Creating an X509Certificate2 object using EphemeralKeySet and without accessing the local machine certificate store


I'm running an ASP.NET Core 8.0 website on a shared HostGator web server that uses Plesk. My website needs to persist keys to its database, which should be encrypted. Since Plesk doesn't allow access to the local machine certificate store from code, I provide the certificate and private key in a .pfx file and use the EphemeralKeySet setting to store the private key in memory, rather than in the local machine certificate store. The code in Program.cs is as follows:

using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;

// Load certificate + private key from the .pfx; EphemeralKeySet keeps the key in memory only.
X509Certificate2 cert = new(certFilePath, certPassword, X509KeyStorageFlags.EphemeralKeySet);
builder.Services.AddDataProtection()
    .ProtectKeysWithCertificate(cert)
    .PersistKeysToDbContext<ApplicationDbContext>();

However, the above gives the following error:

System.Security.Cryptography.CryptographicException: The specified network password is not correct.
   at System.Security.Cryptography.X509Certificates.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at System.Security.Cryptography.X509Certificates.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)

The password provided is correct, and the code runs without issue in my dev environment. This certificate is just for internal encryption - there's a separate certificate for SSL/TLS communication. Searches on this error are suggesting that the X509Certificate2 constructor still tries to access the local machine certificate store even when the EphemeralKeySet setting is used, and since I don't have access to this store, an error results. Does anyone have any insight on this problem, and how to solve or work around it? I'm new to this area so may be overlooking something obvious. I haven't been able to find this exact issue addressed on SO or elsewhere. Thanks.

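Because Program.cs only ever sees the final exception, a startup self-check that isolates the .pfx load from the DataProtection wiring narrows down which step fails on the Plesk host. This is an added example, not code from the question or from the DataProtection library; certFilePath and certPassword are the question's own values, everything else (the class name, the probe string, the sign/verify round trip) is assumed.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic (hypothetical helper): loads the .pfx the same way Program.cs does and
// proves the ephemeral private key is usable in-process before DataProtection depends on it.
public static class PfxSelfCheck
{
    // Returns null on success, otherwise a message saying where loading failed.
    public static string? Probe(string certFilePath, string certPassword)
    {
        byte[] pfx;
        try { pfx = File.ReadAllBytes(certFilePath); }
        catch (Exception ex) { return $"cannot read pfx: {ex.Message}"; }

        X509Certificate2 cert;
        try
        {
            // Same flag as the question: the private key lives only in this process's memory.
            cert = new X509Certificate2(pfx, certPassword, X509KeyStorageFlags.EphemeralKeySet);
        }
        catch (CryptographicException ex)
        {
            // Log the HResult too: the message text alone does not distinguish a bad
            // password from an import that failed for another reason on this host.
            return $"PFX import failed (HResult 0x{ex.HResult:X8}): {ex.Message}";
        }

        using (cert)
        {
            if (!cert.HasPrivateKey) return "certificate loaded but carries no private key";
            using RSA? rsa = cert.GetRSAPrivateKey();
            if (rsa is null) return "private key is not RSA; ProtectKeysWithCertificate uses the RSA public key";

            // Sign/verify round trip: proves the ephemeral key actually works, not just that it loaded.
            byte[] data = Encoding.UTF8.GetBytes("dataprotection-selfcheck"); // constructed probe input
            byte[] sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using RSA pub = cert.GetRSAPublicKey()!;
            return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                ? null
                : "signature round trip failed";
        }
    }
}
```

Call `PfxSelfCheck.Probe(certFilePath, certPassword)` once at startup on the shared host and log the result; a non-null message pinpoints the failing step before AddDataProtection is configured.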