How to give ASP NET access to a private key in a certificate in the certificate store

Question

I have an ASP NET application that accesses private key in a certificate in the certificates store  On Windows Server 2003 I was able to use winhttpcertcfg exe to give private key access to the NETWORK SERVICE account  How do I give permissions to access a Private Key in a certificate in the certificate store  Local Computer Personal  on a Windows Server 2008 R2 in an IIS 7 5 website   I ve tried giving Full Trust access to  Everyone    IIS AppPool DefaultAppPool    IIS IUSRS   and everyother security account I could find using the Certificates MMC  Server 2008 R2   However the below code demonstrates that the code does not have access to the Private Key of a certificate that was imported with the private key  The code instead throws and error everytime the private key property is accessed   Default aspx  lt    Page Language  C   AutoEventWireup  true  CodeFile  Default aspx cs  Inherits   Default    gt   lt    Import Namespace  System Security Cryptography X509Certificates    gt   lt  DOCTYPE html PUBLIC  -  W3C  DTD XHTML 1 0 Transitional  EN   http   www w3 org TR xhtml1 DTD xhtml1-transitional dtd  gt   lt html xmlns  http   www w3 org 1999 xhtml  gt   lt head runat  server  gt       lt title gt  lt  title gt   lt  head gt   lt body gt       lt form id  form1  runat  server  gt       lt div gt           lt asp Repeater ID  repeater1  runat  server  gt               lt HeaderTemplate gt                   lt table gt                       lt tr gt                           lt td gt                              Cert                          lt  td gt                           lt td gt                              Public Key                          lt  td gt                           lt td gt                              Private Key                          lt  td gt                       lt  tr gt               lt  HeaderTemplate gt               lt ItemTemplate gt                   lt tr gt                       lt td gt                       lt     X509Certificate2 Container DataItem  GetNameInfo X509NameType SimpleName  false    gt                       lt  td gt                       lt td gt                       lt     X509Certificate2 Container DataItem  HasPublicKeyAccess     gt                       lt  td gt                       lt td gt                       lt     X509Certificate2 Container DataItem  HasPrivateKeyAccess     gt                       lt  td gt                   lt  tr gt               lt  ItemTemplate gt               lt FooterTemplate gt                   lt  table gt  lt  FooterTemplate gt           lt  asp Repeater gt       lt  div gt       lt  form gt   lt  body gt   lt  html gt   Default aspx cs  using System  using System Security Cryptography  using System Security Cryptography X509Certificates  using System Web UI  public partial class  Default   Page        public X509Certificate2Collection Certificates      protected void Page Load object sender  EventArgs e                   Local Computer Personal         var store   new X509Store StoreLocation LocalMachine              create and open store for read-only access         store Open OpenFlags ReadOnly           Certificates   store Certificates          repeater1 DataSource   Certificates          repeater1 DataBind            public static class Extensions       public static string HasPublicKeyAccess this X509Certificate2 cert                try                       AsymmetricAlgorithm algorithm   cert PublicKey Key                    catch  Exception ex                        return  No                     return  Yes             public static string HasPrivateKeyAccess this X509Certificate2 cert                try                       string algorithm   cert PrivateKey KeyExchangeAlgorithm                    catch  Exception ex                        return  No                     return  Yes

User · Accepted Answer

Create   Purchase certificate  Make sure it has a private key  Import the certificate into the  Local Computer  account  Best to use Certificates MMC  Make sure to check  Allow private key to be exported  Based upon which  IIS 7 5 Application Pool s identity use one of the following    IIS 7 5 Website is running under ApplicationPoolIdentity  Open MMC    Add Certificates  Local computer  snap-in    Certificates  Local Computer     Personal    Certificates    Right click the certificate of interest    All tasks    Manage private key    Add IIS AppPool AppPoolName and grant it Full control  Replace  AppPoolName  with the name of your application pool  sometimes IIS IUSRS  IIS 7 5 Website is running under NETWORK SERVICE  Using Certificates MMC  added  NETWORK SERVICE  to Full Trust on certificate in  Local Computer Personal   IIS 7 5 Website is running under  MyIISUser  local computer user account  Using Certificates MMC  added  MyIISUser   a new local computer user account  to Full Trust on certificate in  Local Computer Personal      Update based upon  Phil Hale comment   Beware  if you re on a domain  your domain will be selected by default in the  from location box   Make sure to change that to  Local Computer   Change the location to  Local Computer  to view the app pool identities

