/// <inheritdoc/> public async Task <X509CRLCollection> EnumerateCRLs(X509Certificate2 issuer, bool validateUpdateTime = true) { if (issuer == null) { throw new ArgumentNullException(nameof(issuer)); } var crls = new X509CRLCollection(); foreach (X509CRL crl in await EnumerateCRLs().ConfigureAwait(false)) { if (!X509Utils.CompareDistinguishedName(crl.IssuerName, issuer.SubjectName)) { continue; } if (!crl.VerifySignature(issuer, false)) { continue; } if (!validateUpdateTime || crl.ThisUpdate <= DateTime.UtcNow && (crl.NextUpdate == DateTime.MinValue || crl.NextUpdate >= DateTime.UtcNow)) { crls.Add(crl); } } return(crls); }
/// <summary> /// Returns the CRLs for the issuer. /// </summary> public List <X509CRL> EnumerateCRLs(X509Certificate2 issuer, bool validateUpdateTime = true) { if (issuer == null) { throw new ArgumentNullException(nameof(issuer)); } List <X509CRL> crls = new List <X509CRL>(); foreach (X509CRL crl in EnumerateCRLs()) { if (!X509Utils.CompareDistinguishedName(crl.Issuer, issuer.Subject)) { continue; } if (!crl.VerifySignature(issuer, false)) { continue; } if (!validateUpdateTime || crl.ThisUpdate <= DateTime.UtcNow && (crl.NextUpdate == DateTime.MinValue || crl.NextUpdate >= DateTime.UtcNow)) { crls.Add(crl); } } return(crls); }
/// <summary> /// Finds a certificate in the specified collection. /// </summary> /// <param name="collection">The collection.</param> /// <param name="thumbprint">The thumbprint of the certificate.</param> /// <param name="subjectName">Subject name of the certificate.</param> /// <param name="needPrivateKey">if set to <c>true</c> [need private key].</param> /// <returns></returns> public static X509Certificate2 Find(X509Certificate2Collection collection, string thumbprint, string subjectName, bool needPrivateKey) { // find by thumbprint. if (!String.IsNullOrEmpty(thumbprint)) { collection = collection.Find(X509FindType.FindByThumbprint, thumbprint, false); foreach (X509Certificate2 certificate in collection) { if (!needPrivateKey || certificate.HasPrivateKey) { if (String.IsNullOrEmpty(subjectName)) { return(certificate); } List <string> subjectName2 = X509Utils.ParseDistinguishedName(subjectName); if (X509Utils.CompareDistinguishedName(certificate, subjectName2)) { return(certificate); } } } return(null); } // find by subject name. if (!String.IsNullOrEmpty(subjectName)) { List <string> subjectName2 = X509Utils.ParseDistinguishedName(subjectName); foreach (X509Certificate2 certificate in collection) { if (X509Utils.CompareDistinguishedName(certificate, subjectName2)) { if ((!needPrivateKey || certificate.HasPrivateKey) && X509Utils.GetRSAPublicKeySize(certificate) >= 0) { return(certificate); } } } collection = collection.Find(X509FindType.FindBySubjectName, subjectName, false); foreach (X509Certificate2 certificate in collection) { if ((!needPrivateKey || certificate.HasPrivateKey) && X509Utils.GetRSAPublicKeySize(certificate) >= 0) { return(certificate); } } } // certificate not found. return(null); }
/// <summary> /// Returns the issuers for the certificates. /// </summary> public async Task <bool> GetIssuers(X509Certificate2Collection certificates, List <CertificateIdentifier> issuers) { bool isTrusted = false; CertificateIdentifier issuer = null; X509Certificate2 certificate = certificates[0]; CertificateIdentifierCollection collection = new CertificateIdentifierCollection(); for (int ii = 1; ii < certificates.Count; ii++) { collection.Add(new CertificateIdentifier(certificates[ii])); } do { issuer = await GetIssuer(certificate, m_trustedCertificateList, m_trustedCertificateStore, true); if (issuer == null) { issuer = await GetIssuer(certificate, m_issuerCertificateList, m_issuerCertificateStore, true); if (issuer == null) { issuer = await GetIssuer(certificate, collection, null, true); } } else { isTrusted = true; } if (issuer != null) { issuers.Add(issuer); certificate = await issuer.Find(false); // check for root. if (X509Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { break; } } }while (issuer != null); return(isTrusted); }
