How to Grant IIS 7.5 / ASP.NET 3.5 access to a certificate in certificate store?

    Question

  • There seems to be a bug / issue where ASP.NET cannot access the Private key in a certificate. You can replicate the steps to recreate the issue at the URL below. If I'm missing something please let me know. Everything is working fine in production on IIS 6 / Server 2003; however, going to a brand new Server 2008 R2 and IIS 7.5 one cannot give access to a cert in the "Local Computer\Personal" cert store even if you grant "Everyone" full access.

    http://forums.iis.net/p/1166684/1940339.aspx#1940339

    Monday, April 12, 2010 8:14 PM

All replies

  • Hi,
     
    I built a project with your code (slightly modified due to some changes in System.Cryptography) with .Net 4.0 and I didn't seem to have any problems:
     
    Cert Private Key
    server.domain.com True
    serveraltname.domain.com True
     
    In terms of permissions, System and Administrators have Full control and Read on the private keys of the certificates in the Local Computer\Personal\Certificates store. Were you able to find a solution yet?
     
     
    <%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
    <asp:Repeater ID="repeater1" runat="server">
        <HeaderTemplate>
            <%-- column headings, one table row per certificate follows --%>
            <table>
                <tr><th>Cert</th><th>Private Key</th></tr>
        </HeaderTemplate>
        <ItemTemplate>
            <%-- Container.DataItem is only set inside ItemTemplate --%>
            <tr>
                <td><%# ((X509Certificate2)Container.DataItem).GetNameInfo(X509NameType.SimpleName, false) %></td>
                <td><%# ((X509Certificate2)Container.DataItem).HasPrivateKey %></td>
            </tr>
        </ItemTemplate>
        <FooterTemplate>
            </table>
        </FooterTemplate>
    </asp:Repeater>
     
     
     
    using System;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using System.Web.UI;

    namespace TestWebApp
    {
        public partial class _Default : Page
        {
            public X509Certificate2Collection Certificates;

            protected void Page_Load(object sender, EventArgs e)
            {
                // Local Computer\Personal ("My") store
                var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
                // open the store for read-only access
                store.Open(OpenFlags.ReadOnly);
                try
                {
                    // Certificates is a snapshot, so the store can be closed afterwards
                    Certificates = store.Certificates;
                    repeater1.DataSource = Certificates;
                    repeater1.DataBind();
                }
                finally
                {
                    store.Close();
                }
            }
        }

        public static class Extensions
        {
            // "Yes" when the public key can be loaded; this should always succeed
            public static string HasPublicKeyAccess(this X509Certificate2 cert)
            {
                try
                {
                    AsymmetricAlgorithm algorithm = cert.PublicKey.Key;
                }
                catch (Exception)
                {
                    return "No";
                }
                return "Yes";
            }

            // "Yes" only when the certificate has a private key AND the identity
            // running the page has read access to its key container
            public static string HasPrivateKeyAccess(this X509Certificate2 cert)
            {
                try
                {
                    // PrivateKey is null when there is no key (NullReferenceException);
                    // it throws CryptographicException when the key container is not readable
                    string algorithm = cert.PrivateKey.KeyExchangeAlgorithm;
                }
                catch (Exception)
                {
                    return "No";
                }
                return "Yes";
            }
        }
    }
     

    -- Mike Burr
    Saturday, June 19, 2010 6:59 PM
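The question asks how to give IIS access to a certificate's private key, and the reply above points at the ACL on the private key itself rather than on the certificate. The following console program is an added example, not code from either poster: it locates the key container file of an RSA CSP key in the machine key store, grants one Windows account read access to it, and verifies the rule was written. Assumptions are labelled in the code: the thumbprint is a placeholder, the account name `IIS AppPool\DefaultAppPool` is the default IIS 7.5 application pool identity and would be replaced with the real pool's identity, the key is an RSA CSP key under `%ProgramData%\Microsoft\Crypto\RSA\MachineKeys` (CNG/KSP keys live elsewhere and are rejected here), and the program runs elevated on the .NET Framework.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

namespace GrantKeyAccess
{
    public static class PrivateKeyAcl
    {
        // Resolves the on-disk key container file for an RSA CSP private key.
        // Only machine-store CSP keys are handled; anything else is reported, not guessed.
        public static string GetMachineKeyFilePath(X509Certificate2 cert)
        {
            var rsa = cert.PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
            {
                throw new InvalidOperationException(
                    "No private key, or the key is not held by an RSA CSP (e.g. a CNG key).");
            }
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            if (!info.MachineKeyStore)
            {
                throw new InvalidOperationException("Key is in a user profile store, not the machine store.");
            }
            // assumption: default MachineKeys location under %ProgramData%
            string machineKeys = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys");
            return Path.Combine(machineKeys, info.UniqueKeyContainerName);
        }

        // Adds an explicit Allow:Read rule for the account on the key file.
        // Read is sufficient for signing/decrypting; Full Control is not needed.
        public static void GrantRead(X509Certificate2 cert, string account)
        {
            string keyFile = GetMachineKeyFilePath(cert);
            FileSecurity security = File.GetAccessControl(keyFile);
            security.AddAccessRule(new FileSystemAccessRule(
                account, FileSystemRights.Read, AccessControlType.Allow));
            File.SetAccessControl(keyFile, security);
        }

        // Checks whether an explicit Allow rule including Read exists for the account.
        public static bool HasReadRule(X509Certificate2 cert, string account)
        {
            FileSecurity security = File.GetAccessControl(GetMachineKeyFilePath(cert));
            foreach (FileSystemAccessRule rule in
                     security.GetAccessRules(true, true, typeof(NTAccount)))
            {
                bool sameAccount = rule.IdentityReference.Value.Equals(
                    account, StringComparison.OrdinalIgnoreCase);
                bool allowsRead = rule.AccessControlType == AccessControlType.Allow
                    && (rule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read;
                if (sameAccount && allowsRead)
                {
                    return true;
                }
            }
            return false;
        }

        public static X509Certificate2 FindByThumbprint(string thumbprint)
        {
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                X509Certificate2Collection found = store.Certificates.Find(
                    X509FindType.FindByThumbprint, thumbprint, false);
                if (found.Count != 1)
                {
                    throw new InvalidOperationException(
                        "Expected exactly one certificate, found " + found.Count);
                }
                return found[0];
            }
            finally
            {
                store.Close();
            }
        }

        public static void Main(string[] args)
        {
            // placeholders: replace with the real thumbprint and application pool identity
            string thumbprint = "<CERT-THUMBPRINT>";
            string appPoolIdentity = @"IIS AppPool\DefaultAppPool";

            X509Certificate2 cert = FindByThumbprint(thumbprint);
            GrantRead(cert, appPoolIdentity);
            Console.WriteLine("{0} read access on {1}: {2}",
                appPoolIdentity, GetMachineKeyFilePath(cert), HasReadRule(cert, appPoolIdentity));
        }
    }
}
```

The same outcome can be reached in the Certificates MMC snap-in via "Manage Private Keys" on the certificate; the point of doing it in code is that it makes explicit what that dialog edits, namely the DACL of the key container file, and lets you confirm the rule for the application pool identity rather than for a broad group such as Everyone.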