Tags: iis, rsa, x509certificate2

Clean my MachineKeys folder by removing multiple RSA files without touching IIS ones


I'm currently running IIS on my server, using an app that instantiates certificates.

By running this code, for instance:

X509Certificate2 myX509Certificate = new X509Certificate2(
    Convert.FromBase64String(byteArrayRawCertificate),
    passwordCertificate,
    X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

The code works fine. But I encounter a problem on my computer, in the following folder:

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

3KB RSA files keep being added to that folder. For now, I have more than a million files like these:

I would like to delete those files, but:

Thanks in advance for your help.


Solution

  • There is some work for you. At first, you *MUST NOT* instantiate an X509Certificate2 object from the PFX file each time you need to access it. It is a very BAD idea. This causes a new key file to be generated in the MachineKeys folder. Instead, you have to install the certificate to the local certificate store once and then reference the installed certificate.

    Use the X509Store.Add() method to install the certificate to the local store:

    X509Certificate2 myX509Certificate = new X509Certificate2(
        Convert.FromBase64String(byteArrayRawCertificate),
        passwordCertificate,
        X509KeyStorageFlags.MachineKeySet);
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadWrite);
    store.Add(myX509Certificate);
    store.Close();
    

    Next time you need to access your certificate and private key, use the same X509Store class as follows:

    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2 myCert = store.Certificates.Find(blablabla);
    store.Close();
    

    Instead of "blablabla", specify a search filter: X509Certificate2Collection.Find(). You can use various filter options to locate your certificate. The most commonly used is by thumbprint.

    Regarding the large folder: if you are sure that there are no other certificates in the LocalMachine\My store, you can simply purge all contents and then install your certificate by using the code above.
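A fuller version of the install-once / look-up-by-thumbprint pattern the answer describes, as an added example that is not part of the original question or answer. It assumes a PFX at a hypothetical path and password, and a .NET version where X509Store implements IDisposable (.NET Framework 4.6+ or .NET Core); on older frameworks replace the using blocks with store.Close() in a finally.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example: instantiate the PFX exactly once (one key container in
// MachineKeys), then resolve it by thumbprint on every later request.
public static class CertStoreHelper
{
    // Installs the certificate into LocalMachine\My only if it is not already
    // there. Returns the thumbprint so the caller can keep it in configuration.
    public static string InstallOnce(string pfxPath, string pfxPassword)
    {
        // MachineKeySet + PersistKeySet: the key container survives process exit
        // and is reachable by the IIS application pool identity (given ACLs).
        var cert = new X509Certificate2(
            File.ReadAllBytes(pfxPath), pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            var existing = store.Certificates.Find(
                X509FindType.FindByThumbprint, cert.Thumbprint, validOnly: false);
            if (existing.Count == 0)
                store.Add(cert);   // second run is a no-op: no new key file
        }
        return cert.Thumbprint;
    }

    // Per-request lookup. Opening the store and calling Find() does not create
    // a key container, so MachineKeys stops growing.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        // Thumbprints pasted from certmgr often carry spaces; normalise first.
        var tp = thumbprint.Replace(" ", "").ToUpperInvariant();
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly:false so an expired or untrusted-chain cert is still found.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, tp, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + tp);
            return matches[0];
        }
    }
}
```

Call InstallOnce from a deployment step or application start, store the returned thumbprint in configuration, and use only FindByThumbprint from request-handling code.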