 

Certificate private key throws CryptographicException under IIS Web Server

In my ASP.NET application I'm loading a certificate from the certificate store:

var myCert = CertificateUtils.GetCertificate("thumbprint");

This certificate contains a key pair which is used to decrypt the encrypted application settings.

The certificate is installed in the Personal certificate store under Local Computer. It works well when the application is running under IIS Express. But if I execute it under the full IIS Web Server, the myCert instance is missing the private key.

The PrivateKey field of myCert object contains an exception:

'myCert.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'

I have checked that other fields of myCert object contain same values (like, for example, certificate serial number, thumbprint or expiration), so it seems it's getting the same certificate under both IIS and IIS Express. Only the private key is missing in the case of full IIS.

The only thing I have changed was the Local Development Server in the project's properties ("Use IIS Express" / "Use IIS Web Server"). It's running inside the Azure Emulator Express in both cases.

Does anyone have an idea why this is happening?

David Ferenczy Rogožan asked Oct 07 '15 21:10


2 Answers

Running on IIS Express, the program uses your credentials to access the certificate, while on IIS the pool identity's credentials are used. You can easily check the certificate ACL to see who is allowed or not.

Follow these steps:

  1. Check what Application Pool your web site uses

    Open Internet Information Services Manager, select Sites in the Connections tree on the left. Select your site in the middle panel and click Basic settings under Actions on the right panel.

  2. Check what identity the Application Pool uses

    Select Application Pools in the Connections tree on the left and find the identity in the middle panel. It'll probably be "NETWORK SERVICE".

  3. Add read permissions for the identity used by Application Pool to your certificate

    Open the Microsoft Management Console (mmc), add the Certificates snap-in for the local Computer account and find your certificate under Personal certificates. Open its context menu, All Tasks and Manage Private Keys.... Click Add..., enter the identity ("NETWORK SERVICE") and click Check Names and OK. Under Permissions for, allow only the Read permission.

    You can read details in this question: How to give ASP.NET access to a private key in a certificate in the certificate store?

Lex Li answered Nov 10 '22 16:11


I was having this problem when debugging the application ("'.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'"). I solved it like this:

In mmc > Local Computer > Personal > Certificates > right-click the certificate > All Tasks > Manage Private Keys: add the "Everyone" user and select Full Control.

Tamar answered Nov 10 '22 17:11
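The same fix as a script, added here as an example and not taken from either answer: it performs the three steps of the first answer (find the pool, find its identity, grant access to the private key) and grants only Read to only that identity, which is the least-privilege alternative to the Everyone / Full Control grant in the second answer. It is the same ACL change that the MMC "Manage Private Keys..." dialog makes, applied to the key container file on disk. Assumptions: the thumbprint and pool name are placeholders; the script runs from an elevated PowerShell prompt on the IIS host with the WebAdministration module (installed with IIS management tools); the key is a software key (CAPI or CNG) in the machine store rather than on an HSM or TPM provider, which would have no file to ACL.

```powershell
# Added example (not the original answers' code): grant an IIS application pool
# identity Read access to a certificate's private key in LocalMachine\My.
# Placeholders: replace the thumbprint and pool name with your own. Run elevated.
param(
    [string]$Thumbprint  = 'PUT-THUMBPRINT-HERE',   # placeholder
    [string]$AppPoolName = 'DefaultAppPool'         # placeholder
)

# 1. Find the certificate in Local Computer / Personal and confirm a private key exists.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)  { throw "Certificate $Thumbprint has no private key in this store" }

# 2. Resolve the account the application pool runs as (answer step 2, without the GUI).
Import-Module WebAdministration
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
switch ($pool.processModel.identityType) {
    'ApplicationPoolIdentity' { $account = "IIS AppPool\$AppPoolName" }
    'NetworkService'          { $account = 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { $account = 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { $account = 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $account = $pool.processModel.userName }
    default { throw "Unexpected identity type '$($pool.processModel.identityType)'" }
}
Write-Host "Pool '$AppPoolName' runs as '$account'"

# 3. Locate the key container file. CAPI (RSACryptoServiceProvider) keys live under
#    ProgramData\Microsoft\Crypto\RSA\MachineKeys, CNG keys under ProgramData\Microsoft\Crypto\Keys.
#    This step itself needs key access, which is why it is run as an administrator.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch {
    throw "Cannot open the private key as the current user: $($_.Exception.Message)"
}
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName                         # CNG key file name
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName  # CAPI key file name
} else {
    throw "Key type $($rsa.GetType().Name) is not a software key; no file to ACL"
}
$keyRoots = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
              "$env:ProgramData\Microsoft\Crypto\Keys")
$keyFile  = Get-ChildItem -Path $keyRoots -Filter $uniqueName -File -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file '$uniqueName' not found under the machine key directories" }

# 4. Grant Read only, to the pool identity only (answer step 3). No Everyone, no Full Control.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 5. Print the resulting ACL so an overly broad grant (e.g. Everyone) would be visible.
(Get-Acl -Path $keyFile.FullName).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

After running it, recycle the application pool and load the page again; the `PrivateKey` property should now resolve under full IIS as it already did under IIS Express. If step 5 shows an existing Everyone or Full Control entry left over from an earlier quick fix, remove it with `$acl.RemoveAccessRule(...)` and `Set-Acl` in the same way, since anyone who can run code on the box would otherwise be able to read the key that protects the application settings.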