26

When newing up an instance of X509Certificate2(string, string) my IIS process simply crashes. No .Net exception, no nothing, except for this in my event log:

Faulting application name: w3wp.exe, version: 8.0.9200.16384, time stamp: 0x50108835
Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505ab405
Exception code: 0xc0000374
Fault offset: 0x00000000000ea485
Faulting process id: 0x102c
Faulting application start time: 0x01ce10301e250c4d
Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 5e55321c-7c23-11e2-93f9-00155d8a0f17
Faulting package full name: 

I'm pretty stunned and don't know where to start looking. When attaching a debugger to the process, I'm able to break onto this line, but when stepping over it the whole thing crashes.

_certificate = new X509Certificate2(pfxFile, pfxPassword);

pfxFile is a valid path; if I change it I immediately get a correct .Net PathNotFound exception.

Server is Windows 2012, running IIS8 and .Net 4.5.

Update
This article describes the same problem where a solution is to make sure the App Pool identity has LoadUserProfile enabled.

Hakan Fıstık
Pauli Østerø
  • FWIW, http://stackoverflow.com/questions/9259581/our-application-crashes-how-to-find-the-cause-of-the-crash Might be a step in the right direction. – lc. Feb 21 '13 at 13:37

1 Answer

36

I had a similar problem, also on Windows Server 2012, which crashed IIS, when using

new X509Certificate2(fileName, keyPassword, X509KeyStorageFlags.Exportable)

This was fixed by changing the constructor to

new X509Certificate2(fileName, keyPassword, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable)
maxp
  • 2
    I had the exact same problem, and your solution also worked for me. I wish I could upvote this answer more than once. Thanks a lot! – Rodrigo Sieiro Jul 04 '13 at 17:30
  • 2
    @RodrigoSieiro I will go ahead and help you bump this one. I just ran into this myself when using the Google Admin SDK service account. – Damon Drake Jun 16 '14 at 16:03
  • @maxp This answer is why I love stack overflow. – CameraSchoolDropout Jun 25 '14 at 04:11
  • 2
    This is unbelievable. Since this issue was crashing my application pool, I had to resort to hard coded trace statements in my code to even figure out where the error was happening. But this begs to ask the question, why the issue and how does the improved constructor fix it? Question 3 is, and this is very scary to me, why does this crash the application pool? I don't like how vulnerable I feel right now for using X509Certificate2 at all! – kstubs Jun 11 '15 at 16:15
  • This worked for me BUT when I now try to access the PrivateKey it throws an exception "An exception of type 'System.Security.Cryptography.CryptographicException' occurred in mscorlib.dll but was not handled in user code Additional information: Invalid provider type specified." – Donald Jansen Aug 17 '15 at 09:28
  • For VB.NET, the following will also work: `new X509Certificate2(fileName, keyPassword, X509KeyStorageFlags.MachineKeySet Or X509KeyStorageFlags.PersistKeySet Or X509KeyStorageFlags.Exportable)`. VB uses the keyword `Or` to represent a bitwise `|` "OR" operator. – tresf Jan 26 '16 at 04:00
  • This may be the cause: https://connect.microsoft.com/VisualStudio/feedback/details/790360/ssl-certificates-wont-load-into-an-iis-worker-process-unless-loaduserprofile-is-enabled – Noah Stahl Mar 27 '16 at 15:18
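
An added example (not code from the question or the answer) that wraps the answer's constructor call so the key-storage flags are chosen in one place: MachineKeySet always, PersistKeySet and Exportable only on request, because those two leave the imported private key on disk in the machine key store and allow it to be exported again. `PfxLoader` and its parameter names are hypothetical, and it is an assumption that MachineKeySet alone avoids the crash; the answer only reports the three-flag combination.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, added for illustration; not part of the original post.
public static class PfxLoader
{
    public static X509Certificate2 Load(
        string pfxFile, string pfxPassword, bool persistAndExport = false)
    {
        if (!File.Exists(pfxFile))
            throw new FileNotFoundException("PFX file not found", pfxFile);

        // MachineKeySet: import the private key into the machine key store,
        // so the load does not depend on the app pool identity's user profile.
        X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet;

        if (persistAndExport)
        {
            // The answer's full flag set. PersistKeySet keeps the key container
            // after the object is released; Exportable lets any code holding
            // the certificate export the private key again.
            flags |= X509KeyStorageFlags.PersistKeySet
                   | X509KeyStorageFlags.Exportable;
        }

        var certificate = new X509Certificate2(pfxFile, pfxPassword, flags);
        if (!certificate.HasPrivateKey)
        {
            certificate.Reset(); // release the native handle before failing
            throw new CryptographicException("PFX contains no private key.");
        }
        return certificate;
    }
}

public static class Program
{
    // Usage: Program.exe <path-to-pfx> <password>
    public static void Main(string[] args)
    {
        X509Certificate2 certificate = PfxLoader.Load(args[0], args[1]);
        try { Console.WriteLine("Loaded {0}", certificate.Thumbprint); }
        // Reset() exists on .NET 4.5; without PersistKeySet the imported
        // key container is removed when the certificate is released.
        finally { certificate.Reset(); }
    }
}
```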