User · Answer

For me  it was nothing more than re-importing the certificate with  Allow private key to be exported  checked   I guess it is necessary  but it does make me nervous as it is a third party app accessing this certificate

User · Answer

I figured out how to do this in Powershell that someone asked about    keyname    gci cert  LocalMachine my         thumbprint -like  thumbprint   PrivateKey  CspKeyContainerInfo  UniqueKeyContainerName  keypath    env ProgramData       Microsoft Crypto RSA MachineKeys      fullpath  keypath  keyname   Acl   Get-Acl  fullpath  Ar   New-Object System Security AccessControl FileSystemAccessRule  IIS AppPool  iisAppPoolName    Read    Allow    Acl SetAccessRule  Ar  Set-Acl  fullpath  Acl

User · Answer

Although I have attended the above  I have come to this point after many attempts  1- If you want access to the certificate from the store  you can do this as an example 2- It is much easier and cleaner to produce the certificate and use it via a path  Asp net Core 2 2 OR1   using Org BouncyCastle Asn1  using Org BouncyCastle Asn1 Pkcs  using Org BouncyCastle Asn1 X509  using Org BouncyCastle Crypto  using Org BouncyCastle Crypto Generators  using Org BouncyCastle Crypto Operators  using Org BouncyCastle Crypto Parameters  using Org BouncyCastle Crypto Prng  using Org BouncyCastle Math  using Org BouncyCastle Pkcs  using Org BouncyCastle Security  using Org BouncyCastle Utilities  using Org BouncyCastle X509  using System  using System Collections Generic  using System Linq  using System Security Cryptography  using System Security Cryptography X509Certificates  using System Text  using System Threading Tasks   namespace Tursys Pool Storage Api Utility       class CertificateManager               public static X509Certificate2 GetCertificate string caller                        AsymmetricKeyParameter caPrivateKey   null              X509Certificate2 clientCert              X509Certificate2 serverCert               clientCert   GetCertificateIfExist  CN 127 0 0 1   StoreName My  StoreLocation LocalMachine               serverCert   GetCertificateIfExist  CN MyROOTCA   StoreName Root  StoreLocation LocalMachine               if  clientCert    null    serverCert    null                                var caCert   GenerateCACertificate  CN MyROOTCA   ref caPrivateKey                   addCertToStore caCert  StoreName Root  StoreLocation LocalMachine                    clientCert   GenerateSelfSignedCertificate  CN 127 0 0 1    CN MyROOTCA   caPrivateKey                   var p12   clientCert Export X509ContentType Pfx                    addCertToStore new X509Certificate2 p12   string null  X509KeyStorageFlags Exportable   X509KeyStorageFlags PersistKeySet   StoreName My  StoreLocation LocalMachine                              if  caller     client                   return clientCert               return serverCert                     public static X509Certificate2 GenerateSelfSignedCertificate string subjectName  string issuerName  AsymmetricKeyParameter issuerPrivKey                        const int keyStrength   2048                  Generating Random Numbers             CryptoApiRandomGenerator randomGenerator   new CryptoApiRandomGenerator                SecureRandom random   new SecureRandom randomGenerator                   The Certificate Generator             X509V3CertificateGenerator certificateGenerator   new X509V3CertificateGenerator                    Serial Number             BigInteger serialNumber   BigIntegers CreateRandomInRange BigInteger One  BigInteger ValueOf Int64 MaxValue   random               certificateGenerator SetSerialNumber serialNumber                   Signature Algorithm               const string signatureAlgorithm    SHA256WithRSA                 certificateGenerator SetSignatureAlgorithm signatureAlgorithm                   Issuer and Subject Name             X509Name subjectDN   new X509Name subjectName               X509Name issuerDN   new X509Name issuerName               certificateGenerator SetIssuerDN issuerDN               certificateGenerator SetSubjectDN subjectDN                   Valid For             DateTime notBefore   DateTime UtcNow Date              DateTime notAfter   notBefore AddYears 2                certificateGenerator SetNotBefore notBefore               certificateGenerator SetNotAfter notAfter                   Subject Public Key             AsymmetricCipherKeyPair subjectKeyPair              var keyGenerationParameters   new KeyGenerationParameters random  keyStrength               var keyPairGenerator   new RsaKeyPairGenerator                keyPairGenerator Init keyGenerationParameters               subjectKeyPair   keyPairGenerator GenerateKeyPair                 certificateGenerator SetPublicKey subjectKeyPair Public                   Generating the Certificate             AsymmetricCipherKeyPair issuerKeyPair   subjectKeyPair               ISignatureFactory signatureFactory   new Asn1SignatureFactory  SHA512WITHRSA   issuerKeyPair Private  random                  selfsign certificate             Org BouncyCastle X509 X509Certificate certificate   certificateGenerator Generate signatureFactory                    correcponding private key             PrivateKeyInfo info   PrivateKeyInfoFactory CreatePrivateKeyInfo subjectKeyPair Private                    merge into X509Certificate2             X509Certificate2 x509   new System Security Cryptography X509Certificates X509Certificate2 certificate GetEncoded                  Asn1Sequence seq    Asn1Sequence Asn1Object FromByteArray info PrivateKeyAlgorithm GetDerEncoded                 if  seq Count    9                                  throw new PemException  malformed sequence in RSA private key                               RsaPrivateKeyStructure rsa   RsaPrivateKeyStructure GetInstance info ParsePrivateKey                 RsaPrivateCrtKeyParameters rsaparams   new RsaPrivateCrtKeyParameters                  rsa Modulus  rsa