Creating an X509Certificate2 under IIS throws 'The system cannot find the file specified'

iis, windows, windows server, certificates

This exception had me scratching my head for a good 30 minutes until the power of Bing (yes, Bing!) gave me the answer:

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

The code I'm using looks a lilttle bit like this:

using (var stream = assembly.GetManifestResourceStream(certificateResourceStreamName))
{
    var certificateBytes = ReadStream(stream);
    X509Certificate2 certificate = new X509Certificate2(certificateBytes, certificatePrivateKey);
               
    return certificate;
}

When this code was run, and the exception thrown, I was flummoxed and ended up adding many lines of diagnostics to try and establish what was going wrong. There's a stackoverflow question for the same exception, with the same stack trace (CryptographicException was unhandled: System cannot find the specified file) but my issue wasn't the same as that which the OP stated theirs was in comments on the question.

In my case, the code is running in IIS under an ApplicationPoolIdentity user and there is a non-standard configuration for the application pool. Here's the Process Model settings for the pool on the server in question:

An application pool with 'Load User Profile' set to False

And here's the same on a server that's not wonky:

An application pool with 'Load User Profile' set to True

As soon as I changed the Load User Profile setting to True, the code started working and I was able to move onto the next problem. There's an answer on the stackoverflow question (that has more up-votes than the rest of the answers on the question, and the question itself, combined) that told me what the problem was. Based on the very high number of up-votes, this is something people are seeing reasonably often!

About Rob

I've been interested in computing since the day my Dad purchased his first business PC (an Amstrad PC 1640 for anyone interested) which introduced me to MS-DOS batch programming and BASIC.

My skillset has matured somewhat since then, which you'll probably see from the posts here. You can read a bit more about me on the about page of the site, or check out some of the other posts on my areas of interest.

7 Comments

  • Gravatar Image

    Thanks Rob - Saved my bacon!

    - It's a really unhelpful error message, and it really gets you double-checking the paths to the .p12 files when you really don't have to!

  • Gravatar Image

    After trying to give pool permission for user, I changed the Load User Profile setting to True and it worked. Thanks for make my day

  • Gravatar Image

    Hi Rob,

    My web application is installed on azure and i haven't found how to configure this in a web app. Can you help me?

  • Gravatar Image

    THANKS!

    This fixed my issue

  • Gravatar Image

    muchas gracias por su aporte ROB,
    en nuestro caso la solucion tiene 2 pasos:
    1: el patch del certificado debe ser ABSOLUTO desde C:\sdsds\\xxx.p12
    2: en el poolAplication del IIS se configura tal como indica arriba
    saludos

  • Gravatar Image

    Thank you for your article. It saves me a lot of time. The message says nothing about how to resolve the error.

  • Gravatar Image

    Thanks Rob,


    It is working for me also

Add a Comment