WCF - It is likely that certificate ... may not have a private key that is capable of key exchange

Question

I am trying to facilitate encrypted SOAP messaging in my WCF service. In order to do this, I have to install and configure a certificate for production. When I use the existing machine certificate, everything works fine. But I don't want to use that certificate, so I created a new one that I got via the Active Directory Certificate Service using the "Web Server" template. When I implemented this certificate in the Web.config, now I receive this error message when attempting to view the WSDL:

Keyset does not exist. It is likely that certificate 'CN=myservice.mydomain.com, O=My Company, L=My City, S=My State' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.

I have seen plenty of help responses for this issue, but most of them just assume that I have a permissions issue, or that my cert is in the wrong store, or that my application pool is running under a different account.

Here is a summary of everything I have checked:

1. I have confirmed (using winhttpcertcfg and MMC) that my certs are in the same store (LOCAL_MACHINE\My) and they both have the same rights assignments.
2. I have confirmed my IIS app pool is running under the NETWORK SERVICE and even tried restarting the pool.
3. Both certificates are issued and signed by the same CA, which is in the Trusted Root CA store folder.
4. Both certificates show the Key Usage as "Digital Signature, Key Encipherment (a0)"

Is there something else I need to look at to ensure that my new cert is capable of key exchange?

Answer 1

After much turmoil and hair-pulling, I have finally solved my issue, and now I'm going to share it with you...

First of all, I determined that a lot of the advice on the web regarding this subject is outdated. In my environment at least (IIS 7 and Windows 2008) the web CA interface /certsrv is no longer necessary, and neither is winhttpcertcfg. Both are replaced by the MMC.

In the end, what I had to do was:

1. Use Certificate Templates Console to install a new certificate template on my CA
   • Duplicate the existing Web Server template
   • Make sure to use Windows Server 2003 version (because 2008 causes "invalid provider type specified" errors)
   • Mark the private key as exportable (still not entirely sure why/if this was necessary but many posts recommended this)
   • Give "Domain Computers" and "Authenticated Users" the "Enroll" right under the Security tab
2. Use Certification Authority to "Issue" the new certificate template
3. Using the Certificates snap-in in the MMC on the web server, request the new certificate
   • From the Personal\Certificates folder, right click, and choose All Tasks -> Request New Certificate. This is a nice simple alternative to the /certsrv web CA interface.
   • Make sure to specify the Common Name field when prompted for additional info.
4. Grant rights for the NETWORK SERVICE to the new certificate by right clicking the cert and choosing All Tasks -> Manage Private Keys. (This was a nice simple alternative to using winhttpcertcfg)

I did not find any one article or blog post that provided all this information in one place, I had to cobble it together from six or seven different recommended solutions. Hopefully this serves to save someone else from the headaches I have endured.