We recently run into a strange problem when we tried sign a message using a private and public key pair. Everything worked as expected on the developer machine, yet in the test environment the same code only throws this exception:
System.Security.Cryptography.CryptographicException: Keyset does not exist
Our key pair is inside the certificate store on a Windows server and that works on all other systems without any problem. We even use the same code, but we never had such an error before.
According to our Google search, multiple problems can result in this error:
- The public/private key pair is corrupt
- There is no private key attached to the public key
- The key pair is correct, but Windows use a storage format that .Net can’t access
Before you spend time to recreate your key pair, check that the user under which the code runs has the right to access the private key. That was our problem, but no one explained this as a possible source for the exception.
Manage the access rights for private keys
It takes a few steps to get at the right place, but they are all straight-forward. First open the mmc tool by typing mmc in the search box:
Add the certificates snap-in and select Computer account:
Expand the tree on the left side (Certificates (Local Computer) / Personal / Certificates), select the Certificates node and locate your certificate. Right-click on your certificate, select All Tasks / Manage Private Keys:
You now will see all accounts that can access the private key of your certificate. Make sure that your user has ‘Full Control’ activated:
Double-check that your code is running under this user. If you have a web application, do not forget to check the application pool user – someone may have changed that.
Important: The option to manage private keys is only available for the machine store, not your personal store. If it does not show up, you are probably in the wrong location.
Conclusion
As so often, the most annoying problems have simple solutions. If you run into the same problem, save yourself a lot of time and check the permissions first. Especially when you are sure that everything is correctly configured.
Thank you for this, it solved a big headache!
Thanks a lot. This solved my problem and save hours of time! In my case the certificate was used to identify the application to an Azure KeyVault which returned a 401 (not authorized) error with the additional information “Keyset does not exist”. I don’t fully understand why Azure would need to access the private key associated with my client app.
Helped me too. Saved hours of time!
Perfect that helpded a lot !
Cheers guys, helped me realise the permissions were wrong on my private key and get my renewal completed 🙂
Hi ,
In my case I am neither accessing private key from Computer Account nor User Account. I have extracted the private key(.key file) from the certificate and using that in implementation. So how can I set a permissions to private key.
I have a SSL Certificate(received from valid CA) and I am using that in windows application while calling the third party WebAPIs. In MMC I have not found Manage Private Keys option for my SSL Certificate.
I have confirmed Private key and Public keys by implementing RSA encryption/Decryption using OppenSSL and keys are working fine.
How can I handle this situation..
Hi Somnath,
Did you put the private key into a file? Or did you copy the content of the private key into the source code of your application? In either case check the encoding of the file and make sure it is UTF-8. We had some problems with this lately.
Do you have a minimal code example somewhere that you can share?
Regards,
Johnny
Very Helpful. Solved my issue.. Thanks a lot
legend, fixed my issue ty!
This was also my issue, : ) Thanks
Awesome, thanks!!
Excellently written – saved my bacon and many hours of tedious searching.
First hit on Google and issue solved! Thanks!
Thanks! Saved my life!