Today I stumbled upon a problem instantiating a X509Certificate2 class from a PKCS#12 container (a .pfx or a .p12 file) in production environment. For some reason I kept getting “The specified network password is not correct.” (for password-less containers) or “An internal error occurred.” (for protected ones).
The cause of the problem doesn’t seem to have much to do with the error messages. For some reason the constructor is trying to get access to the private key store although the private key is in stored in the file being opened. By default the user key store is used but ASP.NET (and probably non-interactive Windows services in general) are not allowed to open it. Chances are the user key store for the selected account doesn’t even exist.
One thing you could try is creating a user key store by logging into the account and importing a certificate in its Personal store (and then remove it again).
Another solution is to pass an additional parameter to the constructor – a flag indicating the private keys are (supposed to be) stored in the local computer – X509KeyStorageFlags.MachineKeySet, like this:
var certificate = new X509Certificate2(fileName, password, X509KeyStorageFlags.MachineKeySet);