Cannot import the keyfile blah pfx - error The keyfile may be password protected

Question

We just upgraded our Visual Studio 2008 projects to Visual Studio 2010  All of our assemblies were strong signed using a Verisign code signing certificate  Since the upgrade we continuously get the following error      Cannot import the following key file  companyname pfx  The key file may be password protected  To correct this  try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name  VS KEY 3E185446540E7F7A    This happens on some developer machines and not others  Some methods used to fix this that worked some of the time include    Re-installing the key file from Windows Explorer  right click on the PFX file and click Install  Installing Visual Studio 2010 on a fresh machine for the first time prompts you for the password the first time you open the project  and then it works  On machines upgraded from Visual nbsp Studio nbsp 2008  you don t get this option    I ve tried using the SN EXE utility  Strong Name Tool  to register the key with the Strong Name CSP as the error message suggests  but whenever I run the tool with any options using the version that came with Visual Studio 2010  SN EXE just lists its command line arguments instead of doing anything  This happens regardless of what arguments I supply   Why is this happening  and what are clear steps to fix it   I m about to give up on ClickOnce installs and Microsoft code signing

User · Answer

I spoke too soon  Rebuild brought the errors back into play     I found this works - right click in Solution Explorer and exclude it from the project  Click Show all files  right click and now include it in the project again  Now undo pending changes     For some reason this sorted it out for me and was relatively painless

User · Answer

Unfortunately  no approached mentioned here worked for me  I have to register couple PFX in a docker container and I need to pass the password via command line    So I re-developed the  sn exe -i  lt infile gt   lt container gt  command in C  using the RSACryptoServiceProvider  The source and the app are on GitHub in the SnInstallPfx project   The SnInstallPfx app accepts a PFX key and its password  It computes the key container name  VS KEY    automatically  borrowed from MSBuild source code  and installs it to the strong name CSP   Usage   SnInstallPfx exe  lt pfx infile gt   lt pfx password gt     or pass a container name if the default is not what you need  e g  C    SnInstallPfx exe  lt pfx infile gt   lt pfx password gt   lt container name gt

User · Answer

I had the same issue and deleting the store and reading didn t work  I had to do the following    Get a copy of OpenSSL  It is available for Windows  Or use a Linux box as they all pretty much all have it  Run the following to export to a key file   openssl pkcs12 -in certfile pfx -out backupcertfile key  openssl pkcs12 -export -out certfiletosignwith pfx -keysig -in backupcertfile key    Then in the project properties you can use the PFX file

User · Answer

For whom is using GitLab runners    Be sure to run the runner with an account that you can logon to    gitlab-runner exe install --user    ENTER-YOUR-USERNAME  --password  ENTER-YOUR-PASSWORD   I had to stop and uninstall first  follow this guide to grant the build user permission to login as a service  logon with such build user use the command suggested in other answers  sn -i certificate pfx VS KEY C   6   the container name is suggested in the failed Job output on GitLab  msbuild output

User · Answer

My problem was that the TFS Build Controller was running as a network service and for some reason I didn t understand why the Visual Studio Build Host service certificates were not being used  I changed the identity of the Visual Studio Build service to something more manageable  made sure it had rights on the TFS server  and manually added the certificates using the MMC   The problem was also that MSBuild can t add the password protected certificates to the store

User · Answer

Nothing worked for me  but then I went and looked into the certificate manager  mmc exe   The certificate was not imported in the personal store  so I imported it manually and then the project compiled   See ClickOnce Manifest Signing and Strong-Name Assembly Signing Using Visual Studio Project Designer s Signing Page  Signing Assemblies

User · Answer

I had a similar issue  but after selecting the pfx in a  Strong name key file  ComboBox and typing the password I still got a similar error  without the container name part       Cannot import the following key file  companyname pfx  The key file may be password protected  To correct this  try to import the certificate again or manually install the certificate   Also  the  Sign the ClickOnce manifests  certificate information panel wasn t populated    I did  Select from File     on my pfx  and it solved the problem

User · Answer

I reselected the Key pfx  file in the  Choose a Strong Name Key File  drop-down box  Then provided password in the  ENTER PASSWORD  Popup Window  Saved my project and did rebuild build succeeded     Open Project Properties  Click on the Signing section  Where it says    Choose a strong name key file      reselect the current value from the drop-down box        Visual Studio will now prompt you for the password   Enter it        Save your project and do a rebuild   If get error message    An attempt was made to reference a token that does not exist    just ignore it and  Continue the below steps  Click the    Change Password    button       Enter the original password in all three boxes and click OK  If you   d like to change your password  or if your old password doesn   t meet complexity requirements   you can do so now  Save your project and do a rebuild     More Info

User · Answer

I got the same error  In my case  I tried all of the above  but I couldn t get the result   I finally realized that in my case  the reason for the error was that the certificate password was not entered or entered incorrectly  The error disappeared when I entered the password dynamically correctly  successful

User · Answer

This Solved my problem  Open your VS Project  Double click on Package appxmanifest  Go to Packaging tab  click choose certificate  click configure certificate  select from file and use example pfx that unity or anything else created

