
How to Fix the "Keyset does not exist" CryptographicException

We recently ran into a strange problem when we tried to sign a message using a private and public key pair. Everything worked as expected on the developer machine, yet in the test environment the same code only throws this exception:

System.Security.Cryptography.CryptographicException: Keyset does not exist

Our key pair is inside the certificate store on a Windows server and that works on all other systems without any problem. We even use the same code, but we never had such an error before.

According to our Google search, multiple problems can result in this error:

  • The public/private key pair is corrupt
  • There is no private key attached to the public key
  • The key pair is correct, but Windows uses a storage format that .NET can't access

Before you spend time recreating your key pair, check that the user under which the code runs has the right to access the private key. That was our problem, but no one explained this as a possible source for the exception.

Manage the access rights for private keys

It takes a few steps to get to the right place, but they are all straightforward. First, open the mmc tool by typing mmc in the search box:

[Screenshot: finding mmc in the Windows tool list]

Add the certificates snap-in and select Computer account:

[Screenshot: selecting Computer account]

Expand the tree on the left side (Certificates (Local Computer) / Personal / Certificates), select the Certificates node and locate your certificate. Right-click on your certificate, select All Tasks / Manage Private Keys:

[Screenshot: the Manage Private Keys entry for the certificate]

You will now see all accounts that can access the private key of your certificate. Make sure that your user has 'Full Control' activated:

[Screenshot: giving access to your user]

Double-check that your code is running under this user. If you have a web application, do not forget to check the application pool user – someone may have changed that.

Important: The option to manage private keys is only available for the machine store, not your personal store. If it does not show up, you are probably in the wrong location.
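
The same permission check can be scripted when no desktop session is available. The following PowerShell is an added example, not code from the original post: the thumbprint is a placeholder, the account name is hypothetical, and it assumes an RSA key kept by a software provider under %ProgramData%\Microsoft\Crypto and an elevated session.

```powershell
# Added example: show who may use the private key of a machine-store certificate.
# Run elevated. The default values below are placeholders, not values from the post.
param(
    [string]$Thumbprint = '<CERTIFICATE-THUMBPRINT>',      # placeholder
    [string]$Account    = 'IIS AppPool\DefaultAppPool'     # hypothetical account to check
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "No private key is attached to certificate $Thumbprint."
}

# Resolve the unique container name, which is also the key file name on disk.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'Not an RSA key; this example handles RSA only.' }
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName                               # CNG key
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CSP key
}

# Machine keys live in one of these two directories, depending on the provider.
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName"
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file for container '$keyName' not found." }

# Print every access rule on the key file.
$acl = Get-Acl -LiteralPath $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Direct entries only: access granted through group membership is not resolved here.
$read = [int][System.Security.AccessControl.FileSystemRights]::Read
$allowed = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $read) -eq $read)
}
if ($allowed) {
    "$Account has an explicit Allow entry with read access."
} else {
    "$Account has no explicit Allow entry with read access."
}
```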

Conclusion

As so often, the most annoying problems have simple solutions. If you run into the same problem, save yourself a lot of time and check the permissions first, especially when you are sure that everything is correctly configured.