Strong-naming with .pfx files

Hi everyone,

I've just installed and configured TeamCity and it seems great, yet I'm unable to build my project. It fails with the following MSBuild error:

error MSB3321: Importing key file ".pfx" was canceled

The .pfx file is a strong-name key pair that requires a password. It was generated in the Visual Studio Signing tab and it's used to sign all of our project's assemblies.

My research indicates that the error is a result of running MSBuild without specifying a password for the .pfx file. When built in Visual Studio it prompts me for the password once and then apparently exports it to the machine's RSA crypto store so that I never have to enter it again.

Is there any way to get this working on our build server so that either TeamCity or MSBuild will retrieve the password from an RSA key container automatically like it does on my development machine?

I've already looked into using aspnet_regiis but the import switch seems to apply only to XML files, not .pfx files (although I didn't actually try). Do I have to create a new key container using aspnet_regiis and then somehow generate another .pfx using the sn.exe tool?

Any help is appreciated :)


Edited by: Dave on Sep 30, 2008 3:14 AM


Hi everyone,

I'm still unsuccessful, but maybe getting warmer.

I just tried importing the .pfx file using the following command on the server that's running TeamCity:

certutil -v -importPFX -user FILENAME.pfx AT_SIGNATURE


I also tried a few variations but nothing worked. Building on the command-line with MSBuild also still prompts me for a password, so obviously MSBuild is using some other approach for the Import Key File dialog but I haven't the slightest idea what it is.

Any help?




I am experiencing the same problem. Did you find the solution for it?



Hi Praveen,

Unfortunately no. I had to resort to using unprotected .snk files.

- Dave


@Dave: I had a similar problem with our builds when we were using What I had to do was run the build once under the account cruise was running manually. Go to your artifact directory and run the build task that's failing (using the checked out files from team city). You'll get a dialog popup asking for the password for your pfx file. Enter it and let the build complete. Then force the build from team city and it should work now. The password for the pfx file is cached under the account that runs it so it'll use that token on subsequent builds.

Good luck!



Thanks for the suggestion, but I had already looked into that and thought it wouldn't work presumably because the TeamCity service is running under an account that cannot logon to Windows. IIRC, it's running under System because I also remember playing around with something under HKEY_USERS/.DEFAULT but that didn't work either.

I guess I could have just tried changing the service account but I didn't want to break TeamCity and have to deal with any permission issues.

- Dave


@Dave: That's true. I don't run my TC under SYSTEM or NETWORK SERVICE because it needs access to drives to write files and generally needs access to a bunch of things (like when it does deploys to other servers) so I have it running under a domain service account we setup. If it's running under a system account I'm not sure how you can get past the pfx issue, sorry.


Hi Dave,

I've been having the same problem for years, and always fixed it by having VS on the machine.

But now! My fix on a machine that only has the .NET framework and not VS:

- Double-click the pfx file to manually import it into the cert store for that user on that machine.
- Change the build agent to run as the user you imported the key as.

Voila! Now my build runs!

Good luck


Please sign in to leave a comment.