Issue with new X509CertificateLoader

[shaneocms]

Description

Hi there,

Our production environment runs two IIS servers behind a load balancer. To allow cookies to be decrypted by both servers, we do the following in our Program.cs in current .NET 8 projects to load a .pfx certificate file from disk.

static void SetupDataProtection(WebApplicationBuilder builder)
{
    string filename = builder.Configuration["AppSettings:DataProtection:CertificateFilename"]!;
    string password = builder.Configuration["AppSettings:DataProtection:CertificatePassword"]!;
    string path = Path.Combine(Path.GetDirectoryName(AppDomain.CurrentDomain.BaseDirectory)!, "Certificates", filename);

    X509Certificate2 certificate;

    if (builder.Environment.IsProduction())
    {
        certificate = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
    }
    else
    {
        certificate = new X509Certificate2(path, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    builder.Services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(Path.GetDirectoryName(AppDomain.CurrentDomain.BaseDirectory)!, "KeyRing")))
        .ProtectKeysWithCertificate(certificate);
}

This has worked fine until now, but when trying out the .NET 9 preview, we got the warning about the X509Certificate2 constructor being obsolete during compilation.

So I've adjusted as follows, replacing the new X509Certificate2() with X509CertificateLoader.LoadPkcs12FromFile and keeping the same storage flags.

static void SetupDataProtection(WebApplicationBuilder builder)
{
    string filename = builder.Configuration["AppSettings:DataProtection:CertificateFilename"]!;
    string password = builder.Configuration["AppSettings:DataProtection:CertificatePassword"]!;
    string path = Path.Combine(Path.GetDirectoryName(AppDomain.CurrentDomain.BaseDirectory), "Certificates", filename);

    X509Certificate2 certificate;

    if (builder.Environment.IsProduction())
    {
        certificate = X509CertificateLoader.LoadPkcs12FromFile(path, password,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
    }
    else
    {
        certificate = X509CertificateLoader.LoadPkcs12FromFile(path, password, X509KeyStorageFlags.EphemeralKeySet);
    }

    builder.Services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(Path.GetDirectoryName(AppDomain.CurrentDomain.BaseDirectory)!, "KeyRing")))
        .ProtectKeysWithCertificate(certificate);
}

The application runs fine locally on my machine, but in production behind the load balancer, it's not working correctly. When you log into the application, if your request goes to server 1, then any further requests that go to server 1 work fine, but any requests sent to server 2 fail. This issue is the behaviour I would expect by default if doing nothing of the above.

Changing back to the obsolete constructor (even while the project is still using .NET 9) resolves the issue.

Is there something I'm doing wrong with the new one or is it a bug in the new one, such as with how it's handling the flags?

Reproduction Steps

Code sample provided above.

Expected behavior

Requests to both servers behind the load balancer should continue to work as it did before.

Actual behavior

Cookies cannot be decrypted if created by the other server.

Regression?

Still works fine with the obsolete constructor even with the project using .NET 9.

Known Workarounds

No response

Configuration

No response

Other information

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[bartonjs]

What version of .NET 9 are you using? There was a problem where the loader meant to load the private keys into the newest Windows cryptographic engine, but accidentally caused them to load into the oldest. That got fixed for RC2.

A workaround in the meantime would be to specify a loader limits like

Pkcs12LoaderLimits limits = new Pkcs12LoaderLimits
{
  PreserveStorageProvider = true,
};

...

certificate = X509CertificateLoader.LoadPkcs12FromFile(
    path,
    password,
    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable,
    limits);

If that fixes your problem then you shouldn't see it anymore in RC2 or the full release version. You (probably) won't want to do it long-term, though, since the main reason the storage provider isn't preserved is so that legacy CAPI keys will instead get upgraded to CNG keys.

[shaneocms]

Sorry, I should've been clearer and specified that I am actually using RC2.

Since my previous post, I discovered that it seems even the old code stopped working in .NET 9 RC2. I had refreshed 6-8 or so times when I tested before making the post and thought it was working (usually, every even request would work and odd request would not), but I guess I got lucky and all my tests went to the same server. I ended up having to put the project back on .NET 8 to get it working correctly.

