Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'
Asked Answered
M

27

415

We just upgraded our Visual Studio 2008 projects to Visual Studio 2010. All of our assemblies were strong signed using a Verisign code signing certificate. Since the upgrade we continuously get the following error:

Cannot import the following key file: companyname.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_3E185446540E7F7A

This happens on some developer machines and not others. Some methods used to fix this that worked some of the time include:

  • Re-installing the key file from Windows Explorer (right click on the PFX file and click Install)
  • Installing Visual Studio 2010 on a fresh machine for the first time prompts you for the password the first time you open the project, and then it works. On machines upgraded from Visual Studio 2008, you don't get this option.

I've tried using the SN.EXE utility (Strong Name Tool) to register the key with the Strong Name CSP as the error message suggests, but whenever I run the tool with any options using the version that came with Visual Studio 2010, SN.EXE just lists its command line arguments instead of doing anything. This happens regardless of what arguments I supply.

Why is this happening, and what are clear steps to fix it? I'm about to give up on ClickOnce installs and Microsoft code signing.

Millman answered 12/5, 2010 at 0:29 Comment(0)
K
479

I was running into this problem as well. I was able to resolve the issue by running
sn -i <KeyFile> <ContainerName> (installs key pair into a named container).

sn is usually installed as part of a Windows SDK. For example C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\sn.exe. Most likely this location is not on the search path for your standard environment. However, the "Developer Command Prompt" installed by Visual Studio adds additional information that usually includes the correct location.

Based on your post that would look like

sn -i companyname.pfx VS_KEY_3E185446540E7F7A

This must be run from the location of your PFX file, if you have the solution loaded in VS 2010 you can simply right click on the pfx file from the solution explorer and choose Open Command Prompt which will launch the .net 2010 cmd prompt tool in the correct directory.

Before running this sn command I did re-install the pfx by right clicking on it and choosing install however that did not work. Just something to note as it might be the combination of both that provided the solution.

Kakemono answered 14/5, 2010 at 20:52 Comment(14)
Thanks Brandon - yes this, like the manual re-install of the key file "sort of" solves the problem. The issue is that as soon as you check in the key file, any other users that get latest on this checked in key file are now going to experience this bug. If any of those users check in their "fix" and I get latest, then my machine is now broken again... and so on. Microsoft have started a trouble ticket on this and assigned it to the VS2010 team and the VSS team.Millman
Interesting. I did not run into that problem when adding the pfx to the new CSP. To my knowledge SN -i does not change the pfx file so you shouldn't have to check anything in afterwards. However if you were to change the pfx file in anyway such as resetting the password, that would cause an issue since it would change the pfx file. Does your solution build with that pfx file from any other machine? If so then the pfx file is correct just not set to the correct CSP on your machine that is having build issues.Kakemono
At first I tried only the sn -i part but it complained that the password was incorrect (though it was correct). I removed the certificate, reinstalled it and then sn -i... worked. Basically confirming that for me, both steps were required. Reinstall cert then execute the sn command.Anesthetic
I've found in both VSS and TFS that if you run the sn -i command it doesn't work unless you have the PFX file checked out, and when you check it in it doesn't work for other developers on the network. I'll have to try the re-install cert then run the sn -i command. We need it to work on all developer machines in the office.Millman
Brandon's workaround worked for me and allowed me to properly publish our ClickOnce application. I did not need to have the PFX file checked out in TFS to for this to work either. Thanks!Ezmeralda
This worked for me as well, however I never had to do this in the past. VS used to just pop up and ask for the password for each key. What has changed?Hadwin
If you get prompted for the password and don't know it - just try clicking Enter. The PFX may not have a password, but sn.exe will always prompt for one.Nubianubian
Check Stefan De Bruijn comment below https://mcmap.net/q/86167/-cannot-import-the-keyfile-39-blah-pfx-39-error-39-the-keyfile-may-be-password-protected-39 He links to this article: blogs.msdn.com/b/andrekl/archive/2008/01/08/… which still works for VS 2013Gandy
I read from another blog article which went with this solution... if you tried to install it under a different user on the same machine, you need to delete this key container first from all other users on that same machine before this command will work. Hope this saves someone else some time.Slambang
This answer provided me with the clue to resolve my issue. I ran this command on my .pfx and container instance and got "Failed to install key pair - Object Already Exists." That reminded me that the key container directory on my system is locked down for just administrators. If this is the case, be sure the account running VS has access to c:\Program Data\Microsoft\Crypto\RSA directory.Unbuckle
Developer Command Prompt ran with errors, had to run it from the regular CMD window with the path to SN.exe.Umbelliferous
It is important that the Vs instance is running as Administrator too. Otherwise, even if the key is added properly in the container and the certificates are fine. Vs cannot build properly. By default in Windows 10 Vs versions run with low privileges.Hyaloid
I get this error: Failed to install key pair -- Object already exists. When I delete the pair and add it again, the problem persists.Ambi
I kept on getting the Failed to install key pair -- Object already exists. error trying to execute the command sn -i mycert.pdf VS_KEY_xyz. I resolved it by first removing the certificate from the Signing tab of my project, then running the command sn -d VS_KEY_xyz. After that I was able to successfully re-register the certificate with sn -i mycert.pdf VS_KEY_xyz, select it again on the Signing tab and rebuild my project.Snipes
F
137

