I cannot find anything related to the error that I am encountering.
The problem is that I am encountering a CryptographicException on store.Add
below:
"The request is not supported."
The MSDN Documentation is not very helpful, it states that:
The certificate could not be added to the store.
I used the following code as a guide, with the following change:
My proof of concept code (abridged/shoddy):
public class UserLogonImpersonator : IDisposable
{
private WindowsImpersonationContext _impersonationContext = null;
private const int LOGON_INTERACTIVE = 2;
private const int PROVIDER_DEFAULT = 0;
[DllImport("advapi32.dll", SetLastError=true)]
private static extern int LogonUser(
string lpszUserName,
string lpszDomain,
string lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken);
public UserLogonImpersonator()
{
_impersonationContext = null;
IntPtr userHandle = IntPtr.Zero;
const string domain = "domain";
const string user = "user";
const string hcpw = "password";
try
{
int logonResult = LogonUser(user, domain, hcpw,
LOGON_INTERACTIVE, PROVIDER_DEFAULT, ref userHandle);
bool isLoggedOn = logonResult != 0;
if (isLoggedOn)
{
_impersonationContext =
WindowsIdentity.Impersonate(userHandle);
}
}
catch(Exception e)
{
// Handle Exception
}
}
public void Dispose()
{
// UndoImpersonation();
}
// Private methods ...
}
public class CertService
{
public void AddCertToRootStore()
{
using(new UserLogonImpersonator())
{
X509Certificate2 rootCert =
new X509Certificate2(certData.CertFilePath);
X509Store store =
new X509Store(StoreName.Root, StoreLocation.CurrentUser);
store.Open(OpenFlags.MaxAllowed);
store.Add(rootCert);
store.Close();
}
}
}
I can remove the impersonation and no exceptions are thrown, but that is not the correct user's store.
With the impersonation, I can put the cert into StoreName.AuthRoot
without exception. This is not the store that I want the cert to go into.
Neither of these exception-free solutions will work. I require that the program be run with elevated privileges and go into another user's store.
I solved this by doing it manually.
I wanted to do this to automate "test chain certificates." Our third party CA gave us a set of certificates for a .local domain.
Our real-life use case would already have the root and chain certificate installed.