PrivateKey trust permissions for local machine "Trusted roots" certificates

windows-7 iis-7 certificate windows-server-2008-r2 private-key
Robert Koritnik picture Robert Koritnik · May 14, 2012 · Viewed 19.9k times · Source

I have a certificate that has to be imported into Certificates/Trusted Root Certification Authorities and has a corresponding private key.

To actually access the key from code you need to set private key permissions to grant full access to particular IIS application pool. I totally understand that but the problem is that this can only be set on personal certificates and not trusted root ones.

I've tried adding the same certificate to Personal store and the following code doesn't break:

X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

foreach (X509Certificate2 cert in store.Certificates)
{
    if (cert.HasPrivateKey)
    {
        // access private key here
    }
}

store.Close();

Setting permissions on certificate in personal store works if I change StoreName.Root to StoreName.My. I'm able to access it there. But I'm not able to access it in root. It just says:

Keyset does not exist

Any suggestions?

Additional information

If I set my application pools identity to Local System (which has total permissions over my machine) I can successfully access private key. So the main question is how do I set permissions on my application pool identity to have access to private keys for certificates in the Trusted Root store.

Why trusted root store and not personal?
I have a pre-built assembly that accesses this certificate in this particular store, so simply placing the certificate in Personal store won't do the trick for me. That's why setting trust permissions on private keys of trusted root certificates is imperative.

Answer

thames picture thames · May 15, 2012

I haven't tried this with the Trusted Root Certification Authorities but what I have found is the simplest thing to do with other Certificate Stores is to drag and drop the certificate into the Personal Store and then set permissions and then drag and drop back to the original certificate store. In your case the Trusted Root Certification Authorities.

Steps using Certificates MMC:

  1. Import certificate to the store you want it and mark keys as exportable. (You might be able to bypass this and import directly to the Personal Store, but I haven't tried.)
  2. Drag and drop the imported cert to the Personal Store.
  3. Right click the certificate in the Personal Store and in the context menu, click "All Tasks", then in the submenu click on "Manage Private Keys". Set the appropriate permissions according to your app pool as referenced in step 1.
  4. After permissions have been set, drag and drop the certificate back to the original store (in your case the Trusted Root Certification Authorities).

Related questions

How can I use a local SMTP server when developing on Windows 7?

How can I get SMTP to work on a Windows 7 development box? I used to just be able to turn on the IIS SMTP server on Windows XP. Is SMTP not included with Windows 7? If so, what can I use …

Read More
How do I create client certificates for local testing of two-way authentication over SSL?

I'm trying to set-up two-way authentication on a web app running on IIS7. The clients are going to mostly be mobile devices and in the first instance I'm trying to get a demo running using a 3rd generation iPad. I …

Read More
How do I get a HTML5 Video to work using IE10

I am hoping someone has an idea on what I can do to help me play HTML5 videos on my local intranet. My Web server= Windows Server 2008 R2 Standard 64bit IIS version= IIS7 Test User environment = Windows 7 Enterprise Video plays …

Read More