I've discovered a fix that helps you be able to build successfully in a multi developer environment:

Instead of changing the password (which causes the .pfx to be changed), reselect the .pfx file from the combobox. This then invokes the password dialog. After entering the password, the project will build OK. Every dev can do this on his local machine without actually modifying the .pfx file.

I'm still having problems getting assemblies to be signed on our build server machine. I'm getting the same error there, however using the sn.exe -i method does not fix the problem for the buildserver.

Fogle answered 7/7, 2010 at 15:1 Comment(8)
Spent a while failing to get this working on our TFS build server too, realised I was logged on as myself, not as the build service account, no wonder it was unable to find it - doh!Pantelegraph
This should be marked as the answer as the answer that is currently marked will not work in a multi-developer environment. Well done.Histamine
If you are using the same .pfx file to sign multiple assemblies / projects within one solution, you only need to do this step on one project and it will apply to all of them. Works great.Sanctimonious
On Visual Studio 2012 you do this by rightclicking the containing project, select Signing and then "Select from File..." and navigate to the file in question.Delvecchio
My problem was that the build server was running under a local account. I went into the options and changed, but didn't realize that I changed it in the wrong spot - which led me to troubleshoot for hours until I checked it again and realized my mistake!Threshold
This won't work for certificates with a blank password.Jotham
Brilliant thanks. Sad to see this is still a workaround in 2017 though.Rosaleerosaleen
It worked for us, basically we had a shared project through Git, and a signed DLL via a pfx key, no password. I was able to use it, colleague was not ("Failed to import key" was the error). We did this workaround by unchecking the key, select new key, recompile. It worked then.Wheeling
N
49

I had the same issue and deleting the store and reading didn't work. I had to do the following.

  • Get a copy of OpenSSL. It is available for Windows. Or use a Linux box as they all pretty much all have it.

  • Run the following to export to a key file:

    openssl pkcs12 -in certfile.pfx -out backupcertfile.key
    
    openssl pkcs12 -export -out certfiletosignwith.pfx -keysig -in backupcertfile.key
    

Then in the project properties you can use the PFX file.

Nanoid answered 15/11, 2011 at 1:5 Comment(8)
Thank you!! I think this worked for me. I grabbed openssl here: gnuwin32.sourceforge.net/packages/openssl.htmExcruciating
I'd like to add the option to include the actual certificate in the pfx: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt -keysig -keyexColumbite
Make sure to run openssl as an administrator, else you'll get the error "unable to write 'random state'" Also: I still had to do Brandon Manchester's answer with the "sn -i ..." thing after doing the openssl thing.Depose
Identical to an answer to Error when using Visual Studio 2010 for assembly signing: “An attempt was made to reference a token that does not exist”.Radiation
This is the only solution, which finally worked me. Thanks!China
THIS worked for me when nothing else would! VS 2019. Thank you!!Boucicault
this worked also for me, tried a lot of other stuff first, thanks!Aorta
support.comodo.com/index.php?/Knowledgebase/Article/View/1152/7/… This website has clear instructionNisen
R
40

I spoke too soon! Rebuild brought the errors back into play...

I found this works - right click in Solution Explorer and exclude it from the project. Click Show all files, right click and now include it in the project again. Now undo pending changes...

For some reason this sorted it out for me and was relatively painless!

