Orchestrate your PKI infrastructure and streamline security for your public key certificates.

Click Here

    How to access Certificate’s private key in .NET Framework?

    How to access Certificate’s private key in .NET Framework?
    22 Oct 2021

    How to access Certificate’s private key in .NET Framework?

    Read time: 10 minutes

    Cryptographic Application Programming Interface or CryptoAPI is an application programming interface included with Microsoft Windows operating systems. It was first included in Windows NT 4.0 and provides services that enable developers to use cryptography to protect Windows-based applications. 

    A Cryptographic Service Provider (CSP) is a software library that implements the CryptoAPI in Microsoft Windows. Encoding and decoding functions are implemented by CSPs, which computer application programmes can leverage to establish either strong user authentication or secure email. Each CSP is in charge of the keys it stores and it provides an abstraction layer between the client and the certificate keys. Because CSP maintains keys in an encrypted format, gaining access to the private key raw file will provide you with no relevant information. In this way Microsoft provides key security. Instead of providing raw access to key material (which mitigates key leakage to some extent), you utilize regular CryptoAPI calls and ask a specific CSP to conduct cryptographic operations such as encryption, signing etc. using named key. You can export key material in common formats like PKCS#12 in some circumstances, but not in others. In theory, this notion was designed to safeguard keys from leaks while also making developer’s lives easier by abstracting cryptographic operations via a collection of CryptoAPI functions (the majority of which are specified in the crypt32.dll library) that operate with keys. 

    Cryptography Next Generation (CNG) is the replacement cryptography application programming interface (API) for the original Windows CryptoAPI. The new APIs will allow the use of newer, stronger encryption and signing algorithms when implementing cryptography.

     CNG has the following features that differentiate it from the legacy CryptoAPI:
    1. Auditing: CNG increases auditing abilities to meet Common Criteria requirements.
    2. Certification and Compliance: It is targeting Federal Information Processing Standards (FIPS) 140-2 level 2 certification together with Common Criteria evaluation on selected platforms.
    3. Cryptographic Agility: It will have the ability to deploy new cryptographic algorithms for an existing protocol such as Transport Layer Security/Secure Sockets Layer (TLS/SSL) or to disable algorithms if a vulnerability is found with the specific algorithm.
    4. Kernel Mode Support: CNG supports cryptography in kernel mode. Kernel mode provides better performance for common cryptographic features such as TLS/SSL and IPsec.
    5. Key Storage: CNG provides a model for key storage that supports both legacy and CNG-capable applications.
    6. Key isolation: CNG isolates long-lived keys so that they are never present in the application process.
    ADCS, ADDS, EFS, IIS, RDS, Internet Explorer, and other built-in Windows components and services had native CNG support. In 2006, almost everything that came with Windows OS and wasn’t built on .NET was compatible with CNG. Also, CNG compatibility was added only to a small number of third-party products.
    Let’s now analyse the cryptography stack prior to and following the release of .NET 4.6 

    Prior to .NET 4.6

    Before version 4.6 of the.NET Framework, cryptography support in .NET was limited to Windows and relied on the legacy CryptoAPI library calls. The easiest and probably the only possible way to get access to the certificate’s private key was to write the following code:

    public class Class1 {

         public Class1() {

             var cert = new X509Certificate2(…);

             var privateKey = (RSACryptoServiceProvider)cert.PrivateKey;


             // or



     X509Certificate2 class has a PrivateKey property of AsymmetricAlgorithm type. Actual algorithm implementations are accessed through explicit algorithm groups like as RSA, DSA, ECDsa, and ECDiffieHellman. There was only one platform-specific implementation for these classes. In RSA In it was RSACryptoServiceProvider. So, without a doubt, the prior example worked most of the time. InvalidCastException may be thrown in extremely uncommon circumstances.

    After .NET 4.6

    For a long time after CNG’s release, the.NET team was lambasted for providing inadequate to no CNG support. Despite the fact that CNG has been around for almost 14 years, the whole System Center product line, Exchange Server, ADFS, and many other products still do not support it.  In version 3.5, the.NET team included a very simple CngKey class for accessing CNG storages and keys. This class was not in any manner connected with the X509Certificate2 class.

    Things only became real with the release of version 4.6 of .NET Framework, which dramatically improved CNG support by introducing its implementations for asymmetric key algorithms such as RSACng, DSACng, ECDsaCng, and ECDiffieHellmanCng. You may completely access CNG keys in your.NET applications using these classes. RSA keys are implemented in two ways in.NET: the legacy RSACryptoServiceProvider and the new RSACng. It’ll be difficult to predict where the key is kept at runtime, in CSP or KSP and depending on key storage, a cast to different types is required. Because the RSA abstract class lacked methods to conduct cryptographic operations, this cast must be done at compile time. The .NET Team added cryptographic methods to abstract base classes, allowing you to utilise them without knowing how they were being implemented: legacy CSP or current KSP.

    Rather than correcting the X509Certificate.PrivateKeyproperty, the.NET team provided the following extension methods to the X509Certificate2 class:

    • GetRSAPublicKey(X509Certificate2)

    • GetRSAPrivateKey(X509Certificate2)

    • Each asymmetric key algorithm has two techniques.

    This is the recommended method for accessing public and private keys since version 4.6. What you should know ahead of time is which method to use: RSA, DSA, or ECDsa. You can check it at runtime by looking at the public key’s algorithm OID: X509Certificate2.PublicKey has OID which helps in identifying the asymmetric key algorithm .To get the right key, add this property to the switch statement and call the necessary extension methods.

    Direct access to X509Certificate2.PrivateKey and X509Certificate2.PublicKey is still possible in 4.6. However, the use of these properties is no longer recommended. Only the techniques stated in the extension methods will provide you access to keys.

    These improvements not only resolved CNG support in the X509Certificate2 class, but also aided in migration of the class to.NET Core and other platforms with radically different cryptography subsystems, as well as the addition of platform-specific implementations for asymmetric algorithms. So far, everything has gone well.

    The correct code for accessing certificate’s private key in .NET framework v4.6 and above is as mentioned below:

    public class Class1 {

         public Class1() {

             var cert = new X509Certificate2(…);

             RSA privateKey = cert.GetRSAPrivateKey();

             // use the key




    Over the years the cryptography application programming interface has evolved and with CNG being released it has ensured the use of newer, stronger encryption and signing algorithms when implementing cryptography. Gradually the support for it has also greatly improved in version 4.6 and above of .NET Framework. The above article clearly states the recommended methods of accessing certificate’s private keys in .NET Framework/.NET Core.

    build your own customized PKI infrastructure.

    Want to learn from PKI Experts

    We train some of the biggest names in the industry through virtual & Live Classes

    Get a Free Quote for your PKI services

    Free Downloads for PKI services