CryptographicException: Access denied - How to give access on User store?

7

8

I am trying to load a certificate from a pfx file in a WPF application and it gives me an access denied error.

byte[] buffer;
using (FileStream stream = System.IO.File.OpenRead(certificatePath))
{
    using (BinaryReader reader = new BinaryReader(stream))
    {
        buffer = reader.ReadBytes((int)stream.Length);
    }
}

// This constructor call is where the exception is thrown.
X509Certificate2 certificate = new X509Certificate2(buffer, password);

System.Security.Cryptography.CryptographicException: Access denied.
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password)
   at HelloWorld.HelloClient.Models.Infrastructure.ReadCertificateFromPfxFile(String certificatePath, String password)

The last line in the snippet is causing the exception, and if I run it as an administrator it works fine. The issue seems to be that the default constructor of X509Certificate2 tries to put the private key in the user store. I am not using a web application. This post doesn't resolve my issue. I think the current user might not have access to his own private key store. But how can I give that access?

Otisotitis answered 23/6, 2016 at 17:50 Comment(2)
Possible duplicate of X509Certificate Constructor Exception - Weingarten
@Weingarten It's talking about a web application and fixes in IIS. I have a WPF app; how can I give permission to the user store? - Otisotitis
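The constructor used in the question, X509Certificate2(byte[], string), loads the PFX with the default key-storage flags, so the CSP persists the private key into a key container on disk; the "Access denied" is that file write failing. The following is an added example (not code from the question or any answer) that loads the same PFX with explicit X509KeyStorageFlags so no key container is written, and proves the key is usable with an in-memory sign/verify round trip. It assumes .NET Framework 4.7.2+ or .NET Core 2.0+ for EphemeralKeySet, and an RSA key in the PFX.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PfxLoader
{
    // Loads a PFX without persisting its private key to MachineKeys or the user's
    // key folder. EphemeralKeySet (assumed available: .NET Framework 4.7.2+ /
    // .NET Core 2.0+) keeps the key in process memory only, so the caller needs
    // no write access to any key-container directory and the MachineKeys ACL
    // does not have to be widened.
    public static X509Certificate2 LoadEphemeral(string certificatePath, string password)
    {
        byte[] buffer = File.ReadAllBytes(certificatePath);
        return new X509Certificate2(buffer, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    // Alternative for runtimes without EphemeralKeySet: UserKeySet persists the key
    // under the current user's profile, which that user already owns, instead of
    // the machine-wide MachineKeys folder.
    public static X509Certificate2 LoadUserKeySet(string certificatePath, string password)
    {
        byte[] buffer = File.ReadAllBytes(certificatePath);
        return new X509Certificate2(buffer, password, X509KeyStorageFlags.UserKeySet);
    }

    // Confirms the private key actually works (it was the key load, not the cert
    // parse, that failed in the question) by signing and verifying in memory.
    public static bool PrivateKeyWorks(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        byte[] data = new byte[] { 1, 2, 3, 4 }; // constructed sample payload
        using (RSA priv = cert.GetRSAPrivateKey())
        using (RSA pub = cert.GetRSAPublicKey())
        {
            byte[] sig = priv.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            return pub.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main(string[] args)
    {
        // Usage: PfxLoader <path-to.pfx> <password>
        using (X509Certificate2 cert = LoadEphemeral(args[0], args[1]))
        {
            Console.WriteLine(cert.Subject);
            Console.WriteLine("private key usable: " + PrivateKeyWorks(cert));
        }
    }
}
```

An ephemeral key cannot be added to a certificate store and is rejected by some Windows APIs that require a persisted key container, so use LoadUserKeySet where the certificate must be installed rather than only used in-process.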
10

Posting a fix in case someone is looking for a solution to a similar issue. I ran Sysinternals Process Monitor and realized the constructor call was creating a key in the machine key folder, and I gave the user write access on the machine key folder.

Otisotitis answered 1/7, 2016 at 12:32 Comment(2)
This was my problem too. Thanks for the solution! - Earache
Could you explain more? I don't yet get how you solved the problem. - Broadbent
13

In my situation, it was due to the lack of write access to the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder.

My user only had Read access, and once I granted Write access it worked fine.

Extraditable answered 23/8, 2021 at 12:45 Comment(0)
6

Getting the same CryptographicException: Access denied error when trying to load an X509Certificate2; the solution is to grant read/write on the MachineKeys directory.

  1. Open a CMD or PowerShell with admin privileges.
  2. Execute the command below to grant everyone read/write: icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /inheritance:r /grant Administrators:F /grant:r Everyone:RW

More about permissions on this directory: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/default-permissions-machinekeys-folders

Dextral answered 18/8, 2022 at 20:35 Comment(1)
Note: Those group / user names are specific to the current culture; for German, for example, use icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /inheritance:r /grant Administratoren:F /grant:r Jeder:RW - Ern
1

Just in case it helps someone, "CryptographicException: Access denied" can be caused by a lack of space on the disk; that was my case.

Lizettelizotte answered 25/4, 2019 at 15:1 Comment(0)
0

A possible fix: if somebody is using Visual Studio by any chance and faces this issue, make sure that you are running Visual Studio with admin rights and that the admin has write permission for the related directory.

Belkisbelknap answered 2/5, 2024 at 16:18 Comment(0)
0

Leaving this here in case it helps someone:

In our case this was caused by a misconfiguration of our CSP provider when importing the PFX.

In the ProviderName key we had a value of Microsoft Strong Cryptographic Provider; changing this to Microsoft Software Key Storage Provider or Microsoft Enhanced RSA and AES Cryptographic Provider seemed to fix this.

Mccormac answered 4/7, 2024 at 13:8 Comment(0)
-1

I found it's easier to use the p12 certificate because it doesn't use the key store. I used Firefox to convert the pfx to p12.

Halyard answered 24/7, 2022 at 2:38 Comment(0)
