
ASP.net permissions to root certificate store

Is it possible to give asp.net read permission to the certificate store?

If yes, how?

If no... do I need to set the permission manually per certificate file?

If yes, where are these files physically on the HDD?

JL. asked Aug 13 '09 11:08



1 Answer

Generally you give permissions to A certificate. I use a method like this to find the custom made cert and grant permissions. If you are using a cert issued by a public entity like Verisign, Thawte, etc, this is probably unnecessary.

FindPrivateKey.exe My LocalMachine -n "CN=<certificate issuer>"

...will find certificates on the local machine in the personal store for a particular issuer.

Note: If FindPrivateKey is not on your local machine, download the WCF samples, including the FindPrivateKey tool, at http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21459

FindPrivateKey returns the location of the private key for the certificate, similar to

"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030".

Run the following command line to assign read-only access permissions to the process identity of the ASP.NET/WCF Service:

cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\4d657b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" /E /G "NT AUTHORITY\NETWORK SERVICE":R 

NOTE: If you are running Microsoft Windows® XP, give the certificate permissions for the ASPNET identity instead of the NT Authority\Network Service identity, because the IIS process runs under the ASPNET account in Windows XP.

Certificates are viewable from the MMC snap-in for Certificates. Open MMC, choose File --> Add/Remove Snap-in, click the Add button and choose Certificates. From here you will need to choose the appropriate store (usually Computer Account - Local Computer for ASP.NET items) to manage and then you can view/admin the certs.

Please take a good hard look at the different command line options, and make sure that you have a clear understanding of what certificates are and how they work before granting any permissions.

StingyJack answered Sep 17 '22 11:09
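
The same two steps from the answer above (locate the private key file, then grant read-only access to one identity) in PowerShell, as an added example that is not part of the original answer. It assumes Windows PowerShell 5.1 run elevated and a certificate in LocalMachine\My whose RSA key is held by a CSP (a file under Crypto\RSA\MachineKeys); the `$Thumbprint` and `$Identity` parameter names are chosen here for illustration.

```powershell
# Added example (not from the original answer). Run elevated in Windows PowerShell 5.1.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                                  # placeholder: your certificate's thumbprint
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'    # process identity used in the answer
)

# Local Computer "Personal" store, the store addressed by "My LocalMachine" in FindPrivateKey.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store."
}

# Assumption: the key lives in a CSP, so PrivateKey exposes CspKeyContainerInfo.
$containerInfo = $cert.PrivateKey.CspKeyContainerInfo
if (-not $containerInfo -or -not $containerInfo.MachineKeyStore) {
    throw 'Private key is not a CSP machine key (CNG keys are stored elsewhere).'
}

# On Vista and later, MachineKeys sits under %ProgramData% rather than the XP-era path.
$keyFile = Join-Path $env:ProgramData ("Microsoft\Crypto\RSA\MachineKeys\" + $containerInfo.UniqueKeyContainerName)
if (-not (Test-Path -LiteralPath $keyFile)) {
    throw "Key file not found: $keyFile"
}

# Grant Read only, to this one identity, on this one key file.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Show the resulting entries for that identity so the change can be reviewed.
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```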