PublicExponent  rsa PrivateExponent  rsa Prime1  rsa Prime2  rsa Exponent1  rsa Exponent2  rsa Coefficient                try                               var rsap   DotNetUtilities ToRSA rsaparams                   x509   x509 CopyWithPrivateKey rsap                      x509 PrivateKey   ToDotNetKey rsaparams                             catch Exception ex                                                              x509 PrivateKey   DotNetUtilities ToRSA rsaparams               return x509                      public static AsymmetricAlgorithm ToDotNetKey RsaPrivateCrtKeyParameters privateKey                        var cspParams   new CspParameters                               KeyContainerName   Guid NewGuid   ToString                    KeyNumber    int KeyNumber Exchange                  Flags   CspProviderFlags UseMachineKeyStore                             var rsaProvider   new RSACryptoServiceProvider cspParams               var parameters   new RSAParameters                               Modulus   privateKey Modulus ToByteArrayUnsigned                    P   privateKey P ToByteArrayUnsigned                    Q   privateKey Q ToByteArrayUnsigned                    DP   privateKey DP ToByteArrayUnsigned                    DQ   privateKey DQ ToByteArrayUnsigned                    InverseQ   privateKey QInv ToByteArrayUnsigned                    D   privateKey Exponent ToByteArrayUnsigned                    Exponent   privateKey PublicExponent ToByteArrayUnsigned                               rsaProvider ImportParameters parameters               return rsaProvider                     public static X509Certificate2 GenerateCACertificate string subjectName  ref AsymmetricKeyParameter CaPrivateKey                        const int keyStrength   2048                  Generating Random Numbers             CryptoApiRandomGenerator randomGenerator   new CryptoApiRandomGenerator                SecureRandom random   new SecureRandom randomGenerator                   The Certificate Generator             X509V3CertificateGenerator certificateGenerator   new X509V3CertificateGenerator                    Serial Number             BigInteger serialNumber   BigIntegers CreateRandomInRange BigInteger One  BigInteger ValueOf Int64 MaxValue   random               certificateGenerator SetSerialNumber serialNumber                   Signature Algorithm               const string signatureAlgorithm    SHA256WithRSA                 certificateGenerator SetSignatureAlgorithm signatureAlgorithm                   Issuer and Subject Name             X509Name subjectDN   new X509Name subjectName               X509Name issuerDN   subjectDN              certificateGenerator SetIssuerDN issuerDN               certificateGenerator SetSubjectDN subjectDN                   Valid For             DateTime notBefore   DateTime UtcNow Date              DateTime notAfter   notBefore AddYears 2                certificateGenerator SetNotBefore notBefore               certificateGenerator SetNotAfter notAfter                   Subject Public Key             AsymmetricCipherKeyPair subjectKeyPair              KeyGenerationParameters keyGenerationParameters   new KeyGenerationParameters random  keyStrength               RsaKeyPairGenerator keyPairGenerator   new RsaKeyPairGenerator                keyPairGenerator Init keyGenerationParameters               subjectKeyPair   keyPairGenerator GenerateKeyPair                 certificateGenerator SetPublicKey subjectKeyPair Public                   Generating the Certificate             AsymmetricCipherKeyPair issuerKeyPair   subjectKeyPair                  selfsign certificate               Org BouncyCastle X509 X509Certificate certificate   certificateGenerator Generate issuerKeyPair Private  random                ISignatureFactory signatureFactory   new Asn1SignatureFactory  SHA512WITHRSA   issuerKeyPair Private  random                  selfsign certificate             Org BouncyCastle X509 X509Certificate certificate   certificateGenerator Generate signatureFactory                 X509Certificate2 x509   new System Security Cryptography X509Certificates X509Certificate2 certificate GetEncoded                  CaPrivateKey   issuerKeyPair Private               return x509                return issuerKeyPair Private                      public static bool addCertToStore System Security Cryptography X509Certificates X509Certificate2 cert  System Security Cryptography X509Certificates StoreName st  System Security Cryptography X509Certificates StoreLocation sl                        bool bRet   false               try                               X509Store store   new X509Store st  sl                   store Open OpenFlags ReadWrite                   store Add cert                    store Close                              catch                                           return bRet                     protected internal static X509Certificate2 GetCertificateIfExist string subjectName  StoreName store  StoreLocation location                        using  var certStore   new X509Store store  location                                 certStore Open OpenFlags ReadOnly                   var certCollection   certStore Certificates Find                                             X509FindType FindBySubjectDistinguishedName  subjectName  false                   X509Certificate2 certificate   null                  if  certCollection Count  gt  0                                        certificate   certCollection 0                                     return certificate                                     OR 2       services AddDataProtection      PersistKeysToFileSystem new DirectoryInfo   c  temp-keys     ProtectKeysWithCertificate          new X509Certificate2 Path Combine Directory GetCurrentDirectory     clientCert pfx     Password              UnprotectKeysWithAnyCertificate          new X509Certificate2 Path Combine Directory GetCurrentDirectory     clientCert pfx     Password

