
In my ASP.NET application I'm loading a certificate from the certificate store:

var myCert = CertificateUtils.GetCertificate("thumbprint");

This certificate contains a key pair which is used to decrypt the encrypted application settings.

The certificate is installed in Personal certificate store under the Local Computer. It works well when the application is running under the IIS Express. But if I execute it under the full IIS Web Server, the myCert instance is missing the private key.

The PrivateKey field of myCert object contains an exception:

'myCert.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'

I have checked that other fields of the myCert object contain the same values (for example the certificate serial number, thumbprint or expiration), so it seems it's getting the same certificate under both IIS and IIS Express. Only the private key is missing in the case of full IIS.

The only thing I have changed was the Local Development Server in the project's properties ("Use IIS Express" / "Use IIS Web Server"). It's running inside the Azure Emulator Express in both cases.

Does anyone have an idea why this is happening?

David Ferenczy Rogožan

2 Answers

Running on IIS Express, the program uses your credentials to access the certificate, while on IIS the pool identity's credentials are used. You can easily check the certificate ACL to see who is allowed or not.

Follow these steps:

  1. Check what Application Pool your web site uses

    Open Internet Information Services Manager, select Sites in the Connections tree on the left. Select your site in the middle panel and click Basic settings under Actions on the right panel.

  2. Check what identity the Application Pool uses

    Select Application Pools in the Connections tree on the left and find the identity in the middle panel. It'll probably be "NETWORK SERVICE".

  3. Add read permissions for the identity used by Application Pool to your certificate

    Open the Microsoft Management Console (mmc), add the Certificates snap-in for the local Computer account and find your certificate under Personal certificates. Open its context menu, All Tasks and Manage Private Keys.... Click Add..., enter the identity ("NETWORK SERVICE") and click Check Names and OK. Under Permissions for, allow only the Read permission.

    You can read details in this question: How to give ASP.NET access to a private key in a certificate in the certificate store?

Lex Li
  • I see. That does make a sense. But what can I do to use that certificate and keys under the full IIS, please? – David Ferenczy Rogožan Oct 08 '15 at 07:57
  • 1
    @DawidFerenczy you can grant the pool identity access to the certificate. It is very easy to do so in mmc's certificate management snap in. – Lex Li Oct 08 '15 at 08:33
  • OK, so I identified the Application Pool used for my application. Identity of this Application Pool is set to "NetworkService", so I need to grant an access to the certificate for this account, right? I have checked the Certificates in MMC, but I wasn't able to find where permissions are configured. Could you help me, please? Also what permission do I need? – David Ferenczy Rogožan Oct 08 '15 at 12:55
  • I have solved it already, this StackOverflow question helped me with a certificate permissions set up: http://stackoverflow.com/questions/2609859/how-to-give-asp-net-access-to-a-private-key-in-a-certificate-in-the-certificate. – David Ferenczy Rogožan Oct 08 '15 at 13:41
  • How to overcome this exception without any IIS settings? – Amruta Feb 03 '17 at 07:50
  • @Sonali you cannot. There is no magic. You must follow the answer to make relevant settings. – Lex Li Feb 03 '17 at 08:51

I was having this problem when debugging the application (".PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'"). I solved it like this:

In mmc > Local Computer > Personal > Certificate > right click on certificate > All Tasks > Manage Private Keys: Add "everyone" user and select Total Control.

Tamar
  • This solution doesn't work in my scenario... I have already set the highest permission for almost IUSRS, Everyone, IUSR... but still the same exception of "store.storehandle threw an exception of type system.security.cryptography.cryptographicexception" is fired... Any advice, highly appreciated. – Amruta Feb 03 '17 at 07:53
  • This worked for me. Only had to add "Everyone" with only Read permission. – OpMt Mar 18 '21 at 01:57
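The three steps in Lex Li's answer (find the site's application pool, find the pool's identity, grant that identity Read on the private key) can be scripted rather than clicked through in mmc, and doing so also makes the least-privilege point concrete: the grant goes to the one pool account and is Read only, instead of Everyone with Full Control as in Tamar's answer. The PowerShell below is an added example, not code from the question or either answer. It assumes the certificate is in the Local Computer Personal store (Cert:\LocalMachine\My) with a software RSA key, that the IIS WebAdministration module is available, and it uses placeholder values for the site name and thumbprint; the key container paths are the standard locations for machine keys of the Microsoft CSP and CNG providers.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the question or either answer.
# 'MySite' and 'PLACEHOLDER_THUMBPRINT' below are placeholders to replace.
Import-Module WebAdministration

function Get-AppPoolAccount {
    # Steps 1 and 2 of the answer: site -> application pool -> Windows account name.
    param([Parameter(Mandatory)][string]$SiteName)
    $poolName = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    $pm = (Get-ItemProperty "IIS:\AppPools\$poolName").processModel
    switch ($pm.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'SpecificUser'            { $pm.userName }
        default                   { throw "Unknown identity type '$($pm.identityType)'" }
    }
}

function Get-PrivateKeyFile {
    # Resolve the on-disk key container of a LocalMachine\My certificate.
    # Opening the key handle needs access for the caller, hence the elevation requirement.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; re-import the PFX with the key" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG (Key Storage Provider) machine keys
        $file = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP machine keys
        $file = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    } else {
        throw 'Only RSA software keys are handled in this example'
    }
    if (-not (Test-Path $file)) { throw "Key container $file not found (user store or hardware provider?)" }
    return $file
}

function Grant-PrivateKeyRead {
    # Step 3 of the answer: allow only Read, only for the pool account.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Account
    )
    $file = Get-PrivateKeyFile -Thumbprint $Thumbprint
    $acl  = Get-Acl -Path $file
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl

    # Print the resulting entries so the grant can be checked, and so a broader
    # grant such as Everyone / FullControl left over from earlier attempts is visible.
    (Get-Acl -Path $file).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -or $_.IdentityReference.Value -like '*Everyone*' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage with the placeholders above.
$account = Get-AppPoolAccount -SiteName 'MySite'
Grant-PrivateKeyRead -Thumbprint 'PLACEHOLDER_THUMBPRINT' -Account $account
```

After running it, restart the application pool so the worker process picks up the new ACL. If the comment thread's situation recurs (Everyone already has permission yet the exception persists), the output of Get-PrivateKeyFile is the thing to check: a certificate imported into the user store, or one whose key lives in a hardware provider, has no container under ProgramData for the pool identity to read.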