X509Certificate - Keyset does not exist

Question

I have a WinForms application that consumes a WCF, and pass as a parameter to a function a certificate:

mySvcClient.SendDocument(cert.Export(X509ContentType.SerializedCert, "password")); ... 

In WCF service, I recreated the certificate from the array of bytes:

public void SendDocument (byte[] binaryCert) {         X509Certificate2 cert = new X509Certificate2(binaryCert, "password"); ... 

But when using the certificate to sign a xml, I got the error "Keyset does not exist":

if (cert.HasPrivateKey) // WORKS!!! {        signedXml.SigningKey = cert.PrivateKey; // THROW "keyset does not exist" EXCEPTION ... 

In my computer, the application works 100%! But in the WebServer, I got this error!

The question is: even X509Certificate2 recreated from an array of bytes, I need some special permission to access private key?

Thank you!

Answer 1

If you are using windows server 2008 or windows 7, then you need the permission to read private key.

1. use FindPrivateKey tool to find path. For example:

FindPrivateKey My LocalMachine -n "CN=MyCert" –a

it returns the path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys[File Name]

2. Go to that path and open file properties

3. Go to security tab

4. Click on "Edit" then "Add"

5. In opened dialog write: IIS AppPool\[your application pool name] and click OK

Now your application pool has permission to read this private key.

Answer 2

I have faced this issue, my certificates where having private key but i was getting this error("Keyset does not exist")

Cause: Your web site is running under "Network services" account or having less privileges.

Solution: Change Application pool identity to "Local System", reset IIS and check again. If it starts working it is permission/Less privilege issue, you can impersonate then using other accounts too.