Redintegrate answered 27/7, 2011 at 13:40 Comment(6)
Takin' it back, didnt help. Didn't realize it removed the pfx from project settings. I think the answer lies in the answer from Stefan https://mcmap.net/q/86167/-cannot-import-the-keyfile-39-blah-pfx-39-error-39-the-keyfile-may-be-password-protected-39Caecilian
This answer is great. It worked for me, and it's so easy.Quantum
Worked for me (VS2017 15.7.4). Thank you for the nice & quick solution.Ichinomiya
Worked for me on VS2019 16.1.3. Thanks!!Worker
Holy cow. This somehow worked for me after removing the certificate chaining information, installing the Strong Name CPS container, and all the other answers. VS 2022 .Net Framework 4.6.2 ClickOnceAssessment
Okay I just wanna give you a hearty thank you, and an equally hearty wtf??? because that sure workedJudejudea
T
37

I found that in some cases you should try to delete this key before you install it. So do the following:

  1. sn -d VS_XXXX
  2. sn -i mykey.pfx VS_XXX
Turnery answered 22/6, 2011 at 16:53 Comment(3)
This fixed it for me! The install by itself was failing with object already exists.Handel
I tried that too and it didn't help. Could something be wrong with the certificate itself?Ambi
Thank you, removal has to be done as admin -- if run as regular user one gets misleading error "Strong name key container not found".Mission
C
31

VSCommands 2010 (plugin for Visual Studio) can fix this for you automatically - just right-click on error and click Apply Fix from the menu. You can get it from Visual Studio gallery.

Cognition answered 8/8, 2010 at 9:26 Comment(3)
I believe this is for the pro version - don't have this option in my lite versionMorphosis
The version I just downloaded (in Sept 2011) came with this option.Kidwell
It still requires a pro license.Cognac
B
29

After trying all these solutions (and a lot more), I found that the problem lies somewhere else. For people that go through the same misery as me after buying a certificate, I'll share the solution for my problem.

Behavior

I understand that 'sign' applies a strong name and not an authenticode to a DLL or EXE. This is why signtool will work in this case, but 'sign' in Visual studio will not work.

Reason

In the past I've had experience with certificates from Verisign. They have a KeySpec=2 in the certificate - which is used with the 'sign' functionality in Visual Studio. These certificates work fine for both Visual Studio and signtool.

I now bought certificates from Comodo, which have an incorrect KeySpec=1 in the code signing certificates. That means these certificates work fine with signtool (authenticode) but not with strong naming (the sign drop-down).

Solution

There are two ways to solve this issue:

  1. Create a separate certificate for your strong name using sn -k [name].snk. Sign the assembly using the snk and afterwards use signtool with your code signing certificate to do sign the DLL/EXE with the authenticode signature. While this seems strange, from what I understand this is a correct way to deal with certificates, because strong names have a different purpose than authenticode (see also this link for details on how this works).
  2. Import your certificate as KeySpec=2. The procedure for this is detailed here.

Because I want to use multiple strong names, I currently use option (1), although option (2) also works.


To ensure this solution will never get lost in the future, here's the procedure of solution 2:

  1. Using the "Certifiates" MMC export the existing keyset (KeySpec=1) to a PFX file. Note: Please backup this file to a safe location and test if the file can be imported ok on another machine if you really want to play it safe!
  2. Delete the existing certificate from the crypto store (stlll using the MMC).
  3. Open a CMD prompt.
  4. Import the PFX file using this command:
    1. certutil -importPFX -user <pfxfilename> AT_SIGNATURE
    2. Enter the passphrase for the pfx when prompted.

You now should have a keyset/certificate with KeySpec=2. If needed you can now export this into another PFX file using the MMC again.

Bettencourt answered 1/2, 2013 at 10:58 Comment(5)
Your #2 solution was the only thing that worked for me (without using a secondary commandline tool or process) Thanks.Gandy
Yeah, I really don't understand why some solutions here have so many votes; this is really the only thing that worked for me, and I'm pretty sure most people that buy a CS certificate should have the same issue. Oh well...Bettencourt
This is the only solution worked for me. Also, the .pfx file cannot include certificate chaining information for signing assemblies.Salt
Thank you for such a detailed instruction. Every step is described precisely.Bise
Your 1st solution is critical to understand here: there's absolutely no need to strong-sign assemblies with an expensive password-protected certificate! Once you understand this, and simply use an snk file, this problem goes away entirely. See the warning note here and here.Rosie
N
16

To resolve this problem in Visual Studio 2012, I right click the project, properties -> "signing", and then uncheck the "Sign the ClickOnce manifests".

Neurotic answered 17/4, 2014 at 5:46 Comment(1)
This is a perfect answer if there is no need for the signing. It will remove the need for the project to be signed.Blanco
C
11

I reselected the Key(pfx) file in the "Choose a Strong Name Key File" drop-down box, Then provided password in the "ENTER PASSWORD" Popup Window. Saved my project and did rebuild.build succeeded.

  • Open Project Properties.
  • Click on the Signing section.
  • Where it says ‘Choose a strong name key file:’, reselect the current value from the drop-down box:

enter image description here

  • Visual Studio will now prompt you for the password. Enter it.

enter image description here

  • Save your project and do a rebuild.

