Archived Forum Post

Index of archived forum posts

Question:

Try to load PFX file into CertStore - Error: Failed to get authenticated safe

Dec 03 '16 at 16:14

Hello Everybody,

I'm using FTP2 version 9.5.0.64, I try to read an private key into a certStore for use with login at a ftp via S-FTP. I just use the code from the example with the method LoadPfxFile wiht correct path and password, but I get the folloging LastErrorText:

ChilkatLog:
  LoadPfxFile:
    DllDate: Nov 12 2016
    ChilkatVersion: 9.5.0.64
    UnlockPrefix: NONE
    Architecture: Little Endian; 32-bit
    Language: ActiveX
    VerboseLogging: 1
    pfxPath: C:\.............\<myfile>.ppk
    importPfxData:
      pkcs12FromDb:
        loadPkcs12Inner:
          verifyHmacIntegrity:
            PFX does not have MacData for integrity verification.
          --verifyHmacIntegrity
          der_to_xml:
            Found primitive SEQUENCE or SETOF in ASN.1!
            ASN data length exceeds remaining number of bytes available.
            tag: 11
            idClass: 0
            bConstructed: 1
            headerLen: 2
            dataLen: 51
            inlen: 48
            Abort ASN.1 processing...
            recursiveDepth: 2
            Abort ASN.1 processing...
            recursiveDepth: 1
          --der_to_xml
          Failed to get authenticated safe.
        --loadPkcs12Inner
      --pkcs12FromDb
    --importPfxData
    Failed.
  --LoadPfxFile
--ChilkatLog

Can you please tell me what's wrong?

---

Answer

A .ppk is a PuTTY private key file (it's not a .pfx/.p12 file). A PFX (PKCS12) file is a format that contains one or more unencrypted certificates and one or more shrouded (encrypted) private keys. Typically, a PFX contains a certificate chain + 1 shrouded private key.

A .ppk however, is an entirely different format, and only contains a private key (no certificate).

Private keys are not stored in a Windows certificate store. Part of the X.509 certificate format is that it embeds the public part of the cert's associated private key. The cert (and its embedded public key) never need to be encrypted. If a .pfx (not .ppk) is "installed" on a Windows system, the certificate is installed into the Windows registry (unencrypted), and the private key is installed to something called the "protected store", which is encrypted.

If you have only a private key (no cert), then it make no sense to "install" it into a certificate store, because that's not what certificate stores contain.