I'm developing a WCF service with Transport Security hosted on IIS 7.5 under Windows 2008R2. I have a certificate, generated in IIS 7.5, which is stored in Local folder.
When I use BasicHttpBinding or WSHttpBinding with Transport Security, everything works fine. But when I change it to NetTcp I get an exception:
CryptographicException 'Keyset does not exist'.
After a bit of googling I found out that the problem can be because my NETSERVICE IIS account doesn't have permission to the private key of my certificate.
The solution could be to set the access rights in MMC by right-clicking on my certificate and selecting the "MANAGE PRIVATE KEYS" option. But there is no such option in the select menu!!! The certificate was created under the administrator account and when I open it, it says that it has a private key. What am I doing wrong?
To manage private keys in Windows Server 2008:
Create a Microsoft Management Console (MMC) with the Certificates snap-in that targets the Local Machine certificate store. Expand the MMC and select Manage Private Keys. On the Security tab, add the Network Service account with Read access.
A missing private key could mean: The certificate is not being installed on the same server that generated the CSR. The pending request was deleted from IIS. The certificate was installed through the Certificate Import Wizard rather than through IIS.
In Windows 10 1809, it seems that the Manage Private Keys option is available only to certificates in the Personal store. The workaround is to drag and drop the certificate there, add permissions as needed and drag it back to where you need it.
Assign the existing private key to a new certificate:
Sign in to the computer that issued the certificate request by using an account that has administrative permissions. Select Start, select Run, type mmc, and then select OK. On the File menu, select Add/Remove Snap-in. In the Add/Remove Snap-in dialog box, select Add.
Go to server -> click Start -> Run -> type mmc -> enter -> select Certificates snap-in with Local Computer option -> Go to Console Root-> Certificates-> Personal-> Certificates-> Select a cert-> Right click-> Go to All tasks-> Manage Private Keys-> Add permissions
Manage Private Keys option was missing when I first tried adding the certificates. Finally corrected it by following two steps.
Ran MMC as an administrator. File -> Add or remove Snap-ins -> Select Certificates -> Click on the Add button. This will open a dialog. "This snap-in will always manage certificates for": choose Computer account. "Select the computer you want this snap-in to manage": choose Local computer. Click Finish. Click OK.
When you import the certificates (All Tasks -> Import) into the Personal folder, make sure you are importing the .pfx file and NOT the .cer file.
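The permission change that the answers above make through MMC can also be scripted and verified. The following PowerShell is an added example, not code from the original posts. It assumes an RSA key stored on disk by a software provider, .NET Framework 4.6 or later, and an elevated prompt; the thumbprint is a value you supply.

```powershell
# Added example (not from the original answers). Run elevated.
param(
    [Parameter(Mandatory=$true)] [string] $Thumbprint,     # thumbprint of your certificate
    [string] $Account = 'NT AUTHORITY\NETWORK SERVICE'      # account named in the answers above
)

# Local Machine "Personal" store, the same one the MMC steps target.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# A certificate imported from a .cer file has no key attached, so there
# is nothing to grant access to (the "missing private key" case above).
if (-not $cert.HasPrivateKey) {
    throw "No private key for $Thumbprint in this store; import the .pfx, not the .cer."
}

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Certificate does not carry an RSA private key." }

# The on-disk file name differs by provider type (CNG vs. legacy CSP).
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine keys live in one of these two folders; search both rather than guess.
$dirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
)
$keyFile = Get-ChildItem -Path $dirs -Filter $keyName -Force -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found; the key may be in hardware or a user profile." }

# Grant Read only, which is all the service needs to use the key.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Show the resulting entries for the account so the change can be checked.
(Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```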