Sending an HTTPS request with an x509 client certificate fails on the next day

I'm currently working on connecting my C# application to a customer's enterprise service bus. The connection has to be established over HTTPS using an X509 client certificate trusted by the customer. The customer provided me a certificate as a .p12 file containing a private key.

Using a PowerShell script for testing, I am able to make a successful connection to the ESB. Strangely, one day after importing the certificate into the Windows certificate store, the connection fails:

The request was aborted: Could not create SSL/TLS secure channel.
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()

If I delete the certificate from the store, then reimport it again, the connection will work for another day. (I couldn't prove any relation to the server session, yet.)

Printing out the certificate's properties, I noticed the "PrivateKey" property has changed:

Before

EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Secure Email (1.3.6.1.5.5.7.3.4), IP security user (1.3.6.1.5.5.7.3.7), Encrypting File System (1.3.6.1.4.1.311.10.3.4)...}
SendAsTrustedIssuer  : False
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 2/1/2026 1:00:00 AM
NotBefore            : 2/1/2022 2:25:59 PM
HasPrivateKey        : True
PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
SubjectName          : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm   : System.Security.Cryptography.Oid
Version              : 3

After

EnhancedKeyUsageList : {Client Authentication (1.3.6.1.5.5.7.3.2), Secure Email (1.3.6.1.5.5.7.3.4), IP security user (1.3.6.1.5.5.7.3.7), Encrypting File System (1.3.6.1.4.1.311.10.3.4)...}
SendAsTrustedIssuer  : False
Archived             : False
Extensions           : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
IssuerName           : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter             : 2/1/2026 1:00:00 AM
NotBefore            : 2/1/2022 2:25:59 PM
HasPrivateKey        : True
PrivateKey           :
PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
SignatureAlgorithm   : System.Security.Cryptography.Oid
Version              : 3

Any ideas how to import the certificate to use the private key persistently?

Steps for testing

  1. Import the .p12 file using the Windows wizard and the password into LocalMachine/My

  2. Load the certificate

# $certName holds the subject distinguished name of the imported client certificate
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::My, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $store.Certificates.Find([System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName, $certName, $true)
$store.Close()

  3. Invoke the request to the HTTPS endpoint

# $uri is the ESB endpoint and $body the XML payload; the first match of the Find call is used
$response = Invoke-WebRequest -Certificate $cert[0] -Uri $uri -Body $body -ContentType 'text/xml;charset="utf-8"' -Method "POST"

  4. On the next day invoking the request again fails


Solution 1:[1]

So it appears you just have to run your script / app accessing the certificate in elevated mode. With PowerShell it wasn't enough to be logged on as a local administrator.

What confused me was that you don't need to run it elevated, as long as you imported the certificate in the same login session.
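As an added diagnostic (not code from the question or the answer), the script below checks the three things this thread turns on: whether the process is elevated, whether the private key can actually be opened rather than merely flagged by HasPrivateKey, and, for a CAPI key (RSACryptoServiceProvider, as in the question), where the key container lives and which accounts have access to it. The subject DN in $subjectName is a placeholder.

```powershell
# Added diagnostic script; not part of the original question or answer.
# Assumptions: the certificate sits in LocalMachine\My and $subjectName holds its
# subject DN (placeholder value below, replace it with the real one).
$subjectName = 'CN=client-cert-placeholder'

# 1. Is this process elevated? The accepted answer says key access only works elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as {0}, elevated: {1}" -f $identity.Name, $elevated

# 2. Locate the certificate and see whether the private key is really usable.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $subjectName } | Select-Object -First 1
if (-not $cert) { throw "Certificate '$subjectName' not found in LocalMachine\My" }
"HasPrivateKey (metadata only): $($cert.HasPrivateKey)"

try {
    # GetRSAPrivateKey actually opens the key container; this is what the TLS handshake needs.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw 'no RSA private key returned' }
    "Private key opened: $($rsa.GetType().Name), $($rsa.KeySize) bit"
} catch {
    "Private key NOT accessible: $($_.Exception.Message)"
}

# 3. For CAPI keys report where the key container lives and who may read it. A key
#    outside the machine key store, or whose ACL excludes the account running the
#    request, is only usable for some logons even though the certificate is present.
try {
    $csp = $cert.PrivateKey
    if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $csp.CspKeyContainerInfo
        "Machine key store: $($info.MachineKeyStore), container: $($info.UniqueKeyContainerName)"
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
        if (Test-Path $path) {
            (Get-Acl $path).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        }
    }
} catch {
    "PrivateKey property threw: $($_.Exception.Message)"
}
```

Run it unelevated, elevated, and again after the connection has stopped working, and compare the outputs: a HasPrivateKey of True with a key that cannot be opened matches the "After" listing in the question. Where the ACL is the difference, granting the service account read access to the key container is a narrower fix than running the whole application elevated.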

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Pandabytes