Because I hit this error today for the second time (the first time was some weeks ago), I thought I should write it down so I don't forget it again:
If you get the error messages "Bad Key" or "Invalid handle" together with any kind of System.Security.Cryptography.CryptographicException, you should first check the read/write permissions on the certificate's private-key file, and second check whether the certificate contains all the values required for what you intend to do (because you can't do everything with every certificate).
My problem: I tried to use an X.509 certificate to sign a SAML token. Unfortunately there were errors in several places, which a catch block (combined with a logger that was not working) hid, so I needed a lot of time to find the cause.
Both errors appeared while serializing the token.
Two problems and their solutions:
Problem 1 - "Invalid handle": This error appeared when the script could not access the private-key file of the certificate. The user "NETWORK SERVICE" needs at least read permission on this file.
How can I find the private-key file? There's a nice tool collection from Microsoft called WSE ("Web Services Enhancements"). The current version is, I believe, 3.0, even though most of the results show 2.0 if you search for it with Google.
This collection contains a tool named "WSE X.509 Certificate Tool", in which you simply select the right values in the two drop-down lists and open a filtered list of all found certificates by clicking the button. As soon as you open a certificate, you can see all its information. This is the view of one of my test certificates, which I created myself.
At the bottom of the window there is a button labeled "View Private Key File Properties". Clicking it opens the normal Windows file properties dialog for the private-key file. On the "Security" tab you can now set the permissions on that file (in our case for "NETWORK SERVICE"). As soon as the script is able to read the file, the "Invalid handle" message disappears.
Problem 2 - "Bad key": Whoever can read has an advantage (a German saying):
As soon as the single input field (Image 1) is replaced with three separate input fields (Image 2), the description text on the right changes. It says: "If the extension is not present, three values will be shown [...]". If I had read that the first time I tried it, I would have saved a lot of time, because the certificate I bought simply didn't have the so-called "Subject Key Identifier", which is required for signing the token. As soon as the certificate contains the SKI, you won't get the error message anymore.
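Both checks from Problem 1 and Problem 2 can be done from the command line instead of clicking through the WSE tool. The following PowerShell script is an added example, not part of the original post and not a WSE tool: for one certificate in the LocalMachine\My store it locates the private-key file (legacy CSP keys under Crypto\RSA, CNG keys under Crypto\Keys), prints the ACL entry for NETWORK SERVICE, and reports whether the Subject Key Identifier extension (OID 2.5.29.14) is present. The thumbprint is a placeholder you must replace, the account name is an assumption, and Windows PowerShell 5.1 on .NET Framework is assumed.

```powershell
# Added example (not from the original post): check private-key file access
# and the Subject Key Identifier for one certificate in Cert:\LocalMachine\My.
param(
    [string]$Thumbprint = 'REPLACE-WITH-YOUR-THUMBPRINT',   # placeholder, not a real value
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'    # assumed service account
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
"Subject : $($cert.Subject)"

# ---- Problem 1: which file holds the private key, and can the account read it?
if (-not $cert.HasPrivateKey) {
    Write-Warning 'The certificate has no private key at all; signing is impossible.'
} else {
    $keyFile = $null

    # Legacy CSP (CAPI) key: the container name is the file name under Crypto\RSA.
    # Accessing .PrivateKey on a CNG-only certificate throws, hence the try/catch.
    try { $legacy = $cert.PrivateKey } catch { $legacy = $null }
    if ($legacy -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $legacy.CspKeyContainerInfo
        $dir  = if ($info.MachineKeyStore) {
                    Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
                } else {
                    Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'   # user keys sit in a per-SID subfolder
                }
        $keyFile = Get-ChildItem -Path $dir -Recurse -Filter $info.UniqueKeyContainerName `
                                 -ErrorAction SilentlyContinue |
                   Select-Object -First 1 -ExpandProperty FullName
    } else {
        # CNG key: the unique name is the file name under Crypto\Keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $dirs = @((Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
                      (Join-Path $env:APPDATA     'Microsoft\Crypto\Keys'))
            $keyFile = Get-ChildItem -Path $dirs -Recurse -Filter $rsa.Key.UniqueName `
                                     -ErrorAction SilentlyContinue |
                       Select-Object -First 1 -ExpandProperty FullName
        }
    }

    if (-not $keyFile) {
        Write-Warning 'Could not map the key to a file (smart card, HSM or unknown provider?).'
    } else {
        "Key file: $keyFile"
        $acl   = Get-Acl -Path $keyFile
        $entry = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account }
        if ($entry) {
            "ACL     : $Account has $($entry.FileSystemRights -join ', ') ($($entry.AccessControlType -join ', '))"
        } else {
            Write-Warning "$Account has no entry on the key file; this is the 'Invalid handle' case."
            "Fix     : grant read access, e.g.  icacls `"$keyFile`" /grant `"${Account}:R`""
        }
    }
}

# ---- Problem 2: is the Subject Key Identifier extension present? ----------
$ski = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
if ($ski) {
    "SKI     : $($ski.Format($false))"
} else {
    Write-Warning "No Subject Key Identifier extension; the post attributes 'Bad key' to exactly this."
}
```

Run it in an elevated Windows PowerShell session, because reading the ACL of files under MachineKeys normally requires administrator rights. The ACL check looks only for an explicit entry for the given account; if the account gets its access through a group, the script reports no entry even though the key is readable, so treat the warning as a hint to look at the Security tab rather than as proof.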
You can find the WSE tools on the Microsoft download page.
One last hint: if you want to test your software against certificates, you can create your own certificates containing all combinations of rights. There's a nice tool from EldoS called "Crypto4™ PKI". It's commercial, but the 30-day trial version can also create nice certificates (for a limited time) ;-).