PRB: X509Certificate Supports Only DER-Encoded Certificates

Article translations Article translations
Article ID: 318217 - View products that this article applies to.
This article was previously published under Q318217
This article refers to the following Microsoft .NET Framework Class Library namespaces:
  • System.IO
  • System.Security.Cryptography.X509Certificates
  • System.Text
Expand all | Collapse all


When you use the System.Security.Cryptography.X509Certificates.X509Certificate class, you may receive the following error message:
Input data cannot be coded as a valid certificate.
This problem occurs if one of the following conditions is true:
  • You use the X509Certificate constructor and pass an array of bytes that are read from a Base64-encoded X.509 (.cer) file to the X509Certificate constructor. -or-

  • You use the X509Certificate.CreateFromCertFile method and pass in the path to a Base64-encoded X.509 (.cer) file.


This problem occurs because the X509Certificate class only supports binary X.509 (.cer) certificates that are encoded in Distinguished Encoding Rules (DER).


If the certificate is Base64-encoded, follow these steps to resolve this problem:
  1. Remove the following strings from the certificate data:
    -----END CERTIFICATE-----
  2. Decode the Base64 certificate data. For example, the following Visual C# sample code decodes Base64 certificate data:
    using System;
    using System.IO;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    namespace ReadBase64Cert
        public class ReadBase64Cert
            public ReadBase64Cert()
            public static void Main(string[] args)
                if (args.Length < 1)
                    Console.WriteLine("Usage: Base64EncodedFile (.cer)\n");
                // args[0] - Base64Encoded .cer file
                // Open the certificate, and read it into a byte array.
                FileStream certFile = new FileStream(args[0],
                int size = (int)certFile.Length;
                byte[] certBytes = new byte[size];
                size = certFile.Read(certBytes, 0, size);
                // Remove the unnecessary characters.
                String certString = Encoding.ASCII.GetString(certBytes);
                StringBuilder sb = new StringBuilder(certString);
                sb.Replace("-----BEGIN CERTIFICATE-----", "");
                sb.Replace("-----END CERTIFICATE-----", "");
                // Decode the bytes from base64 to raw bytes.
                certBytes = Convert.FromBase64String(sb.ToString());
                X509Certificate cert = new X509Certificate(certBytes);


This behavior is by design.


Article ID: 318217 - Last Review: October 20, 2003 - Revision: 4.0
  • Microsoft .NET Framework Class Libraries 1.0
  • Microsoft .NET Framework Class Libraries 1.1
kbcrypt kbkernbase kbprb kbsecurity KB318217
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

Give Feedback


Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from