I will try your suggestion and let you know how it goes. If it isn't working, I'll put together a little project to help reproduce the issue.

[shaneocms]

LoadBalancerDemo - .NET 9.zip
LoadBalancerDemo - .NET 8.zip

Here's a bit more info. I have created a sample project (attached). The difference between the .NET 9 and .NET 8 attachments are:

1. The .NET version in the csproj file, one using net8.0 and one using net9.0
2. In StartupExtensions.cs, .NET 9 uses X509CertificateLoader.LoadPkcs12FromFile, while the .NET 8 project uses new X509Certificate2().

Version of .NET 9 I have installed based on MSBuild file path seems to be: 9.0.100-rc.2.24474.11

The project uses minimal APIs and contains two endpoints:

• /antiforgery - you would call this endpoint first which returns an XSRF-TOKEN cookie
• /weatherForecast - the default new project endpoint but I added an if statement first so it requires antiforgery token passed in X-XSRF-TOKEN header (use the value from the cookie returned from the above endpoint)

The project is using Serilog.AspNetCore nuget package to help with logging.

The two endpoints:

app.MapGet("/weatherforecast", async (HttpContext httpContext, [FromServices] IAntiforgery antiforgery) =>
{
    // Validate anti-forgery token
    try
    {
        await antiforgery.ValidateRequestAsync(httpContext);
    }
    catch (AntiforgeryValidationException)
    {
        return Results.Forbid();
    }

    WeatherForecast[] forecast = Enumerable.Range(1, 5).Select(index =>
            new WeatherForecast
            (
                DateOnly.FromDateTime(DateTime.Now.AddDays(index)),
                Random.Shared.Next(-20, 55),
                summaries[Random.Shared.Next(summaries.Length)]
            ))
        .ToArray();

    return TypedResults.Ok(forecast);
});

app.MapGet("/antiforgery", (HttpContext httpContext, [FromServices] IAntiforgery antiforgery) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(httpContext);

    httpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!,
        new CookieOptions { HttpOnly = false });

    return Results.NoContent();
});

.NET 9-rc2

First request, sending request to the /weatherForecast endpoint without the antiforgery token. So the expectation here is to get a 403 Forbidden response.
A file key-65e39225-1ee7-4397-b210-caa1fd4537f5.xml gets created in the KeyRing folder as per below logs.

[16:54:16 INF ] Creating key {65e39225-1ee7-4397-b210-caa1fd4537f5} with creation date 2024-10-19 05:54:16Z, activation date 2024-10-19 05:54:16Z, and expiration date 2025-01-17 05:54:16Z.
[16:54:16 INF ] Writing data to file '\\mydomain-dc01\IISSites\LoadBalancerDemo\KeyRing\key-65e39225-1ee7-4397-b210-caa1fd4537f5.xml'.
[16:54:16 INF ] Application started. Press Ctrl+C to shut down.
[16:54:16 INF ] Hosting environment: Production
[16:54:16 INF ] Content root path: \\mydomain-dc01\IISSites\LoadBalancerDemo
[16:54:17 INF 800026a9-0001-a700-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[16:54:17 INF 800026a9-0001-a700-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[16:54:17 INF 800026a9-0001-a700-b63f-84710c7967bb] Executing ChallengeResult with authentication schemes ([]).
[16:54:17 INF 800026a9-0001-a700-b63f-84710c7967bb] AuthenticationScheme: Cookies was forbidden.
[16:54:17 INF 800026a9-0001-a700-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[16:54:17 INF 800026a9-0001-a700-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 403 null null 830.2373ms

Second request, sending request to the /antiforgery token endpoint. Get below error (looks like same error repeated multiple times)

[16:56:11 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:11 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:12 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:12 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:12 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:12 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:12 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:13 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:13 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:13 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:13 ERR ] An exception occurred while processing the key element '<key id="65e39225-1ee7-4397-b210-caa1fd4537f5" version="1" />'.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
[16:56:13 WRN ] Key {65e39225-1ee7-4397-b210-caa1fd4537f5} is ineligible to be the default key because its CreateEncryptor method failed after the maximum number of retries.
System.AggregateException: One or more errors occurred. (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.) (The system cannot find the file specified.)
 ---> System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)
   --- End of inner exception stack trace ---
 ---> (Inner Exception #1) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #2) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #3) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #4) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #5) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #6) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #7) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #8) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #9) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

