0 votes
by (130 points)

Dear support,

We are about to buy a license of the websocket module. However, using the trial version, we are facing a problem when loading a certificate to be used for client authentication of the secure web socket.

The following code always returns "PFX password is not valid", even if we use a pfx file with an empty password:

    Certificate certificate = null;
    try
    {
        certificate = Certificate.LoadPfx(clientCertificatePath, string.Empty);
    }
    catch (Exception ex)
    {
        Console.WriteLine("Error loading client certificate: {0}", ex.Message);
    }

Any reason why the LoadPfx method always throws this exception?

Best regards,

Didier Guillemyn.

Applies to: Rebex WebSocket
by (130 points)
Note that I use the .NET CF 3.5 Websocket component.

1 Answer

+1 vote
by (148k points)

On Windows CE, the LoadPfx method uses Windows API functions to load the PFX file. During this process, if the PFXVerifyPassword Windows API function call returns FALSE (indicating that the password does not appear correct), the LoadPfx method throws the "PFX password is not valid" exception.

Apparently, it's possible for this error to get reported even if the password is correct. For example, if the PFX is protected to an Active Directory principal, or if it uses some ciphers that are not yet supported by the Windows OS, the "PFX password is not valid" exception would be raised as well.

Try loading the PFX in an app using the normal (non-CF) .NET Framework - does that work? If it does, save it to another .PFX file, and try using that file in .NET CF 3.5:

    using (var cert = Certificate.LoadPfx(clientCertificatePath, string.Empty))
    {
        cert.Save(clientCertificatePath2, CertificateFormat.Pfx, string.Empty);
    }

by (130 points)
Thanks Lukas,

This was indeed the issue!

I'll continue now with ordering the .NET CF Websocket module :-)

Br,

Didier.
by (130 points)
FYI: I could solve the problem also by generating a "legacy" pfx file, using the following openssl command:

    openssl pkcs12 -export -out client_legacy.pfx -inkey client.key -in client.crt -certfile ca.crt -legacy
...
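
An added diagnostic, not part of the original thread and not Rebex code: a small Python DER walker that lists the protection algorithm identifiers a PFX declares, so you can see whether a file uses PBES2/AES with SHA-256 or the older PKCS#12 PBE schemes that the `-legacy` export above selects. It assumes a DER-encoded file; the function names and the "legacy"/"modern" labels are this example's own.

```python
# Added example. Families (this example's labels): "legacy" = PKCS#12 v1 PBE
# schemes and SHA-1; "modern" = PBES2, AES, SHA-256. Assumes DER encoding.
OIDS = {  # DER-encoded OID value (hex) -> (name, family)
    "2a864886f70d010c0103": ("pbeWithSHAAnd3-KeyTripleDES-CBC", "legacy"),
    "2a864886f70d010c0106": ("pbeWithSHAAnd40BitRC2-CBC", "legacy"),
    "2b0e03021a": ("sha1", "legacy"),
    "2a864886f70d01050d": ("PBES2", "modern"),
    "60864801650304012a": ("aes256-CBC", "modern"),
    "608648016503040201": ("sha256", "modern"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end); raise ValueError on malformed DER."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length overruns buffer")
    return tag, pos, pos + length

def collect(data, depth=0):
    """Walk DER recursively; return (name, family) for each known algorithm OID."""
    if depth > 32:
        raise ValueError("nesting too deep")
    found, pos = [], 0
    while pos < len(data):
        tag, start, end = read_tlv(data, pos)
        value, pos = data[start:end], end
        if tag == 0x06 and value.hex() in OIDS:
            found.append(OIDS[value.hex()])
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            found += collect(value, depth + 1)
        elif tag == 0x04:  # OCTET STRING: authSafe and SafeContents wrap DER
            try:
                found += collect(value, depth + 1)
            except ValueError:
                pass  # opaque bytes such as a salt or digest
    return found

def pfx_algorithms(data):
    """Return (sorted algorithm names, 'modern' | 'legacy' | 'unknown')."""
    found = collect(data)
    families = {family for _, family in found}
    verdict = "modern" if "modern" in families else "legacy" if families else "unknown"
    return sorted({name for name, _ in found}), verdict
```

Call `pfx_algorithms(open("client.pfx", "rb").read())` on a desktop machine before copying the file to the device. A "modern" verdict marks a file that may hit the unsupported-cipher case described in the answer, and no password is needed because the algorithm identifiers are stored unencrypted.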