/// <summary> /// Adds a CRL to the store. /// </summary> public void AddCRL(X509CRL crl) { if (crl == null) { throw new ArgumentNullException(nameof(crl)); } X509Certificate2 issuer = null; X509Certificate2Collection certificates = null; certificates = Enumerate().Result; foreach (X509Certificate2 certificate in certificates) { if (X509Utils.CompareDistinguishedName(certificate.Subject, crl.Issuer)) { if (crl.VerifySignature(certificate, false)) { issuer = certificate; break; } } } if (issuer == null) { throw new ServiceResultException(StatusCodes.BadCertificateInvalid, "Could not find issuer of the CRL."); } StringBuilder builder = new StringBuilder(); builder.Append(m_directory.FullName); builder.Append(Path.DirectorySeparatorChar).Append("crl").Append(Path.DirectorySeparatorChar); builder.Append(GetFileName(issuer)); builder.Append(".crl"); FileInfo fileInfo = new FileInfo(builder.ToString()); if (!fileInfo.Directory.Exists) { fileInfo.Directory.Create(); } File.WriteAllBytes(fileInfo.FullName, crl.RawData); }
/// <summary> /// Get the certificate by issuer and serial number. /// </summary> public static async Task <X509Certificate2> FindIssuerCABySerialNumberAsync( ICertificateStore store, string issuer, string serialnumber) { X509Certificate2Collection certificates = await store.Enumerate(); foreach (var certificate in certificates) { if (X509Utils.CompareDistinguishedName(certificate.Subject, issuer) && Utils.IsEqual(certificate.SerialNumber, serialnumber)) { return(certificate); } } return(null); }
/// <summary> /// Returns true if the certificate matches the criteria. /// </summary> private bool Match( X509Certificate2 certificate, string subjectName, string serialNumber, string authorityKeyId) { // check for null. if (certificate == null) { return(false); } // check for subject name match. if (!X509Utils.CompareDistinguishedName(certificate.SubjectName.Name, subjectName)) { return(false); } // check for serial number match. if (!String.IsNullOrEmpty(serialNumber)) { if (certificate.SerialNumber != serialNumber) { return(false); } } // check for authority key id match. if (!String.IsNullOrEmpty(authorityKeyId)) { X509SubjectKeyIdentifierExtension subjectKeyId = X509Extensions.FindExtension <X509SubjectKeyIdentifierExtension>(certificate); if (subjectKeyId != null) { if (subjectKeyId.SubjectKeyIdentifier != authorityKeyId) { return(false); } } } // found match. return(true); }
/// <summary> /// Checks if issuer has revoked the certificate. /// </summary> public StatusCode IsRevoked(X509Certificate2 issuer, X509Certificate2 certificate) { if (issuer == null) { throw new ArgumentNullException(nameof(issuer)); } if (certificate == null) { throw new ArgumentNullException(nameof(certificate)); } // check for CRL. DirectoryInfo info = new DirectoryInfo(this.Directory.FullName + Path.DirectorySeparatorChar + "crl"); if (info.Exists) { bool crlExpired = true; foreach (FileInfo file in info.GetFiles("*.crl")) { X509CRL crl = null; try { crl = new X509CRL(file.FullName); } catch (Exception e) { Utils.LogError(e, "Could not parse CRL file."); continue; } if (!X509Utils.CompareDistinguishedName(crl.Issuer, issuer.Subject)) { continue; } if (!crl.VerifySignature(issuer, false)) { continue; } if (crl.IsRevoked(certificate)) { return(StatusCodes.BadCertificateRevoked); } if (crl.ThisUpdate <= DateTime.UtcNow && (crl.NextUpdate == DateTime.MinValue || crl.NextUpdate >= DateTime.UtcNow)) { crlExpired = false; } } // certificate is fine. if (!crlExpired) { return(StatusCodes.Good); } } // can't find a valid CRL. return(StatusCodes.BadCertificateRevocationUnknown); }
