WinHttpCertCfg tool cannot access private key of a certificate

Hi all,

I faced the following issue some time ago: a customer of mine got a certificate in a .p12 file (PKCS#12 format), and he tried to access its private key with a .NET code like the following: 

X509Certificate2 clientCert = new X509Certificate2(certPath, certPassword, X509KeyStorageFlags.MachineKeySet);
… = clientCert.PrivateKey

This code worked fine on Vista or Windows 7, but failed to access the private key on Windows XP. So he tried to load the certificate into the certificate store and set permissions on the private key with WinHttpCertCfg.exe. But this action failed with the following error:

Access was not successfully obtained for the private key. This can only done by the user who installed the certificate.

They tried to install the cetificate and run WinHttpCertCfg.exe with an administrator user, and they got the same error. The same actions on Vista or Win7 worked just fine.


So we verified the original .p12 file with Win7’s certutil.exe tool, and we could see the following error:

C:\>certutil -verify customer.p12
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
LoadCert(Cert) returned ASN1 bad tag value met. 0x8009310b (ASN: 267)
CertUtil: -verify command FAILED: 0x8009310b (ASN: 267)
CertUtil: ASN1 bad tag value met.
301.3128.0: 0x8009310b (ASN: 267)

It turned out that the ASN1 encoding of the file was incorrect, and Windows XP didn’t know how to extract the private key from the file. Still, Vista and Win7 were both able to extract the info properly. I tried the following workaround then: import the certificate on Win7, export the certificate to a new .p12 file, and use the new file on XP. It worked! I verified the new .p12 file with certutil.exe, and I could see that doing the import-export operation fixed the encoding of the file.

Customer applied a similar workaround, but using openssl tool instead: convert the .p12 file to .pem (“openssl pkcs12 -in file.p12 -out file.pem“), and back to .p12 (“openssl pkcs12 -in file.pem -export -out new_file.p12“). That fixed ASN1 enconding, too.

I hope this helps. 



Alex (Alejandro Campos Magencio)

Comments (2)

  1. espinete says:

    I have certificate (pfx file, NOT is p12), how can I verify it ??

    Where is certutil.exe ? how can I download it ?


  2. alejacma says:

    I can find certutil.exe in my system32 folder on Windows 7. For older OS versions, I don't remember right now…