How to Fix the “Keyset does not exist” CryptographicException

We recently run into a strange problem when we tried sign a message using a private and public key pair. Everything worked as expected on the developer machine, yet in the test environment the same code only throws this exception:

System.Security.Cryptography.CryptographicException: Keyset does not exist

Our key pair is inside the certificate store on a Windows server and that works on all other systems without any problem. We even use the same code, but we never had such an error before.

According to our Google search, multiple problems can result in this error:

  • The public/private key pair is corrupt
  • There is no private key attached to the public key
  • The key pair is correct, but Windows use a storage format that .Net can’t access

Before you spend time to recreate your key pair, check that the user under which the code runs has the right to access the private key. That was our problem, but no one explained this as a possible source for the exception.

 

Manage the access rights for private keys

It takes a few steps to get at the right place, but they are all straight-forward. First open the mmc tool by typing mmc in the search box:

Add the certificates snap-in and select Computer account:

Expand the tree on the left side (Certificates (Local Computer) / Personal / Certificates), select the Certificates node and locate your certificate. Right-click on your certificate, select All Tasks / Manage Private Keys:

You now will see all accounts that can access the private key of your certificate. Make sure that your user has ‘Full Control’ activated:

Double-check that your code is running under this user. If you have a web application, do not forget to check the application pool user – someone may have changed that.

Important: The option to manage private keys is only available for the machine store, not your personal store. If it does not show up, you are probably in the wrong location.

 

Conclusion

As so often, the most annoying problems have simple solutions. If you run into the same problem, save yourself a lot of time and check the permissions first. Especially when you are sure that everything is correctly configured.

17 thoughts on “How to Fix the “Keyset does not exist” CryptographicException”

  1. Thanks a lot. This solved my problem and save hours of time! In my case the certificate was used to identify the application to an Azure KeyVault which returned a 401 (not authorized) error with the additional information “Keyset does not exist”. I don’t fully understand why Azure would need to access the private key associated with my client app.

    Reply
  2. Cheers guys, helped me realise the permissions were wrong on my private key and get my renewal completed 🙂

    Reply
  3. Hi ,

    In my case I am neither accessing private key from Computer Account nor User Account. I have extracted the private key(.key file) from the certificate and using that in implementation. So how can I set a permissions to private key.

    I have a SSL Certificate(received from valid CA) and I am using that in windows application while calling the third party WebAPIs. In MMC I have not found Manage Private Keys option for my SSL Certificate.

    I have confirmed Private key and Public keys by implementing RSA encryption/Decryption using OppenSSL and keys are working fine.

    How can I handle this situation..

    Reply
    • Hi Somnath,
      Did you put the private key into a file? Or did you copy the content of the private key into the source code of your application? In either case check the encoding of the file and make sure it is UTF-8. We had some problems with this lately.

      Do you have a minimal code example somewhere that you can share?

      Regards,
      Johnny

      Reply
  4. Thanks! – I normally don’t post but i had to for this as I’ve spent hours investigating why my process wasn’t working. wish I found this sooner!.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.