 ---> (Inner Exception #10) System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at System.Security.Cryptography.CngKey.Open(String keyName, CngProvider provider, CngKeyOpenOptions openOptions)
   at System.Security.Cryptography.X509Certificates.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at System.Security.Cryptography.X509Certificates.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)<---

[16:56:13 WRN ] Key {65e39225-1ee7-4397-b210-caa1fd4537f5} is ineligible to be the default key because its CreateEncryptor method failed after the maximum number of retries.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key, Int32& retriesRemaining)
[16:56:13 INF ] Creating key {08fc478b-9939-443a-8658-fe782a263e52} with creation date 2024-10-19 05:56:10Z, activation date 2024-10-19 05:56:10Z, and expiration date 2025-01-17 05:56:10Z.
[16:56:13 INF ] Writing data to file '\\mydomain-dc01\IISSites\LoadBalancerDemo\KeyRing\key-08fc478b-9939-443a-8658-fe782a263e52.xml'.
[16:56:13 INF ] Application started. Press Ctrl+C to shut down.
[16:56:13 INF ] Hosting environment: Production
[16:56:13 INF ] Content root path: \\mydomain-dc01\IISSites\LoadBalancerDemo
[16:56:14 INF 80000f80-0002-1e00-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/antiforgery - null null
[16:56:14 INF 80000f80-0002-1e00-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /antiforgery'
[16:56:14 INF 80000f80-0002-1e00-b63f-84710c7967bb] Setting HTTP status code 204.
[16:56:14 INF 80000f80-0002-1e00-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /antiforgery'
[16:56:14 INF 80000f80-0002-1e00-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/antiforgery - 204 null null 359.2549ms

As per above logs, a key-08fc478b-9939-443a-8658-fe782a263e52.xml file gets created in the KeyRing folder now. So there are now 2 files in the KeyRing folder.

(Of interest: you'll see later that the .NET 8 project does not create an additional file here like it did in .NET 9, and also did not get the cannot find file error)

Despite this error, the server response was 204 No Content which is correct and contains below cookie in response headers

.AspNetCore.Antiforgery.ltTTNb29wlo=CfDJ8ItH_Ag5mTpEhlj-eComPlI90FgXYecRlRBJIE3sE3CNQf96Vvi8afHlEBr-d-Ee7eSQrH5MZhnr7B0eM0d5HPUXotyvIgCJM6va6zNNNQWAijuFlVwgSnOClsizoC40p0cLDefbTgCs04uLJWakP0M; path=/; samesite=strict; httponly
XSRF-TOKEN=CfDJ8ItH_Ag5mTpEhlj-eComPlL5wSwwwJvulBdCNMmp5wM4-gfOD_dDCBhd2oDc5YkjIENAp1w-aK1rp6HGWDwYi2xkCr7xhefFMt20GpCJZKZePWApU8k59RqUJlgSi9ceswbFqakBho6vFq0wRLJEyfs; path=/

Now send request to /weatherForecast endpoint this time with X-XSRF-TOKEN header with the value taken from above CfDJ8ItH_Ag5mTpEhlj-eComPlL5wSwwwJvulBdCNMmp5wM4-gfOD_dDCBhd2oDc5YkjIENAp1w-aK1rp6HGWDwYi2xkCr7xhefFMt20GpCJZKZePWApU8k59RqUJlgSi9ceswbFqakBho6vFq0wRLJEyfs

Server returns the expected response of 200 OK and contains the array of random weather stuff.