  • If get error message:”An attempt was made to reference a token that does not exist” just ignore it and Continue the below steps

  • Click the ‘Change Password” button:

enter image description here

  • Enter the original password in all three boxes and click OK. If you’d like to change your password (or if your old password doesn’t meet complexity requirements), you can do so now.

  • Save your project and do a rebuild.

More Info..

Calciferol answered 29/7, 2015 at 7:10 Comment(1)
This whole error seems like it's completely random to solve, but this solution worked for me. If anyone else gets this far down the page, I can only suggest trying everything.Supernormal
L
6

As a workaround, I tried running the Visual Studio 2010 as an administrator, and it worked for me.

I hope this helps.

Loferski answered 25/5, 2010 at 15:59 Comment(1)
It for some reason stopped working. I could not believe that this actually solved the issue. Thank you!!!Hercegovina
A
4

As the original author of the work around on the connect bug report, there are TWO variants of this message (I've discovered later)

For one variant you use sn.exe (usually if you are doing strong naming) to import the key to the strong naming store.

The other variant for which you use certmgr to import is when you're codesigning for things like click-once deployment (note you can use the same cert for both purposes).

Hope this helps.

Archdeaconry answered 20/5, 2010 at 21:52 Comment(1)
Yeah, we tried that one with Microsoft support as well, and that's the way to do the code signing import. The problem really seems to be that the certificate password gets lost during the checkin process source safe. But this doesn't look to be the real problem. It looks if you enter the certificate details on Widnows 7 machine #1, and then move that exact same file to a different machine and register it, the registration will work, but the build will fail. Microsoft are still looking into it for us. For now we had to disable code signing and sign manually during release.Millman
E
3

Nothing worked for me, but then I went and looked into the certificate manager (mmc.exe). The certificate was not imported in the personal store, so I imported it manually and then the project compiled.

See ClickOnce Manifest Signing and Strong-Name Assembly Signing Using Visual Studio Project Designer's Signing Page, Signing Assemblies.

Embower answered 19/5, 2012 at 13:22 Comment(1)
This solved the issue for me as well after doing the SN.exe -i fix.Phone
P
3

This Solved my problem: Open your VS Project

Double click on Package.appxmanifest

Go to Packaging tab

click choose certificate

click configure certificate

select from file and use example.pfx that unity or anything else created

Phyllida answered 29/4, 2018 at 1:15 Comment(0)
F
2

I had the same problem after moving my Windows installation to an SSD. None of the other solutions worked for me.

My solution was to open the project file in Notepad and remove all references to PFX keys. Once the file is saved, open the solution in Visual Studio. Go to project -> Properties -> Signing. You shouldn't see any keys listed in the 'choose the strong name key file' combo box. In the combo box, browse to the key, select it and your project can now be built.

Furmark answered 10/8, 2011 at 12:17 Comment(0)
C
2

I had a similar issue, but after selecting the pfx in a "Strong name key file" ComboBox and typing the password I still got a similar error (without the container name part):

Cannot import the following key file: companyname.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate

Also, the "Sign the ClickOnce manifests" certificate information panel wasn't populated.

I did "Select from File..." on my pfx, and it solved the problem.

Cresting answered 23/11, 2011 at 23:18 Comment(0)
B
2

Reselecting key file in a combobox and entering password helps on this for us.

But it is needed to do each time the key file changes and it seems to be not OK.

Bora answered 23/12, 2011 at 11:8 Comment(0)
Z
2

My problem was that the TFS Build Controller was running as a network service and for some reason I didn't understand why the Visual Studio Build Host service certificates were not being used. I changed the identity of the Visual Studio Build service to something more manageable, made sure it had rights on the TFS server, and manually added the certificates using the MMC.

The problem was also that MSBuild can't add the password protected certificates to the store.

Zaria answered 12/1, 2012 at 12:6 Comment(2)
Which store do you need to add it to??Corium
I did the same (and also put certs in this users Personal/Trusted Root/Trusted Pub ..not sure which fixed it) and was able to move onto the next TFS error that i had conflicting workspaces, so to rectify that i also had to remove and add a new build agent.Corium
B
1

Okay, this worked for me. Open the old solution/project as an administrator in Visual Studio 2010 and open the new or copied solution/project. As an administrator, remove the copied pfk file in the new Visual Studio 2010 solution/project and go to project properties and unselect it.

With both projects open, copy paste to the new one. Go to project properties and select Build. I opened and closed Visual Studio and also after removing from the new project built it before copying it from the old project and selecting it. I received the error at the start of this post first up when I copied the project and tried to build it.