/// <summary> /// Loads the private key from a PFX file in the certificate store. /// </summary> public X509Certificate2 LoadPrivateKey(string thumbprint, string subjectName, string password) { if (m_certificateSubdir == null || !m_certificateSubdir.Exists) { return(null); } if (string.IsNullOrEmpty(thumbprint) && string.IsNullOrEmpty(subjectName)) { return(null); } foreach (FileInfo file in m_certificateSubdir.GetFiles("*.der")) { try { X509Certificate2 certificate = new X509Certificate2(file.FullName); if (!String.IsNullOrEmpty(thumbprint)) { if (!string.Equals(certificate.Thumbprint, thumbprint, StringComparison.CurrentCultureIgnoreCase)) { continue; } } if (!String.IsNullOrEmpty(subjectName)) { if (!X509Utils.CompareDistinguishedName(subjectName, certificate.Subject)) { if (subjectName.Contains('=')) { continue; } if (!X509Utils.ParseDistinguishedName(certificate.Subject).Any(s => s.Equals("CN=" + subjectName, StringComparison.OrdinalIgnoreCase))) { continue; } } } // skip if not RSA certificate if (X509Utils.GetRSAPublicKeySize(certificate) < 0) { continue; } string fileRoot = file.Name.Substring(0, file.Name.Length - file.Extension.Length); StringBuilder filePath = new StringBuilder() .Append(m_privateKeySubdir.FullName) .Append(Path.DirectorySeparatorChar) .Append(fileRoot); X509KeyStorageFlags[] storageFlags = { X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet }; FileInfo privateKeyFile = new FileInfo(filePath.ToString() + ".pfx"); password = password ?? String.Empty; foreach (var flag in storageFlags) { try { certificate = new X509Certificate2( privateKeyFile.FullName, password, flag); if (X509Utils.VerifyRSAKeyPair(certificate, certificate, true)) { return(certificate); } } catch (Exception) { certificate?.Dispose(); certificate = null; } } } catch (Exception e) { Utils.LogError(e, "Could not load private key for certificate " + subjectName); } } return(null); }
/// <summary> /// Check for self signed certificate if there is match of the Subject/Issuer. /// </summary> /// <param name="certificate">The certificate to test.</param> /// <returns>True if self signed.</returns> public static bool IsSelfSigned(X509Certificate2 certificate) { return(X509Utils.CompareDistinguishedName(certificate.SubjectName, certificate.IssuerName)); }
private static ServiceResult CheckChainStatus(X509ChainStatus status, CertificateIdentifier id, CertificateIdentifier issuer, bool isIssuer) { switch (status.Status) { case X509ChainStatusFlags.NotValidForUsage: { return(ServiceResult.Create( (isIssuer) ? StatusCodes.BadCertificateUseNotAllowed : StatusCodes.BadCertificateIssuerUseNotAllowed, "Certificate may not be used as an application instance certificate. {0}: {1}", status.Status, status.StatusInformation)); } case X509ChainStatusFlags.NoError: case X509ChainStatusFlags.OfflineRevocation: case X509ChainStatusFlags.InvalidBasicConstraints: { break; } case X509ChainStatusFlags.PartialChain: case X509ChainStatusFlags.UntrustedRoot: { // self signed cert signature validation // .Net Core ChainStatus returns NotSignatureValid only on Windows, // so we have to do the extra cert signature check on all platforms if (issuer == null && !isIssuer && id.Certificate != null && X509Utils.CompareDistinguishedName(id.Certificate.Subject, id.Certificate.Issuer)) { if (!IsSignatureValid(id.Certificate)) { goto case X509ChainStatusFlags.NotSignatureValid; } } // ignore this error because the root check is done // by looking the certificate up in the trusted issuer stores passed to the validator. // the ChainStatus uses the trusted issuer stores. break; } case X509ChainStatusFlags.RevocationStatusUnknown: { if (issuer != null) { if ((issuer.ValidationOptions & CertificateValidationOptions.SuppressRevocationStatusUnknown) != 0) { break; } } // check for meaning less errors for self-signed certificates. if (id.Certificate != null && X509Utils.CompareDistinguishedName(id.Certificate.Subject, id.Certificate.Subject)) { break; } return(ServiceResult.Create( (isIssuer) ? StatusCodes.BadCertificateIssuerRevocationUnknown : StatusCodes.BadCertificateRevocationUnknown, "Certificate revocation status cannot be verified. {0}: {1}", status.Status, status.StatusInformation)); } case X509ChainStatusFlags.Revoked: { return(ServiceResult.Create( (isIssuer) ? StatusCodes.BadCertificateIssuerRevoked : StatusCodes.BadCertificateRevoked, "Certificate has been revoked. {0}: {1}", status.Status, status.StatusInformation)); } case X509ChainStatusFlags.NotTimeNested: { if (id != null && ((id.ValidationOptions & CertificateValidationOptions.SuppressCertificateExpired) != 