[
  {
    "date": "2024-10-20",
    "temperatureC": 48,
    "summary": "Warm",
    "temperatureF": 118
  },
  {
    "date": "2024-10-21",
    "temperatureC": 19,
    "summary": "Sweltering",
    "temperatureF": 66
  },
  {
    "date": "2024-10-22",
    "temperatureC": 38,
    "summary": "Freezing",
    "temperatureF": 100
  },
  {
    "date": "2024-10-23",
    "temperatureC": 15,
    "summary": "Warm",
    "temperatureF": 58
  },
  {
    "date": "2024-10-24",
    "temperatureC": 52,
    "summary": "Sweltering",
    "temperatureF": 125
  }
]

Server logs:

[17:00:44 INF 8000fd48-0003-d700-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:00:44 INF 8000fd48-0003-d700-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:00:44 INF 8000fd48-0003-d700-b63f-84710c7967bb] Setting HTTP status code 200.
[17:00:44 INF 8000fd48-0003-d700-b63f-84710c7967bb] Writing value of type 'WeatherForecast[]' as Json.
[17:00:44 INF 8000fd48-0003-d700-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:00:44 INF 8000fd48-0003-d700-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 200 null application/json; charset=utf-8 230.6227ms

Send same request again, this time get 403 Forbidden response. Below are server logs.

[17:02:44 INF 80194991-0000-e100-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:02:44 INF 80194991-0000-e100-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:02:44 INF 80194991-0000-e100-b63f-84710c7967bb] Executing ChallengeResult with authentication schemes ([]).
[17:02:44 INF 80194991-0000-e100-b63f-84710c7967bb] AuthenticationScheme: Cookies was forbidden.
[17:02:44 INF 80194991-0000-e100-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:02:44 INF 80194991-0000-e100-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 403 null null 20.5395ms

Send same request a 3rd time, this time get 200 OK with some weather data again.

[17:03:47 INF 80002089-0800-fc00-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:03:47 INF 80002089-0800-fc00-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:03:47 INF 80002089-0800-fc00-b63f-84710c7967bb] Setting HTTP status code 200.
[17:03:47 INF 80002089-0800-fc00-b63f-84710c7967bb] Writing value of type 'WeatherForecast[]' as Json.
[17:03:47 INF 80002089-0800-fc00-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:03:47 INF 80002089-0800-fc00-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 200 null application/json; charset=utf-8 14.3733ms

So the exception occurs on the /antiforgery endpoint. The errror says The system cannot find the file specified. for key 65e39225-1ee7-4397-b210-caa1fd4537f5 but there is definitely an xml file in the KeyRing folder with this name, so I assume it's trying to look for this somewhere else? Also again note that it created 2 separate files.

Pkcs12LoaderLimits workaround

I tried the same again with .NET 9 and the suggested Pkcs12LoaderLimits workaround, but the behaviour is still exactly as above.

.NET 8

Now, here's the logs for the same but with the application running as .NET 8.

Just to make sure there was nothing crossing over between requests (like cookies being persisted), the requests I sent for .NET 9 above were using Postman, while the requests below for .NET 8 are sent using Bruno (an alternative application similar to Postman).

First request, /weatherForecast without xsrf token. Response is 403 Forbidden as expected.
File key-412a1d58-dd08-4d9c-a09d-7ab39dcdbc86.xml gets created in KeyRing folder.

[17:17:01 INF ] Creating key {412a1d58-dd08-4d9c-a09d-7ab39dcdbc86} with creation date 2024-10-19 06:17:01Z, activation date 2024-10-19 06:17:01Z, and expiration date 2025-01-17 06:17:01Z.
[17:17:01 INF ] Writing data to file '\\mydomain-dc01\IISSites\LoadBalancerDemo\KeyRing\key-412a1d58-dd08-4d9c-a09d-7ab39dcdbc86.xml'.
[17:17:02 INF ] Application started. Press Ctrl+C to shut down.
[17:17:02 INF ] Hosting environment: Production
[17:17:02 INF ] Content root path: \\mydomain-dc01\IISSites\LoadBalancerDemo
[17:17:02 INF 8000e385-0003-fb00-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:17:03 INF 8000e385-0003-fb00-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:17:03 INF 8000e385-0003-fb00-b63f-84710c7967bb] Executing ChallengeResult with authentication schemes ([]).
[17:17:03 INF 8000e385-0003-fb00-b63f-84710c7967bb] AuthenticationScheme: Cookies was forbidden.
[17:17:03 INF 8000e385-0003-fb00-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:17:03 INF 8000e385-0003-fb00-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 403 null null 1010.0297ms

Next request to /antiforgery, got 204 No Content with cookies in response as expected.

