Where should a certificate that appears in the Trusted Root Certification Authorities node in certmgr.msc be kept so that an IIS web app can obtain it and sign a SAML Assertion with it? Is there a way to extract the certificate from the certificates "hive" directly, that does not require file-system permissions? Or is it necessary to export the certificate to a folder to which the IIS7 built-in user has access permissions?

The X509Certificate2.Import() method's first parameter is fileName.

If I export the Certificate and put the file in my Visual Studio 2012 Project folder hierarchy and provide a fully qualified path to the Import() method, the cert import succeeds, but only if the application is running in Visual Studio's built-in server, not if it's running in the Local IIS Web Server.

I've tried using the Friendly Name with X509KeyStorageFlags.MachineKeySet but that did not work.

EDIT: This works when using the built-in Visual Studio server but not the LOCAL IIS7 Server in Windows 7:

    Imports System.Configuration
    Imports System.Security.Cryptography.X509Certificates

    Dim certStore As New X509Store(StoreLocation.CurrentUser)
    certStore.Open(OpenFlags.ReadOnly)
    Dim thumbprint As String = ConfigurationManager.AppSettings("thumb")
    ' validOnly:=False so a self-signed or untrusted certificate is still returned
    Dim certCollection As X509Certificate2Collection = _
        certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
    certStore.Close()
    ' certCollection(0) throws if nothing matched, so check Count first
    If certCollection.Count = 0 Then Throw New InvalidOperationException("Thumbprint not found")
    Dim cert As X509Certificate2 = certCollection(0)

so I need to find out how to give the Default App Pool access to this certificate in Windows 7.

Tim

1 Answer

You don't "import", just create an instance. Formally, you open a key store and loop through certificates. And yes, you don't need any filesystem permission; however, to access the private key, your application pool identity has to have permission to the key. You set the permission in the certificate snap-in of the mmc console.

Edit: the code to access the certificate would be something like:

using System.Security.Cryptography.X509Certificates;

var store = new X509Store( name, location );
store.Open( OpenFlags.ReadOnly );
foreach ( var cert in store.Certificates )
{
    // loop and match, by thumbprint, friendly name or whatever else
    if ( cert.Thumbprint == thumbprint ) { /* use cert */ break; }
}
store.Close();
Wiktor Zychla
  • Thank you, Wiktor, but I see no way to grant the application pool identity permission to the key in the certificate snap-in of the mmc console, at least not on my development machine running Windows 7. I will try to find how to do this. – Tim Nov 15 '13 at 18:54
  • What object has the Create method? – Tim Nov 15 '13 at 18:58
  • You right-click the certificate and select the "manage private keys" option (sorry if the option has a slightly different name, but I use localized Windows 7). From there you add/delete permissions. – Wiktor Zychla Nov 15 '13 at 19:11
  • As for the second question, I mean the constructor; however, first you have to open the store and then either find the certificate or enumerate certificates and match the one you search for http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.x509.x509certificatestore.aspx – Wiktor Zychla Nov 15 '13 at 19:13
  • I think the problem is that Windows 7 and Windows Server 2008 may be doing this in different ways. I can use the X509Store.Find method successfully (see edits to my question above) only when the built-in Visual Studio server is used. The Windows 7 certificate snap-in for MMC does not seem to have the context menu where right-clicking a certificate shows a "manage private keys" option. – Tim Nov 15 '13 at 19:42
  • All tasks / Manage private keys. – Wiktor Zychla Nov 15 '13 at 19:51
  • No, sorry, it's not there. All Tasks -> Open, Request Certificate with New Key, Renew Certificate with New Key, Advanced Operations Submenu, Export. And the Advanced Operations Submenu offers Request and Renew options using the same key. Another one of those Windows 7 differences. – Tim Nov 15 '13 at 19:55
  • Ok, I missed the fact that you use the Trusted Certs while you shouldn't. In this case follow this http://stackoverflow.com/questions/10580326/privatekey-trust-permissions-for-local-machine-trusted-roots-certificates The option to manage private keys is available at the personal store so you need the described trick. However, I recommend you load your certs from the personal store. – Wiktor Zychla Nov 15 '13 at 20:17
  • Thanks much, Wiktor, for the help. – Tim Nov 20 '13 at 21:00
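A fuller version of the lookup the answer describes, as an added example (not code from the question or the answer): it searches the LocalMachine Personal store by thumbprint, then separates "no private key at all" from "private key exists but this identity cannot read it", which is what the app-pool permission problem looks like at runtime. It assumes .NET Framework 4.6 or later (for GetRSAPrivateKey) and an RSA certificate; the class and method names are my own.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Loads a signing certificate from LocalMachine\Personal (the store recommended
// in the comments above rather than Trusted Root) and reports clearly when the
// process identity, e.g. the IIS app pool, cannot read the private key.
static class SigningCertLoader
{
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        // Thumbprints copied from the MMC often carry spaces and an invisible
        // Unicode mark; keep only the hex digits before searching.
        var clean = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly: false so a self-signed test certificate is still returned.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, clean, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("No certificate " + clean + " in LocalMachine\\My.");
            return matches[0];
        }
        finally { store.Close(); }
    }

    public static byte[] Sign(X509Certificate2 cert, byte[] data)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("No private key: was the certificate imported from a .cer instead of a .pfx?");
        RSA rsa;
        try
        {
            // Throws CryptographicException ("Keyset does not exist" or access denied) when the
            // current identity lacks Read on the key. Fix: Certificates snap-in, All Tasks >
            // Manage Private Keys, grant the app pool identity Read.
            rsa = cert.GetRSAPrivateKey();
        }
        catch (CryptographicException ex)
        {
            throw new UnauthorizedAccessException("Private key not readable by " + Environment.UserName, ex);
        }
        if (rsa == null) throw new InvalidOperationException("Certificate key is not RSA.");
        using (rsa)
            return rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
}
```

Running Sign once at application start (on a throwaway byte array) under the real app pool identity surfaces the UnauthorizedAccessException in the event log instead of at the first SAML request.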