
See this: X509Certificate - Keyset does not exist

I am attempting to sign a certificate using a web service on IIS 8. I thought it would be as simple as installing a PFX on a server, and then the web service could simply use that certificate (from the store) and sign an executable (these executables are created on demand, and signed by our service, at least that's the idea behind it).

I've exhausted all of the options linked to the above question. I've navigated to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and added EVERYONE to the files to see if I can narrow down that it is (in fact) a permissions issue. I've attempted running MMC and added the snap-in for service\computer accounts, I've ensured that upon installing the certificate it was marked as exportable, and I've even attempted to add, in the web service itself, code which would basically add the certificate to the store itself, i.e.:

   // pfxPath / pfxPassword are assumed here: the question does not show how `cert` was loaded
   X509Certificate2 cert = new X509Certificate2(pfxPath, pfxPassword, X509KeyStorageFlags.PersistKeySet);
   // add the certificate to the current user's Personal (My) store
   X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
   store.Open(OpenFlags.ReadWrite);
   store.Add(cert);
   store.Close();

Any ideas? Is there another way that I could determine (for sure) if it is actually a permissions issue? Is there no way to sign a certificate without having the certificate in the machine's store (i.e. signtool.exe allows it)?

Also, for reference, I used the class found here: "Has anyone got any code to call SignerSignEx from C#?" for signing the certificate. I've scoured the internet and most of the solutions are very much the same: permissions on the GUID cert files themselves. Any help on this would be greatly appreciated.

  • 1. How do you find your certificate? By thumbprint? 2. IIS requires to have certificate in LocalMachine and you must give IIS process permission to that certificate. Usually I do it this way - right click certificate in MMC -> All tasks -> Manage Private keys (or smth like that since my windows is not US). – nikita Mar 17 '16 at 08:32
  • We gave the AppPool access to the certificate through MMC, yes. Also, the certificate was installed on the LocalMachine (by administrator). – Mani5556 Mar 17 '16 at 17:16
  • And I find the certificate by thumbprint, yes. – Mani5556 Mar 17 '16 at 18:46
  • Please run `certutil -store my` command as administrator in cmd. It should test all certificates in LocalMachine\My store for encrypt/decrypt. That will tell you whether private key and the certificate are matched correctly. – pepo Mar 17 '16 at 19:41
  • Try give 'everyone' permission through mmc. Are you sure that you successfully find certificate by thumbprint? In mmc there are some non visible characters in thumbprint string, so if you just copy/paste from there you will never find certificate. – nikita Mar 18 '16 at 05:00
  • Did all that, gave everyone permissions, I am definitely finding the certificate by thumbprint properly in code (after dealing with the non-visible characters); I think I've made progress, except I am now getting a "The handle is invalid" error. Any further ideas? – Mani5556 Mar 18 '16 at 18:38
  • Stack trace would be helpful – nikita Mar 19 '16 at 07:57
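The comments above raise two separate failure points: the thumbprint copied from MMC may contain invisible characters so the lookup silently returns nothing, and a "Keyset does not exist" / "The handle is invalid" error only surfaces when the private key is actually opened, by whichever account the worker process runs as. The following diagnostic is an added example, not code from the question or from the linked SignerSignEx class; it assumes the certificate lives in LocalMachine\My, that the thumbprint is supplied by the caller (a placeholder is used below), and that `System.Security.Cryptography.Cng` is referenced for the `RSACng` branch.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic (not from the question): confirms the certificate can be
// found by thumbprint and that the current process identity can open and use
// its private key. Run it from inside the web service so it executes as the
// application pool account, not as the logged-on administrator.
public static class SigningCertCheck
{
    // Keep only hex digits: thumbprints pasted from the MMC certificate dialog
    // carry spaces and an invisible U+200E left-to-right mark at the start.
    public static string NormalizeThumbprint(string raw)
    {
        return new string(raw.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
    }

    public static X509Certificate2 FindByThumbprint(string thumbprint, StoreLocation location)
    {
        using (var store = new X509Store(StoreName.My, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            // validOnly:false so an expired or untrusted certificate is still reported rather than hidden
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, NormalizeThumbprint(thumbprint), validOnly: false);
            return matches.Count > 0 ? matches[0] : null;
        }
    }

    // Returns a one-line verdict describing which step failed, if any.
    public static string Diagnose(string thumbprint)
    {
        string identity = WindowsIdentity.GetCurrent().Name;
        X509Certificate2 cert = FindByThumbprint(thumbprint, StoreLocation.LocalMachine);
        if (cert == null)
            return "Not found in LocalMachine\\My as " + identity + "; check the thumbprint and store location.";
        if (!cert.HasPrivateKey)
            return "Found, but no private key is associated; re-import the PFX with its key.";

        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa == null)
                    return "Private key is present but is not an RSA key.";

                // Exercise the key: file-permission problems on the key container
                // appear here, not when the store lookup succeeds.
                byte[] sig = rsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                // Name of the key file under MachineKeys (CSP) or the CNG key name, so the
                // ACL that actually matters can be checked instead of granting EVERYONE.
                string container =
                    (rsa as RSACryptoServiceProvider)?.CspKeyContainerInfo.UniqueKeyContainerName
                    ?? (rsa as RSACng)?.Key.UniqueName
                    ?? "(unknown provider)";
                return "OK as " + identity + ": signed " + sig.Length + " bytes using key container " + container;
            }
        }
        catch (CryptographicException ex)
        {
            // "Keyset does not exist" and "The handle is invalid" land here; the
            // identity printed is the account that needs Read on the key file.
            return "Private key cannot be opened as " + identity + ": " + ex.Message;
        }
    }

    public static void Main()
    {
        // Placeholder: substitute the real thumbprint copied from MMC (invisible characters are stripped).
        Console.WriteLine(Diagnose("<thumbprint-from-mmc>"));
    }
}
```

Calling `Diagnose` from a throwaway endpoint in the service, or from a console app launched under the application pool account, separates the three cases that the question conflates: lookup failure (thumbprint or wrong store), a certificate without its key, and a key file the process identity cannot read. The reported `UniqueKeyContainerName` identifies the exact file under MachineKeys whose ACL should be granted to the pool identity, which is narrower than the EVERYONE grant tried in the question.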