User · Answer

I was running into this problem as well  I was able to resolve the issue by running sn -i  lt KeyFile gt   lt ContainerName gt   installs key pair into a named container     sn is usually installed as part of a Windows SDK   For example C  Program Files  x86  Microsoft SDKs Windows v8 0A bin NETFX 4 0 Tools sn exe   Most likely this location is not on the search path for your standard environment   However  the  Developer Command Prompt  installed by Visual Studio adds additional information that usually includes the correct location   Based on your post that would look like  sn -i companyname pfx VS KEY 3E185446540E7F7A  This must be run from the location of your PFX file  if you have the solution loaded in VS 2010 you can simply right click on the pfx file from the solution explorer and choose Open Command Prompt which will launch the  net 2010 cmd prompt tool in the correct directory   Before running this sn command I did re-install the pfx by right clicking on it and choosing install however that did not work  Just something to note as it might be the combination of both that provided the solution   Hope this helps solve your problem

User · Answer

I ve discovered a fix that helps you be able to build successfully in a multi developer environment   Instead of changing the password  which causes the  pfx to be changed   reselect the  pfx file from the combobox  This then invokes the password dialog  After entering the password  the project will build OK  Every dev can do this on his local machine without actually modifying the  pfx file   I m still having problems getting assemblies to be signed on our build server machine  I m getting the same error there  however using the sn exe -i method does not fix the problem for the buildserver

User · Answer

After trying all these solutions  and a lot more   I found that the problem lies somewhere else  For people that go through the same misery as me after buying a certificate  I ll share the solution for my problem   Behavior  I understand that  sign  applies a strong name and not an authenticode to a DLL or EXE  This is why signtool will work in this case  but  sign  in Visual studio will not work   Reason  In the past I ve had experience with certificates from Verisign  They have a KeySpec 2 in the certificate - which is used with the  sign  functionality in Visual Studio  These certificates work fine for both Visual Studio and signtool   I now bought certificates from Comodo  which have an incorrect KeySpec 1 in the code signing certificates  That means these certificates work fine with signtool  authenticode  but not with strong naming  the sign drop-down     Solution  There are two ways to solve this issue    Create a separate certificate for your strong name using sn -k  name  snk  Sign the assembly using the snk and afterwards use signtool with your code signing certificate to do sign the DLL EXE with the authenticode signature  While this seems strange  from what I understand this is a correct way to deal with certificates  because strong names have a different purpose than authenticode  see also this link for details on how this works   Import your certificate as KeySpec 2  The procedure for this is detailed here    Because I want to use multiple strong names  I currently use option  1   although option  2  also works     To ensure this solution will never get lost in the future  here s the procedure of solution 2    Using the  Certifiates  MMC export the existing keyset  KeySpec 1  to a PFX file  Note  Please backup this file to a safe location and test if the file can be imported ok on another machine if you really want to play it safe  Delete the existing certificate from the crypto store  stlll using the MMC   Open a CMD prompt  Import the PFX file using this command    certutil -importPFX -user  lt pfxfilename gt  AT SIGNATURE Enter the passphrase for the pfx when prompted     You now should have a keyset certificate with KeySpec 2  If needed you can now export this into another PFX file using the MMC again

User · Answer

In my scenario the build service was not using the same user account that I imported the key with using sn exe   After changing the account to my administrator account  everything is working just fine

User · Answer

VSCommands 2010  plugin for Visual Studio  can fix this for you automatically - just right-click on error and click Apply Fix from the menu  You can get it from Visual Studio gallery

User · Answer

As a workaround  I tried running the Visual nbsp Studio nbsp 2010 as an administrator  and it worked for me   I hope this helps

User · Answer

I found that in some cases you should try to delete this key before you install it  So do the following    sn -d VS XXXX sn -i mykey pfx VS XXX

User · Answer

To resolve this problem in Visual nbsp Studio nbsp 2012  I right click the project  properties -   signing   and then uncheck the  Sign the ClickOnce manifests

User · Answer

I had the same problem after moving my Windows installation to an SSD  None of the other solutions worked for me   My solution was to open the project file in Notepad and remove all references to PFX keys  Once the file is saved  open the solution in Visual Studio  Go to project -  Properties -  Signing  You shouldn t see any keys listed in the  choose the strong name key file  combo box  In the combo box  browse to the key  select it and your project can now be built

User · Answer

Reselecting key file in a combobox and entering password helps on this for us    But it is needed to do each time the key file changes and it seems to be not OK

User · Answer

As the original author of the work around on the connect bug report  there are TWO variants of this message  I ve discovered later   For one variant you use sn exe  usually if you are doing strong naming  to import the key to the strong naming store    The other variant for which you use certmgr to import is when you re codesigning for things like click-once deployment  note you can use the same cert for both purposes    Hope this helps

User · Answer

Okay  this worked for me  Open the old solution project as an administrator in Visual nbsp Studio nbsp 2010 and open the new or copied solution project  As an administrator  remove the copied pfk file in the new Visual nbsp Studio nbsp 2010 solution project and go to project properties and unselect it   With both projects open  copy paste to the new one  Go to project properties and select Build  I opened and closed Visual nbsp Studio and also after removing from the new project built it before copying it from the old project and selecting it  I received the error at the start of this post first up when I copied the project and tried to build it

User · Answer

All methods described here didn t help me  But when I deleted the   pfx file from my project and added it to the assembly s signing again  I built my project with without any error  I can t explain reasons why  But it worked for me

User · Answer

I solved this issue for myself by changing the following line in the Visual Studio project s  csproj file   This threw the  cannot import  error    lt PropertyGroup gt   lt SignManifests gt true lt  SignManifests gt   lt  PropertyGroup gt    Changing the value to false made the error go away

[visual-studio-2010] Cannot import the keyfile 'blah.pfx' - error 'The keyfile may be password protected'

Examples related to visual-studio-2010

Examples related to visual-studio

Examples related to passwords

Examples related to pfx