I am facing an issue where I am unable to import a certificate's private key into Mono's certificate store/key pair store using the built-in tool certmgr.

Adding a certificate's public version to the store works fine using:

```
user@maschine:~certs$ certmgr -add -c My MyCert.crt
Mono Certificate Manager - version 2.10.8.1
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

1 certificate(s) added to store My.
```

However, trying to add the corresponding private key ends in an exception:

```
user@maschine:~certs$ certmgr -add -c My MyCert.p12
Mono Certificate Manager - version 2.10.8.1
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.


Unhandled Exception: System.Security.Cryptography.CryptographicException: Invalid MAC - file may have been tampered!
```

Trying to add the public version (.cer) first and then importing the corresponding private key from the private version (.p12) fails too, but with a slightly different exception:

```
user@maschine:~certs$ certmgr -add -c My MyCert.crt
Mono Certificate Manager - version 2.10.8.1
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

1 certificate(s) added to store My.
user@maschine:~certs$ certmgr -importKey -c My MyCert.p12
Mono Certificate Manager - version 2.10.8.1
Manage X.509 certificates and CRL from stores.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

Unhandled Exception: System.Security.Cryptography.CryptographicException: Improperly protected user's key pairs in '/var/licapp/.config/.mono/keypairs'.
```

Protecting the certificate with a password (and adding the corresponding parameter to the command) doesn't help either.

I am using Mono 2.10.8.1 on Debian Wheezy. Does anybody know how to handle certificates in stores, and how to handle their key pairs, with certmgr too?

I am considering a workaround where I just keep the p12 files beside my application without using the stores, which would be a much less clean solution, I guess. But I am just unable to add both the certificate and the key pair to the store.

The certificates seem to be OK, by the way. Adding them to the store under Windows works just fine.

nozzleman

1 Answer

There are some problems with the documentation and the tool's behavior is a bit strange or wrong in places...

  1. The permissions on the keypairs directory are set wrong when the program creates them. `chmod 700 ~/.config/.mono/keypairs` resolved the Exception you listed.
  2. When you're using the `-importKey` action, you still have to specify object-type certificate, even though the man page doesn't say you have to use object-type. Moreover, there is no "private key" object type; instead, use the "certificate" object type (`-c`). Ex. `certmgr -importKey -c -v -p p12password My CertAndKeyPair.p12` yields a success message for me.
  3. After step 2, the certificate/key will remain inaccessible. After importing the P12, import the DER-encoded certificate. Ex. `certmgr -add -c My Certificate.cer`. This should make the certificate/key available to your .NET code.
  4. If you want to install certificates/keys to the machine store (`-m`), you must use sudo.
TravisThomas
  • Thanks, I was finally able to import my pfx using the command in step 2. Even though my cert didn't have a password set, it still needed `-p ""` specified in order to work. I think this is a bug in older versions of mono (I'm running 4.2.1), see the discussion here: https://bugzilla.xamarin.com/show_bug.cgi?id=35064 – E. Moffat Sep 21 '18 at 18:06
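
Steps 1 to 3 of the answer, together with the `-p ""` observation from the comment, combined into one script. This is an added example, not code from the answer or from Mono; the function names `dir_mode`, `secure_keypairs_dir` and `import_p12` and the `KEYPAIRS_DIR` variable are hypothetical, and it assumes `certmgr` is on the `PATH` when an import is actually run.

```shell
#!/bin/sh
# Added example (not from the original answer): import a PKCS#12 into a Mono
# certificate store. All function names and KEYPAIRS_DIR are hypothetical.

# Per-user key pair directory named in the answer; override via environment.
KEYPAIRS_DIR="${KEYPAIRS_DIR:-$HOME/.config/.mono/keypairs}"

# Print the type/permission string of a directory, e.g. "drwx------".
# cut drops any trailing ACL/SELinux marker that ls may append.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Step 1: make sure the key pair directory exists and is owner-only (700).
# Returns non-zero if the resulting mode is anything other than rwx------.
secure_keypairs_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    chmod 700 "$dir" || return 1
    [ "$(dir_mode "$dir")" = "drwx------" ]
}

# Steps 2 and 3: import the key pair from the P12, then add the DER
# certificate. -p is always passed, even with an empty password, as the
# comment on the answer reports was necessary.
import_p12() {
    store="$1"; p12="$2"; cer="$3"; password="$4"
    secure_keypairs_dir "$KEYPAIRS_DIR" || {
        echo "cannot restrict $KEYPAIRS_DIR to mode 700" >&2
        return 1
    }
    certmgr -importKey -c -v -p "$password" "$store" "$p12" || return 1
    certmgr -add -c "$store" "$cer"
}

# Run only when called with arguments: STORE P12 CER [PASSWORD]
if [ "$#" -ge 3 ]; then
    import_p12 "$1" "$2" "$3" "${4:-}"
fi
```

Because `-p` takes the password as an argument, it can show up in the process list while `certmgr` runs.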