The requested operation is not supported when exporting ECParameters with private parameters from X509Certificate2 #104294
Considering:

```powershell
$cert = New-SelfSignedCertificate -DnsName "CN=Test" -KeyAlgorithm ECDSA_nistP256 -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My
$cert | Export-PfxCertificate -FilePath "Certificate.pfx" -Password (ConvertTo-SecureString -String "password" -Force -AsPlainText)
$pfxBytes = [System.IO.File]::ReadAllBytes("Certificate.pfx")
$base64Cert = [System.Convert]::ToBase64String($pfxBytes)
```

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

string rawData = "..."; // base64 from above
X509Certificate2 certificate = new X509Certificate2(Convert.FromBase64String(rawData), "password", X509KeyStorageFlags.Exportable);
ECDsa? privateKey = certificate.GetECDsaPrivateKey();
Debug.Assert(privateKey is not null);
ECParameters parameters = privateKey.ExportParameters(true);
```

The last line to export the parameters including the private parameters fails with:

I tried with others. Note that exporting without private parameters works fine. Any suggestions? I'm using .NET 9 preview 5 on Windows 11.
Replies: 1 comment
When Windows makes a key by loading a PFX it ends up in either the legacy CAPI system, or the newer CNG system. For CAPI Exportable means exportable, no ifs/ands/buts. But CNG has "Exportable" and "Plaintext Exportable". PFX:Exportable only maps to CNG:Exportable, but since we're asking for the key parameters directly that's a "plaintext export".

If you really want to work around it, you can export as encrypted PKCS8, then import that into a new key object (ECDsa.Create()). The new key object will have been set up as plaintext exportable.
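The workaround described in the reply, written out as an added example; this is not code from the discussion or from dotnet/runtime. It assumes the `Certificate.pfx` file and the password `"password"` produced by the question's PowerShell steps, and that the certificate's key landed in CNG as merely "Exportable", so that a direct `ExportParameters(true)` on the certificate's key throws. The key is exported as encrypted PKCS#8 (which CNG allows for an Exportable key) under a throwaway in-memory password, then imported into a fresh `ECDsa.Create()` object, which is plaintext-exportable. A sign/verify round trip confirms the new object holds the same key:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not from the discussion): move a CNG-backed ECDSA private key
// into a managed ECDsa object via encrypted PKCS#8 so that plaintext export works.
static class EcKeyRoundTrip
{
    // Exports the key as encrypted PKCS#8 and re-imports it into a new ECDsa
    // created with ECDsa.Create(), which .NET sets up as plaintext-exportable.
    public static ECDsa ToPlaintextExportable(ECDsa cngKey)
    {
        // Throwaway password: the encrypted blob only lives in memory for this hop.
        string transientPassword = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));

        var pbe = new PbeParameters(
            PbeEncryptionAlgorithm.Aes256Cbc, HashAlgorithmName.SHA256, iterationCount: 100_000);

        byte[] encryptedPkcs8 = cngKey.ExportEncryptedPkcs8PrivateKey(transientPassword, pbe);
        try
        {
            ECDsa fresh = ECDsa.Create();
            fresh.ImportEncryptedPkcs8PrivateKey(transientPassword, encryptedPkcs8, out _);
            return fresh;
        }
        finally
        {
            // The blob is encrypted, but there is no reason to keep it around.
            CryptographicOperations.ZeroMemory(encryptedPkcs8);
        }
    }

    static void Main()
    {
        // Assumed inputs: the PFX and password from the question's PowerShell steps.
        byte[] pfxBytes = System.IO.File.ReadAllBytes("Certificate.pfx");
        using var certificate = new X509Certificate2(pfxBytes, "password", X509KeyStorageFlags.Exportable);

        using ECDsa cngKey = certificate.GetECDsaPrivateKey()
            ?? throw new InvalidOperationException("Certificate has no ECDSA private key.");

        // Direct plaintext export of the CNG key is what fails in the question.
        try
        {
            cngKey.ExportParameters(true);
            Console.WriteLine("Direct export succeeded (key was already plaintext-exportable).");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"Direct export failed as expected: {ex.Message}");
        }

        using ECDsa exportable = EcKeyRoundTrip.ToPlaintextExportable(cngKey);
        ECParameters parameters = exportable.ExportParameters(true);
        Console.WriteLine($"Curve: {parameters.Curve.Oid.FriendlyName}, private scalar length: {parameters.D!.Length} bytes");

        // Same key? Sign with the original CNG key, verify with the re-imported one.
        byte[] message = Encoding.UTF8.GetBytes("constructed test message");
        byte[] signature = cngKey.SignData(message, HashAlgorithmName.SHA256);
        bool sameKey = exportable.VerifyData(message, signature, HashAlgorithmName.SHA256);
        Console.WriteLine($"Re-imported key verifies original signature: {sameKey}");

        // Don't leave the private scalar in memory longer than needed.
        CryptographicOperations.ZeroMemory(parameters.D);
    }
}
```

The `X509Certificate2(byte[], string, X509KeyStorageFlags)` constructor is the one the question uses; the example keeps it so the behaviour matches the report. On Windows the encrypted export is served by CNG itself, which is why it succeeds where the plaintext export does not; the private scalar only becomes visible in managed memory after the re-import into the fresh object, so zero `parameters.D` once you are done with it.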