0)) { // TODO: add logging break; } return(ServiceResult.Create( StatusCodes.BadCertificateIssuerTimeInvalid, "Issuer Certificate has expired or is not yet valid. {0}: {1}", status.Status, status.StatusInformation)); } case X509ChainStatusFlags.NotTimeValid: { if (id != null && ((id.ValidationOptions & CertificateValidationOptions.SuppressCertificateExpired) != 0)) { // TODO: add logging break; } return(ServiceResult.Create( (isIssuer) ? StatusCodes.BadCertificateIssuerTimeInvalid : StatusCodes.BadCertificateTimeInvalid, "Certificate has expired or is not yet valid. {0}: {1}", status.Status, status.StatusInformation)); } case X509ChainStatusFlags.NotSignatureValid: default: { return(ServiceResult.Create( StatusCodes.BadCertificateInvalid, "Certificate validation failed. {0}: {1}", status.Status, status.StatusInformation)); } } return(null); }
/// <summary> /// Throws an exception if validation fails. /// </summary> /// <param name="certificates">The certificates to be checked.</param> /// <exception cref="ServiceResultException">If certificate[0] cannot be accepted</exception> protected virtual async Task InternalValidate(X509Certificate2Collection certificates) { X509Certificate2 certificate = certificates[0]; // check for previously validated certificate. X509Certificate2 certificate2 = null; if (m_validatedCertificates.TryGetValue(certificate.Thumbprint, out certificate2)) { if (Utils.IsEqual(certificate2.RawData, certificate.RawData)) { return; } } CertificateIdentifier trustedCertificate = await GetTrustedCertificate(certificate); // get the issuers (checks the revocation lists if using directory stores). List <CertificateIdentifier> issuers = new List <CertificateIdentifier>(); bool isIssuerTrusted = await GetIssuers(certificates, issuers); // setup policy chain X509ChainPolicy policy = new X509ChainPolicy(); policy.RevocationFlag = X509RevocationFlag.EntireChain; policy.RevocationMode = X509RevocationMode.NoCheck; policy.VerificationFlags = X509VerificationFlags.NoFlag; foreach (CertificateIdentifier issuer in issuers) { if ((issuer.ValidationOptions & CertificateValidationOptions.SuppressRevocationStatusUnknown) != 0) { policy.VerificationFlags |= X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreCtlSignerRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreEndRevocationUnknown; policy.VerificationFlags |= X509VerificationFlags.IgnoreRootRevocationUnknown; } // we did the revocation check in the GetIssuers call. No need here. policy.RevocationMode = X509RevocationMode.NoCheck; policy.ExtraStore.Add(issuer.Certificate); } // build chain. X509Chain chain = new X509Chain(); chain.ChainPolicy = policy; chain.Build(certificate); // check the chain results. CertificateIdentifier target = trustedCertificate; if (target == null) { target = new CertificateIdentifier(certificate); } ServiceResult sresult = null; for (int ii = 0; ii < chain.ChainElements.Count; ii++) { X509ChainElement element = chain.ChainElements[ii]; CertificateIdentifier issuer = null; if (ii < issuers.Count) { issuer = issuers[ii]; } // check for chain status errors. if (element.ChainElementStatus.Length > 0) { foreach (X509ChainStatus status in element.ChainElementStatus) { ServiceResult result = CheckChainStatus(status, target, issuer, (ii != 0)); if (ServiceResult.IsBad(result)) { sresult = new ServiceResult(result, sresult); } } } if (issuer != null) { target = issuer; } } // check whether the chain is complete (if there is a chain) bool issuedByCA = !X509Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer); bool chainIncomplete = false; if (issuers.Count > 0) { var rootCertificate = issuers[issuers.Count - 1].Certificate; if (!X509Utils.CompareDistinguishedName(rootCertificate.Subject, rootCertificate.Issuer)) { chainIncomplete = true; } } else { if (issuedByCA) { // no issuer found at all chainIncomplete = true; } } // check if certificate issuer is trusted. if (issuedByCA && !isIssuerTrusted && trustedCertificate == null) { var message = CertificateMessage("Certificate issuer is not