.AspNetCore.Antiforgery.ltTTNb29wlo=CfDJ8FgdKkEI3ZxNoJ16s53NvIY04ImWYP7uLfTViikz8q52hTrq2IaVUwLSii9tT_nZ2aMmHKFZcRVuSQttggPBBHnCl04yUt8pfBLaeAglIaNaD3A26HS3sTMI_9UT5sxbvE6SkSKf0nzJRSGKEML7DxQ; path=/; samesite=strict; httponly
XSRF-TOKEN=CfDJ8FgdKkEI3ZxNoJ16s53NvIaaQKCExBY2ei-8NqdebEYy_nGKlVJTtirKRIXNhTRc6wh-rmBLn_8eH7LS6ES6CpNszQppD4jRLxDrUYak1pGlF0aHnFHJ3M9fJBp0fVazHvvFjVKVeLiXSylRS52B2jQ; path=/

Logs - note no "cannot find the file specified" error appears. Also of note, no extra .xml key file was created.

[17:18:16 INF 800199b1-0003-f300-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/antiforgery - null null
[17:18:16 INF 800199b1-0003-f300-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /antiforgery'
[17:18:16 ERR 800199b1-0003-f300-b63f-84710c7967bb] An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
 ---> System.Security.Cryptography.CryptographicException: The key {08fc478b-9939-443a-8658-fe782a263e52} was not found in the key ring. For more information go to https://aka.ms/aspnet/dataprotectionwarning
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)
[17:18:16 INF 800199b1-0003-f300-b63f-84710c7967bb] Setting HTTP status code 204.
[17:18:16 INF 800199b1-0003-f300-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /antiforgery'
[17:18:16 INF 800199b1-0003-f300-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/antiforgery - 204 null null 178.3109ms

Now send request to /weatherForecast with X-XSRF-TOKEN header with value CfDJ8FgdKkEI3ZxNoJ16s53NvIaaQKCExBY2ei-8NqdebEYy_nGKlVJTtirKRIXNhTRc6wh-rmBLn_8eH7LS6ES6CpNszQppD4jRLxDrUYak1pGlF0aHnFHJ3M9fJBp0fVazHvvFjVKVeLiXSylRS52B2jQ which was taken from above.
Works fine and got the weather data response. Server logs below:

[17:20:35 INF 80001ec0-0001-ad00-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:20:35 INF 80001ec0-0001-ad00-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:20:35 INF 80001ec0-0001-ad00-b63f-84710c7967bb] Setting HTTP status code 200.
[17:20:35 INF 80001ec0-0001-ad00-b63f-84710c7967bb] Writing value of type 'WeatherForecast[]' as Json.
[17:20:36 INF 80001ec0-0001-ad00-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:20:36 INF 80001ec0-0001-ad00-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 200 null application/json; charset=utf-8 720.7928ms

Sent the request an additional 4 more times, works fine - all of them returned 200 OK with the expected weather random data.

