Load X509Certificate2 with CreateFromPemFile

[lukeschlather]

Description

X509Certificate2.CreateFromPemFile doesn't seem to load private keys properly on Windows.

Reproduction Steps

I created a $cert and $key with:

openssl req -nodes -new  -sha256 -keyout $key -out $csr -config $cnf
openssl ca -batch -config $sslcnffile -policy policy_match -extensions usr_cert -out $cert -infiles $csr 

My project is <TargetFramework>net6.0</TargetFramework>

I created an X509Certificate2 object with:

var cert = X509Certificate2.CreateFromPemFile("$cert", "$pem");

For comparison I also created a pfx with

openssl pkcs12 -export -out $pfx -inkey $cert -in $key

And loaded it with

var pfxCert = new X509Certificate2("/secrets/localhost.pfx");

Expected behavior

The pfxCert object should be functionally identical to the cert object, or there should be an error thrown loading the pem keyfile.

Actual behavior

The cert object is created without error but the private key is not present.

Regression?

I've found some similar bugs and it generally seems the assumption is pems don't work on Windows, but the docs don't make any mention of this:

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompemfile?view=net-7.0

Known Workarounds

Use a pfx.

Configuration

I have been working on some other issues so I may be mistaken, but I believe this works fine in an Ubuntu Docker container but does not work in Windows 10.

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

X509Certificate2.CreateFromPemFile doesn't seem to load private keys properly on Windows.

Reproduction Steps

I created a $cert and $key with:

openssl req -nodes -new  -sha256 -keyout $key -out $csr -config $cnf
openssl ca -batch -config $sslcnffile -policy policy_match -extensions usr_cert -out $cert -infiles $csr 

My project is <TargetFramework>net6.0</TargetFramework>

I created an X509Certificate2 object with:

var cert = X509Certificate2.CreateFromPemFile("$cert", "$pem");

For comparison I also created a pfx with

openssl pkcs12 -export -out $pfx -inkey $cert -in $key

And loaded it with

var pfxCert = new X509Certificate2("/secrets/localhost.pfx");

Expected behavior

The pfxCert object should be functionally identical to the cert object, or there should be an error thrown loading the pem keyfile.

Actual behavior

The cert object is created without error but the private key is not present.

Regression?

I've found some similar bugs and it generally seems the assumption is pems don't work on Windows, but the docs don't make any mention of this:

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfrompemfile?view=net-7.0

Known Workarounds

Use a pfx.

Configuration

I have been working on some other issues so I may be mistaken, but I believe this works fine in an Ubuntu Docker container but does not work in Windows 10.

Other information

No response

Author:	lukeschlather
Assignees:	-
Labels:	area-System.Security
Milestone:	-

[vcsjones]

the private key is not present.

How are you making this determination? Can you provide an end-to-end example where you load a cert and a key, and the resulting X509Certificate2 doesn't do what you would expect?

[lukeschlather]

I compared the X509Certificate2 objects in the debugger and the properties on the key were not the same as the ones from when I loaded the pfx.

Additionally, I am loading this object into Kestrel with .UseHttps() and when I load the pem-derived cert I get:

> openssl s_client -connect localhost:15443
CONNECTED(000001C8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

with the PFX it works appropriately, when I do openssl s_client -connect localhost:25443 -CAfile C:\secrets\root-cert.pem it says the cert is valid, curl also works.

[vcsjones]

HasPrivateKey should definitely be true after calling CreateFromPemFile. Otherwise it should throw.

This sounds like the "File" version of this issue: #86328

Based on this comment:

I believe this works fine in an Ubuntu Docker container but does not work in Windows 10.

Windows, when using a certificate for HTTPS purposes, needs a non-ephemeral key load, but CreateFromPem{File} does an ephemeral key load. That is this issue #23749

I agree this behavior is confusing because the certificate and key are loaded fine, but when you go to use it for HTTPS purposes (Kestrel, SslStream, etc) it behaves as if there is no private key.

var certificateBytes = fullCertificate.Export(X509ContentType.Pkcs12, "");
return new X509Certificate2(certificateBytes, "", X509KeyStorageFlags.DefaultKeySet);

https://github.com/dotnet/aspnetcore/blob/f9121bc3e976ec40a959818451d126d5126ce868/src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs#L84-L90

If you roundtrip the certificate through a PFX store, load, then it is likely things will work for the PEM + Private Key.

[lukeschlather]

Can probably just call this a dupe of the other one.

[vcsjones]

Duplicate of #86328