winhttpcertcfg giving access to IIS user in Windows 7

Question

I need to give access to the IIS user to a pfx certificate. The website is running under the App Pool under some user AppPoolUser. IIS automatically has the user name "IIS APPPOOL\AppPoolUser" and this is what we need to give access when we use aspnet_regiis -ga .

However, when i use winhttpcertcfg to give access to the user "IIS APPPOOL\AppPoolUser", it says "No account information was found".

The command I use is

winhttpcertcfg -i <filename> -c <certificateLocation> - g -a <account name>

Didn't find any samples for this over the web. Any ideas?

Answer 1

I know it's an old question, but I just had the same problem yesterday so I though I'd answer.

I had the same problem but with a certificate located in the LocalMachine -> TrustedPeople store...

You have to use icacls instead of WinHttpCertCfg, taken from this link.

Basically, it should look like this:

ICACLS <filename> /grant "IIS AppPool\DefaultAppPool":R

For the sake of completion, here how I needed to do it to access the "Trusted People" store. Taken in part from this link.

1. Use the FindPrivateKey tool from Microsoft to locate the actual file for the cert in the store. This tool must be compiled from the source code in .\WF_WCF_Samples\WCF\Setup\FindPrivateKey\CS from the Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4 download.

   FindPrivateKey.exe TrustedPeople LocalMachine -t "<thumbprint of the SSL cert>"
   

2. Use icacls on the file given by FindPrivateKey.

   icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<path to certificate> /grant "IIS AppPool\<your AppPool name>":R
   

Voilà!