds to this certificate" when double-clicking on the cert. What was going on?

The issue was happening on Windows XP SP2. As we saw in Key Containers: Basics, the keysets (key containers) for the user should be in her profile, under C:\Documents and Settings\<user_name>\Application Data\Microsoft\Crypto\RSA\<user_SID>. But we realized this folder was empty, even after re-installing the cert. Weird. When we install a new cert (and no smart cards are involved), a file containing the keys associated with it gets created in there.

Additionally, if we imported the PFX into a smart card, everything worked just fine.

Well, we finally realized what was happening:

When importing a PFX with the Windows Certificate Import Wizard, we can click "Browse" to select a cert store and "Place all certificates in the following store". We can then check "Show physical stores". In our particular scenario, we had two physical stores under the "Personal" store: "3rd Party Smart card SW" first and "Registry" second. "3rd Party Smart card SW" was a store for smart cards associated with some third-party smart card CSP.

It turned out that if we chose "Automatically select the certificate store based on the type of certificate" in the wizard instead of browsing for a store, the cert was automatically placed in the "3rd Party Smart card SW" physical store and the key file was not created in the user's profile. For this reason CAPICOM was failing: it couldn't find that file.

So we solved the issue by re-installing the cert and manually browsing for the "Registry" physical store under the "Personal" store. This way the keyset file got created in the Microsoft\Crypto\RSA\<userSID> folder, CAPICOM was able to get the private key, and everything worked just fine.
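To check this kind of problem without guessing, the following PowerShell script (an added example, not part of the original post) walks the user's Personal store and, for each certificate, reports which CSP holds the private key, whether the CAPI key container file actually exists in the user's profile, and whether a test signature (the operation CAPICOM was performing) succeeds or fails with "Keyset does not exist". It assumes legacy CAPI (CSP) keys and the %APPDATA%\Microsoft\Crypto\RSA\<SID> layout described above; the string being signed is a constructed sample.

```powershell
# Added diagnostic (not from the original post). Assumes legacy CAPI keys stored
# under %APPDATA%\Microsoft\Crypto\RSA\<user SID>, as described in the post.
$sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$keyDir  = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"
$payload = [System.Text.Encoding]::UTF8.GetBytes("constructed sample string")  # constructed input

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $result = [ordered]@{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        HasPrivateKey  = $cert.HasPrivateKey   # what the certificate UI reports
        Provider       = $null                 # CSP that claims to hold the key
        HardwareDevice = $null                 # $true for smart card CSPs
        Container      = $null                 # key container file name on disk
        KeyFileExists  = $null                 # is the container really in the profile?
        SignTest       = $null                 # result of the CAPICOM-style signing attempt
    }
    try {
        # Accessing PrivateKey fails with "Keyset does not exist" when the
        # container the cert points to is missing from the CSP.
        $rsa = $cert.PrivateKey
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $rsa.CspKeyContainerInfo
            $result.Provider       = $info.ProviderName
            $result.HardwareDevice = $info.HardwareDevice
            $result.Container      = $info.UniqueKeyContainerName
            $result.KeyFileExists  = Test-Path (Join-Path $keyDir $info.UniqueKeyContainerName)
        }
        # Same operation the client script performed: sign data with the private key.
        [void]$rsa.SignData($payload, "SHA1")
        $result.SignTest = "OK"
    } catch {
        # Typical messages here: "Keyset does not exist", "Invalid provider type specified"
        $result.SignTest = $_.Exception.Message
    }
    [pscustomobject]$result
} | Format-List
```

A certificate that shows HasPrivateKey = True but a non-Microsoft Provider, KeyFileExists = False and a "Keyset does not exist" SignTest matches the symptom described above: the cert landed in the smart card CSP's physical store instead of "Registry".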

I hope this helps.

Regards,


Alex (Alejandro Campos Magencio)