X509Certificate - Keyset does not exist

BrunoXP picture BrunoXP · Jun 17, 2011 · Viewed 52.6k times · Source

I have a WinForms application that consumes a WCF, and pass as a parameter to a function a certificate:

mySvcClient.SendDocument(cert.Export(X509ContentType.SerializedCert, "password"));
...

In WCF service, I recreated the certificate from the array of bytes:

public void SendDocument (byte[] binaryCert)
{   
     X509Certificate2 cert = new X509Certificate2(binaryCert, "password");
...

But when using the certificate to sign a xml, I got the error "Keyset does not exist":

if (cert.HasPrivateKey) // WORKS!!!
{   
    signedXml.SigningKey = cert.PrivateKey; // THROW "keyset does not exist" EXCEPTION
...

In my computer, the application works 100%! But in the WebServer, I got this error!

The question is: even X509Certificate2 recreated from an array of bytes, I need some special permission to access private key?

Thank you!

Answer

Vano Maisuradze picture Vano Maisuradze · Jul 23, 2011

If you are using windows server 2008 or windows 7, then you need the permission to read private key.

  1. use FindPrivateKey tool to find path. For example:

FindPrivateKey My LocalMachine -n "CN=MyCert" –a

it returns the path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys[File Name]

  1. Go to that path and open file properties

  2. Go to security tab

  3. Click on "Edit" then "Add"

  4. In opened dialog write: IIS AppPool\[your application pool name] and click OK

Now your application pool has permission to read this private key.