trusted.", certificate); sresult = new ServiceResult(StatusCodes.BadCertificateUntrusted, null, null, message, null, sresult ); } // check if certificate is trusted. if (trustedCertificate == null && !isIssuerTrusted) { if (m_applicationCertificate == null || !Utils.IsEqual(m_applicationCertificate.RawData, certificate.RawData)) { var message = CertificateMessage("Certificate is not trusted.", certificate); sresult = new ServiceResult(StatusCodes.BadCertificateUntrusted, null, null, message, null, sresult ); } } // check if certificate is valid for use as app/sw or user cert X509KeyUsageFlags certificateKeyUsage = X509Utils.GetKeyUsage(certificate); if ((certificateKeyUsage & X509KeyUsageFlags.DataEncipherment) == 0) { sresult = new ServiceResult(StatusCodes.BadCertificateUseNotAllowed, null, null, "Usage of certificate is not allowed.", null, sresult ); } // check if minimum requirements are met if (m_rejectSHA1SignedCertificates && IsSHA1SignatureAlgorithm(certificate.SignatureAlgorithm)) { sresult = new ServiceResult(StatusCodes.BadCertificatePolicyCheckFailed, null, null, "SHA1 signed certificates are not trusted.", null, sresult ); } int keySize = X509Utils.GetRSAPublicKeySize(certificate); if (keySize < m_minimumCertificateKeySize) { sresult = new ServiceResult(StatusCodes.BadCertificatePolicyCheckFailed, null, null, "Certificate doesn't meet minimum key length requirement.", null, sresult ); } if (issuedByCA && chainIncomplete) { var message = CertificateMessage("Certificate chain validation incomplete.", certificate); sresult = new ServiceResult(StatusCodes.BadCertificateChainIncomplete, null, null, message, null, sresult); } if (sresult != null) { throw new ServiceResultException(sresult); } }
/// <summary> /// Returns the certificate information for a trusted issuer certificate. /// </summary> private async Task <CertificateIdentifier> GetIssuer( X509Certificate2 certificate, CertificateIdentifierCollection explicitList, CertificateStoreIdentifier certificateStore, bool checkRecovationStatus) { // check if self-signed. if (X509Utils.CompareDistinguishedName(certificate.Subject, certificate.Issuer)) { return(null); } string subjectName = certificate.IssuerName.Name; string keyId = null; string serialNumber = null; // find the authority key identifier. X509AuthorityKeyIdentifierExtension authority = X509Extensions.FindExtension <X509AuthorityKeyIdentifierExtension>(certificate); if (authority != null) { keyId = authority.KeyIdentifier; serialNumber = authority.SerialNumber; } // check in explicit list. if (explicitList != null) { for (int ii = 0; ii < explicitList.Count; ii++) { X509Certificate2 issuer = await explicitList[ii].Find(false); if (issuer != null) { if (!X509Utils.IsIssuerAllowed(issuer)) { continue; } if (Match(issuer, subjectName, serialNumber, keyId)) { // can't check revocation. return(new CertificateIdentifier(issuer, CertificateValidationOptions.SuppressRevocationStatusUnknown)); } } } } // check in certificate store. if (certificateStore != null) { ICertificateStore store = certificateStore.OpenStore(); try { X509Certificate2Collection certificates = await store.Enumerate(); for (int ii = 0; ii < certificates.Count; ii++) { X509Certificate2 issuer = certificates[ii]; if (issuer != null) { if (!X509Utils.IsIssuerAllowed(issuer)) { continue; } if (Match(issuer, subjectName, serialNumber, keyId)) { CertificateValidationOptions options = certificateStore.ValidationOptions; // already checked revocation for file based stores. windows based stores always suppress. options |= CertificateValidationOptions.SuppressRevocationStatusUnknown; if (checkRecovationStatus) { StatusCode status = store.IsRevoked(issuer, certificate); if (StatusCode.IsBad(status) && status != StatusCodes.BadNotSupported) { if (status == StatusCodes.BadCertificateRevocationUnknown) { if (X509Utils.IsCertificateAuthority(certificate)) { status.Code = StatusCodes.BadCertificateIssuerRevocationUnknown; } if (m_rejectUnknownRevocationStatus) { throw new ServiceResultException(status); } } else { throw new ServiceResultException(status); } } } return(new CertificateIdentifier(certificates[ii], options)); } } } } finally { store.Close(); } } // not a trusted issuer. return(null); }
