PRB: X509Certificate Supports Only DER-Encoded Certificates (318217)



The information in this article applies to:

  • Microsoft .NET Framework Class Libraries 1.0
  • Microsoft .NET Framework Class Libraries 1.1

This article was previously published under Q318217
This article refers to the following Microsoft .NET Framework Class Library namespaces:
  • System.IO
  • System.Security.Cryptography.X509Certificates
  • System.Text

SYMPTOMS

When you use the System.Security.Cryptography.X509Certificates.X509Certificate class, you may receive the following error message:
Input data cannot be coded as a valid certificate.
This problem occurs if one of the following conditions is true:
  • You use the X509Certificate constructor and pass it an array of bytes that was read from a Base64-encoded X.509 (.cer) file.
  -or-
  • You use the X509Certificate.CreateFromCertFile method and pass it the path to a Base64-encoded X.509 (.cer) file.

CAUSE

This problem occurs because the X509Certificate class only supports binary X.509 (.cer) certificates that are encoded in Distinguished Encoding Rules (DER). It does not recognize or decode the Base64 text form (the PEM-style file with BEGIN/END CERTIFICATE markers), so the bytes of such a file are rejected as an invalid certificate.

RESOLUTION

If the certificate is Base64-encoded, follow these steps to resolve this problem:
  1. Remove the following strings from the certificate data:

    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

  2. Decode the Base64 certificate data and pass the resulting DER bytes to the class. For example, the following Visual C# sample code decodes Base64 certificate data:
    using System;
    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;

    namespace ReadBase64Cert
    {
        public class ReadBase64Cert
        {
            public static void Main(string[] args)
            {
                if (args.Length < 1)
                {
                    Console.WriteLine("Usage: ReadBase64Cert <Base64-encoded .cer file>\n");
                    return;
                }

                // args[0] - Base64-encoded .cer file

                // Open the certificate and read it into a byte array.
                // FileStream.Read may return fewer bytes than requested,
                // so keep reading until the whole file is in the buffer.
                FileStream certFile = new FileStream(args[0],
                    FileMode.Open,
                    FileAccess.Read);
                byte[] certBytes = new byte[(int)certFile.Length];
                int offset = 0;
                while (offset < certBytes.Length)
                {
                    int read = certFile.Read(certBytes, offset, certBytes.Length - offset);
                    if (read <= 0) break;
                    offset += read;
                }
                certFile.Close();

                // Remove the PEM markers. The line breaks between them can stay:
                // Convert.FromBase64String ignores whitespace.
                String certString = Encoding.ASCII.GetString(certBytes, 0, offset);
                StringBuilder sb = new StringBuilder(certString);
                sb.Replace("-----BEGIN CERTIFICATE-----", "");
                sb.Replace("-----END CERTIFICATE-----", "");

                // Decode the Base64 text to the raw DER bytes the class expects.
                certBytes = Convert.FromBase64String(sb.ToString());
                X509Certificate cert = new X509Certificate(certBytes);
                Console.WriteLine(cert.GetName());
            }
        }
    }

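The sample above assumes you already know the file is Base64-encoded. In practice a .cer file exported from Windows may be either DER or Base64, so a loader usually has to detect the form itself. The following helper is an added example, not code from the article: it accepts either form, strips the PEM markers when present, and checks that what it hands to X509Certificate really starts with the ASN.1 SEQUENCE tag (0x30) that every DER certificate begins with. The names LoadAnyCert, CertLoader, ReadAllBytes and ToDer are chosen for this example; the X509Certificate members it calls (GetName, GetIssuerName, GetCertHashString) are the .NET Framework 1.x API the article covers.

```csharp
// Added example (not part of the KB article): load a certificate from a
// .cer file in either DER or Base64 (PEM) form by normalizing to DER first.
// Written against the .NET Framework 1.x X509Certificate API.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace LoadAnyCert
{
    public class CertLoader
    {
        const string BeginMarker = "-----BEGIN CERTIFICATE-----";
        const string EndMarker   = "-----END CERTIFICATE-----";

        // Reads the whole file. FileStream.Read may return fewer bytes than
        // requested, so loop until the buffer is full or the stream ends.
        public static byte[] ReadAllBytes(string path)
        {
            FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read);
            try
            {
                byte[] buffer = new byte[(int)fs.Length];
                int offset = 0;
                while (offset < buffer.Length)
                {
                    int read = fs.Read(buffer, offset, buffer.Length - offset);
                    if (read <= 0) break;
                    offset += read;
                }
                return buffer;
            }
            finally
            {
                fs.Close();
            }
        }

        // Returns DER bytes. A DER certificate is an ASN.1 SEQUENCE, so its
        // first byte is 0x30; a PEM file starts with '-' and is decoded.
        public static byte[] ToDer(byte[] fileBytes)
        {
            if (fileBytes.Length > 0 && fileBytes[0] == 0x30)
                return fileBytes;   // already DER, pass through unchanged

            string text = Encoding.ASCII.GetString(fileBytes);
            int start = text.IndexOf(BeginMarker);
            int end = text.IndexOf(EndMarker);
            if (start < 0 || end < 0 || end < start)
                throw new ArgumentException("Input is neither DER nor a PEM CERTIFICATE block.");

            // Keep only the Base64 body between the markers. If the file holds
            // several PEM blocks (a chain), this takes the first one.
            start += BeginMarker.Length;
            string body = text.Substring(start, end - start);

            // Convert.FromBase64String ignores whitespace, so the line breaks
            // inside the PEM body do not need to be removed explicitly.
            byte[] der = Convert.FromBase64String(body);
            if (der.Length == 0 || der[0] != 0x30)
                throw new ArgumentException("Decoded data is not a DER certificate.");
            return der;
        }

        public static void Main(string[] args)
        {
            if (args.Length < 1)
            {
                Console.WriteLine("Usage: LoadAnyCert <certificate file (.cer, DER or Base64)>");
                return;
            }
            byte[] der = ToDer(ReadAllBytes(args[0]));
            X509Certificate cert = new X509Certificate(der);
            Console.WriteLine("Subject:    " + cert.GetName());
            Console.WriteLine("Issuer:     " + cert.GetIssuerName());
            Console.WriteLine("Thumbprint: " + cert.GetCertHashString());
        }
    }
}
```

Checking the leading 0x30 byte on both paths means a file that is neither form (for example a PKCS#7 .p7b or a private-key PEM block) is rejected with a clear message before X509Certificate ever sees it, instead of surfacing as the generic "Input data cannot be coded as a valid certificate" error. The helper does not validate the certificate chain or expiry; X509Certificate in .NET 1.x parses the structure only, so any trust decision still has to be made separately.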
STATUS

This behavior is by design.

Modification Type: Major    Last Reviewed: 10/20/2003
Keywords:kbCrypt kbKernBase kbprb kbSecurity KB318217 kbAudDeveloper