static void SetCngPrivateKeySecurity(SafeCertContextHandle certificate, ICollection <PrivateKeyAccessRule> accessRules)
        {
            using (var key = CertificatePal.GetCngPrivateKey(certificate))
            {
                var security = GetCngPrivateKeySecurity(certificate);

                foreach (var cryptoKeyAccessRule in accessRules.Select(r => r.ToCryptoKeyAccessRule()))
                {
                    security.AddAccessRule(cryptoKeyAccessRule);
                }

                var securityDescriptorBytes = security.GetSecurityDescriptorBinaryForm();
                var gcHandle = GCHandle.Alloc(securityDescriptorBytes, GCHandleType.Pinned);

                var errorCode = NCryptSetProperty(key,
                                                  NCryptProperties.SecurityDescriptor,
                                                  gcHandle.AddrOfPinnedObject(), securityDescriptorBytes.Length,
                                                  (int)NCryptFlags.Silent |
                                                  (int)SecurityDesciptorParts.DACL_SECURITY_INFORMATION);

                gcHandle.Free();

                if (errorCode != 0)
                {
                    throw new CryptographicException(errorCode);
                }
            }
        }
 static CryptoKeySecurity GetCngPrivateKeySecurity(SafeCertContextHandle certificate)
 {
     using (var key = CertificatePal.GetCngPrivateKey(certificate))
     {
         var security = new CryptoKeySecurity();
         security.SetSecurityDescriptorBinaryForm(CertificatePal.GetCngPrivateKeySecurity(key),
                                                  AccessControlSections.Access);
         return(security);
     }
 }
        /// <summary>
        /// Unlike X509Store.Remove() this function also cleans up private-keys
        /// </summary>
        public static void RemoveCertificateFromStore(string thumbprint, StoreLocation storeLocation, string storeName)
        {
            var store = new X509Store(storeName, storeLocation);

            store.Open(OpenFlags.ReadWrite);

            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);

            if (found.Count == 0)
            {
                return;
            }

            var certificate       = found[0];
            var certificateHandle = new SafeCertContextHandle(found[0].Handle, false);

            // If the certificate has a private-key, remove it
            if (certificateHandle.HasPrivateKey())
            {
                var keyProvInfo = certificateHandle.GetCertificateProperty <KeyProviderInfo>(CertificateProperty.KeyProviderInfo);

                // If it is a CNG key
                if (keyProvInfo.dwProvType == 0)
                {
                    try
                    {
                        var key = CertificatePal.GetCngPrivateKey(certificateHandle);
                        CertificatePal.DeleteCngKey(key);
                    }
                    catch (Exception ex)
                    {
                        throw new Exception("Exception while deleting CNG private key", ex);
                    }
                }
                else // CAPI key
                {
                    try
                    {
                        IntPtr providerHandle;
                        var    acquireContextFlags = CryptAcquireContextFlags.Delete | CryptAcquireContextFlags.Silent;
                        if (storeLocation == StoreLocation.LocalMachine)
                        {
                            acquireContextFlags = acquireContextFlags | CryptAcquireContextFlags.MachineKeySet;
                        }

                        var success = Native.CryptAcquireContext(out providerHandle, keyProvInfo.pwszContainerName,
                                                                 keyProvInfo.pwszProvName,
                                                                 keyProvInfo.dwProvType, acquireContextFlags);

                        if (!success)
                        {
                            throw new CryptographicException(Marshal.GetLastWin32Error());
                        }
                    }
                    catch (Exception ex)
                    {
                        // Swallow keyset does not exist
                        if (!(ex is CryptographicException && ex.Message.Contains("Keyset does not exist")))
                        {
                            throw new Exception("Exception while deleting CAPI private key", ex);
                        }
                    }
                }
            }

            store.Remove(certificate);
            store.Close();
        }