[17:23:07 INF 80000ca6-0002-4b00-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:23:07 INF 80000ca6-0002-4b00-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:23:07 INF 80000ca6-0002-4b00-b63f-84710c7967bb] Setting HTTP status code 200.
[17:23:07 INF 80000ca6-0002-4b00-b63f-84710c7967bb] Writing value of type 'WeatherForecast[]' as Json.
[17:23:07 INF 80000ca6-0002-4b00-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:23:07 INF 80000ca6-0002-4b00-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 200 null application/json; charset=utf-8 200.6874ms
[17:23:37 INF 80000ca7-0002-4b00-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:23:37 INF 80000ca7-0002-4b00-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:23:37 INF 80000ca7-0002-4b00-b63f-84710c7967bb] Setting HTTP status code 200.
[17:23:37 INF 80000ca7-0002-4b00-b63f-84710c7967bb] Writing value of type 'WeatherForecast[]' as Json.
[17:23:37 INF 80000ca7-0002-4b00-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:23:37 INF 80000ca7-0002-4b00-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 200 null application/json; charset=utf-8 40.7767ms
[17:23:45 INF 80001f6f-0000-f700-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:23:45 INF 80001f6f-0000-f700-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:23:45 INF 80001f6f-0000-f700-b63f-84710c7967bb] Setting HTTP status code 200.
[17:23:45 INF 80001f6f-0000-f700-b63f-84710c7967bb] Writing value of type 'WeatherForecast[]' as Json.
[17:23:45 INF 80001f6f-0000-f700-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:23:45 INF 80001f6f-0000-f700-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 200 null application/json; charset=utf-8 66.2825ms
[17:23:50 INF 80002662-0002-6d00-b63f-84710c7967bb] Request starting HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - null null
[17:23:50 INF 80002662-0002-6d00-b63f-84710c7967bb] Executing endpoint 'HTTP: GET /weatherforecast'
[17:23:50 INF 80002662-0002-6d00-b63f-84710c7967bb] Setting HTTP status code 200.
[17:23:50 INF 80002662-0002-6d00-b63f-84710c7967bb] Writing value of type 'WeatherForecast[]' as Json.
[17:23:50 INF 80002662-0002-6d00-b63f-84710c7967bb] Executed endpoint 'HTTP: GET /weatherforecast'
[17:23:50 INF 80002662-0002-6d00-b63f-84710c7967bb] Request finished HTTP/1.1 GET http://loadbalancerdemo.mydomain.com/weatherForecast - 200 null application/json; charset=utf-8 10.2181ms

Hope this helps.

Let me know if there's anything else I should try.

[bartonjs]

I can't reproduce your problem either with the IsProduction load style or EphemeralKeySet, with either RC1 or RC2.

By the by, I can't help but encourage you to make the following changes:

public static WebApplicationBuilder ConfigureDataProtection(
-    this WebApplicationBuilder builder)
+    this WebApplicationBuilder builder,
+    out X509Certificate2 certificate)
...
-X509Certificate2 certificate;
...
            certificate = X509CertificateLoader.LoadPkcs12FromFile(path, password,
-                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet |X509KeyStorageFlags.Exportable);
+                X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);

-builder.ConfigureDataProtection();
+builder.ConfigureDataProtection(out cert);

...

-app.Run();
+using (certificate)
+{
+    app.Run();
+}

Otherwise every time you run under IsProduction you gain an extra persisted copy of your key. PersistKeySet should (ideally) only ever be used for a one-time-ever read of a given PFX, when saving the certificate(s) into a persisted X509Store. If you're running in a throwaway container/VM, then I guess it's indistinguishably fine.

[shaneocms]

Appreciate the feedback on the code improvement. Your suggestion prompted me to do a bit of research on how the certificate flags work as admittedly I'm not a security or cryptography expert. I decided to change it to use X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet at all times instead, rather than being dependent on development/production.

It's now working fine in production with the load balancer on .NET 9 RC2. I did try with only X509KeyStorageFlags.EphemeralKeySet first in production, however I was getting an exception "Bad data" until I added back X509KeyStorageFlags.MachineKeySet as well.

I'm not sure why the behaviour is different in .NET 8 vs 9, but if this way is better and it works, then I'm happy with it.

Just a question if I may, should we still dispose of the certificate as per your example if using EphemeralKeySet? My understanding is disposing it removes that file which gets created on disk that you mentioned, but if EphemeralKeySet only stores it in memory, is there anything else that dispose is doing in this case? In the .NET source code, I could see it calls Reset() which sets a bunch of stuff to null and then calls ICertificatePalCore.Dispose() but I couldn't figure out what this is one doing. Just want to get a better understanding.

[bartonjs]

If the process is about to terminate, it's not really important to dispose a cert that has no private key, or has a private key loaded with EphemeralKeySet.

In general, it's still good to dispose of it when you can, since it holds open OS resources. It'll get cleaned up via the garbage collector (then enqueued for finalization, and then eventually cleaned up in the finalizer)... but it's always goodness to close them out when you know you can.