User · Answer

In Certificates Panel  right click some certificate - gt  All tasks - gt  Manage private key - gt  Add IIS IUSRS User with full control In my case  I didnt t need to install my certificate with  quot Allow private key to be exported quot  option checked  like said in other answers

User · Answer

Note on granting permissions via MMC  Certs  Select Cert  right-click  all-tasks   Manage Private Keys   Manage Private Keys is only on the menu list for Personal    So if you ve put your cert in Trusted People  etc  you re out of luck   We found a way around this which worked for us  Drag and drop the cert to Personal  do the Manage Private Keys thing to grant permissions  Remember to set to use object-type built-ins and use the local machine not domain  We granted rights to the DefaultAppPool user and left it at that   Once you re done  drag and drop the cert back where ever you originally had it  Presto

User · Answer

Complementing the answers this is a guide to find the private key of the certificate and add the permissions   This is the guide to get FindPrivateKey exe found in the guide for find the private key of the certificate

User · Answer

If you are trying to load a cert from a  pfx file in IIS the solution may be as simple as enabling this option for the Application Pool    Right click on the App Pool and select Advanced Settings   Then enable Load User Profile

[asp.net] How to give ASP.NET access to a private key in a certificate in the certificate store?

Examples related to asp.net

Examples related to certificate

Examples related to iis-7.5

Examples related to winhttp