Brindabrindell answered 15/4, 2011 at 2:9 Comment(0)
T
1

All methods described here didn't help me. But when I deleted the *.pfx file from my project and added it to the assembly's signing again, I built my project with without any error! I can't explain reasons why. But it worked for me.

Tjader answered 20/3, 2013 at 6:50 Comment(0)
J
1

In my scenario the build service was not using the same user account that I imported the key with using sn.exe.

After changing the account to my administrator account, everything is working just fine.

Jotham answered 3/11, 2014 at 17:25 Comment(1)
I was having same issue, reading your comment pointed me to the fact that I had upgraded to windows 10 from windows 7 and now VS required to be run as Admin. So ran the VS as admin and no problems..Thanks for the pointerIngvar
D
1

Unfortunately, no approached mentioned here worked for me. I have to register couple PFX in a docker container and I need to pass the password via command line.

So I re-developed the sn.exe -i <infile> <container> command in C# using the RSACryptoServiceProvider. The source and the app are on GitHub in the SnInstallPfx project.

The SnInstallPfx app accepts a PFX key and its password. It computes the key container name (VS_KEY_*) automatically (borrowed from MSBuild source code) and installs it to the strong name CSP.

Usage:

SnInstallPfx.exe <pfx_infile> <pfx_password>
// or pass a container name if the default is not what you need (e.g. C++)
SnInstallPfx.exe <pfx_infile> <pfx_password> <container_name>
Dichotomous answered 27/11, 2019 at 16:46 Comment(0)
T
1

For whom is using GitLab runners:

  • Be sure to run the runner with an account that you can logon to: ./gitlab-runner.exe install --user ".\ENTER-YOUR-USERNAME" --password "ENTER-YOUR-PASSWORD" (I had to stop and uninstall first)
  • follow this guide to grant the build user permission to login as a service
  • logon with such build user
  • use the command suggested in other answers: sn -i certificate.pfx VS_KEY_C***6

the container name is suggested in the failed Job output on GitLab (msbuild output) enter image description here

Tellurate answered 12/12, 2019 at 17:16 Comment(0)
P
1

I know this is an old question but most answers do not work on other devops system anymore. VS_KEY_xxx is different on VMs so that we cannot use sn.exe.

This is the yaml script I used in GitHub Actions to build my VSTO project, which required ClickOnce. Actually only need two lines of powershell after "run:":

- name: Import certificate
  shell: pwsh
  run: |
    $Secure_String_Pwd = ConvertTo-SecureString "<Password>" -AsPlainText -Force
    Import-PfxCertificate -FilePath '${{github.workspace}}\project\project1_TemporaryKey.pfx' -CertStoreLocation Cert:\CurrentUser\My -Password $Secure_String_Pwd
Pean answered 5/1, 2023 at 6:43 Comment(1)
Thank you for your answer, @Pean this was the only thing that would work for me.Recapture
F
1

On my build machine it was not enough to register the certificate using sn.exe, it was also required to install the certificate through the Certificate Manager (certmgr.exe):

  1. Install key pair with sn.exe -i <pfx_file> <key_container_name_from_error_message>. The full path to sn.exe is specific to .NET version: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX X.X.X Tools\sn.exe.
  2. Open the Certificate Manager with the command certmgr.msc.
  3. Right click on "Certificates" under "Personal" item and chose "All Tasks - Import...", chose your pfx

enter image description here

  1. Make sure to check radiobutton "Place all certificates in the following store" - "Personal"

You must install it under the user who will be accessing the certificate as it was mentioned by @michele-mpp-marostica in his answer above

Flotow answered 20/7, 2023 at 7:10 Comment(0)
S
0

I got the same error. In my case, I tried all of the above, but I couldn't get the result.

I finally realized that in my case, the reason for the error was that the certificate password was not entered or entered incorrectly. The error disappeared when I entered the password dynamically correctly. successful

Settlings answered 15/7, 2019 at 12:10 Comment(0)
A
0

In Visual Studio 2019 and a .Net 5 project the solution to this problem for me was to just exclude the .pfx file from my solution and it immediately worked.

Afore answered 26/4, 2021 at 12:16 Comment(0)
C
-2

I solved this issue for myself by changing the following line in the Visual Studio project's .csproj file:

This threw the 'cannot import' error:

<PropertyGroup>
<SignManifests>true</SignManifests>
</PropertyGroup>

Changing the value to false made the error go away.

Chavarria answered 19/2, 2015 at 15:5 Comment(1)
Usually assemblies are signed for purpose, and removing SignManifests would cause troubles in deployment in some environments. So it's not a solution for a problemChildress

© 2022 - 2024 — McMap. All rights reserved.