/// <summary> /// Loads the private key from a PFX/PEM file in the certificate store. /// </summary> public async Task <X509Certificate2> LoadPrivateKey(string thumbprint, string subjectName, string password) { if (NoPrivateKeys || m_certificateSubdir == null || !m_certificateSubdir.Exists) { return(null); } if (string.IsNullOrEmpty(thumbprint) && string.IsNullOrEmpty(subjectName)) { return(null); } // on some platforms, specifically in virtualized environments, // reloading a previously created and saved private key may fail on the first attempt. const int retryDelay = 100; int retryCounter = 3; while (retryCounter-- > 0) { bool certificateFound = false; Exception importException = null; foreach (FileInfo file in m_certificateSubdir.GetFiles("*.der")) { try { X509Certificate2 certificate = new X509Certificate2(file.FullName); if (!String.IsNullOrEmpty(thumbprint)) { if (!string.Equals(certificate.Thumbprint, thumbprint, StringComparison.OrdinalIgnoreCase)) { continue; } } if (!String.IsNullOrEmpty(subjectName)) { if (!X509Utils.CompareDistinguishedName(subjectName, certificate.Subject)) { if (subjectName.Contains('=')) { continue; } if (!X509Utils.ParseDistinguishedName(certificate.Subject).Any(s => s.Equals("CN=" + subjectName, StringComparison.Ordinal))) { continue; } } } // skip if not RSA certificate if (X509Utils.GetRSAPublicKeySize(certificate) < 0) { continue; } string fileRoot = file.Name.Substring(0, file.Name.Length - file.Extension.Length); StringBuilder filePath = new StringBuilder() .Append(m_privateKeySubdir.FullName) .Append(Path.DirectorySeparatorChar) .Append(fileRoot); X509KeyStorageFlags[] storageFlags = { X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.UserKeySet }; FileInfo privateKeyFilePfx = new FileInfo(filePath + ".pfx"); FileInfo privateKeyFilePem = new FileInfo(filePath + ".pem"); password = password ?? String.Empty; if (privateKeyFilePfx.Exists) { certificateFound = true; foreach (var flag in storageFlags) { try { certificate = new X509Certificate2( privateKeyFilePfx.FullName, password, flag); if (X509Utils.VerifyRSAKeyPair(certificate, certificate, true)) { Utils.LogInfo(Utils.TraceMasks.Security, "Imported the PFX private key for [{0}].", certificate.Thumbprint); return(certificate); } } catch (Exception ex) { importException = ex; certificate?.Dispose(); } } } // if PFX file doesn't exist, check for PEM file. else if (privateKeyFilePem.Exists) { certificateFound = true; try { byte[] pemDataBlob = File.ReadAllBytes(privateKeyFilePem.FullName); certificate = CertificateFactory.CreateCertificateWithPEMPrivateKey(certificate, pemDataBlob, password); if (X509Utils.VerifyRSAKeyPair(certificate, certificate, true)) { Utils.LogInfo(Utils.TraceMasks.Security, "Imported the PEM private key for [{0}].", certificate.Thumbprint); return(certificate); } } catch (Exception exception) { certificate?.Dispose(); importException = exception; } } else { Utils.LogError(Utils.TraceMasks.Security, "A private key for the certificate with thumbprint [{0}] does not exist.", certificate.Thumbprint); continue; } } catch (Exception e) { Utils.LogError(e, "Could not load private key for certificate {0}", subjectName); } } // found a certificate, but some error occurred if (certificateFound) { Utils.LogError(Utils.TraceMasks.Security, "The private key for the certificate with subject {0} failed to import.", subjectName); if (importException != null) { Utils.LogError(importException, "Certificate import failed."); } } else { if (!String.IsNullOrEmpty(thumbprint)) { Utils.LogError(Utils.TraceMasks.Security, "A Private key for the certificate with thumbpint {0} was not found.", thumbprint); } // if no private key was found, no need to retry break; } // retry within a few ms if (retryCounter > 0) { Utils.LogInfo(Utils.TraceMasks.Security, "Retry to import private key after {0} ms.", retryDelay); await Task.Delay(retryDelay).ConfigureAwait(false); } } return(null); }