User account has no access to private key of Client certificate
I have a scenario where I am using a certificate in my code to trigger an action. After importing the certificate to my local machine and running the C# code, it throws a private key access error: 'User account has no access to private key of Client certificate'. Any pointer that can resolve the issue or help me debug through it?

What I did: Run - certlm.msc Personal - certificates - all tasks - import - Local machine - browse my .cer file

What I tried to resolve it (but could not): Run - certlm.msc Personal - certificates - My certificate - right click - all tasks - manage private key - add "Network Service" with full control. I tried to add my mail id or username, but it did not allow me to add them.

Error: System.InvalidOperationException: 'User account has no access to private key of Client certificate'

Config:

<system.serviceModel>
        <behaviors>
            <endpointBehaviors>
                <behavior name="ClientBehavior">
                    <clientCredentials>
                        <clientCertificate findValue="xxxx-correct thumbprint-xxxxxxx" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />  
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
</system.serviceModel>
Rubstone answered 22/9, 2022 at 20:53 Comment(6)
A certificate gets loaded in the registry under both machine and user. Looks like you are looking for certificate in location LocalMachine. See learn.microsoft.com/en-us/windows/win32/seccrypto/…Halflight
Do you mean, you want me to try changing storeLocation="LocalMachine" storeName="My" to something else?Rubstone
Where is the private key?Sinaloa
Yes. If you are not running As Admin you cannot read certificate on the machine.Halflight
@jdweng, I am running visual studio in admin mode and I am seeing the private key access issue.Rubstone
#40047416Dynamiter
0

After weeks of struggle, I was able to find the resolution for the issue. I was running Visual Studio as administrator, but after a few trials I tried running Visual Studio as a specific user (shift + right click on the Visual Studio shortcut), entered my credentials and opened Visual Studio. The issue is resolved by opening Visual Studio as a specific user with my credentials.

Rubstone answered 13/10, 2022 at 22:26 Comment(0)
6

There may be several reasons why the problem occurs.

You can try:

Add the user account to the local machine's certificate store. To add a user account to the local machine certificate store, you use the command: certutil -user -addstore "My" "C:\Users\username\Documents\certificates\client.pfx"

To import the certificate, you can use the following command: certutil -user -importpfx "C:\Users\username\Downloads\cert.pfx"

Add the user account to the certificate's private key access control list (ACL). You can do this by running the following command in an elevated command prompt: certutil -user -setreg. For example, if your certificate's thumbprint is 1234567890ABCDEF and your user account is MyUser, you would run the following command: certutil -user -setreg 1234567890ABCDEF MyUser.

You can find the thumbprint of your certificate by running the following command in an elevated command prompt, in this command the Thumbprint is called the "Cert Hash": certutil -store my .

You can find the user account by running the following command in an elevated command prompt: whoami /user .

And finally, you can try using code to import the certificate into the local machine store. Example:

using System.Security.Cryptography.X509Certificates;

// Imports a certificate file (a .pfx when a private key is needed) into LocalMachine\My.
// MachineKeySet stores the key under the machine key container; PersistKeySet keeps it
// on disk after the X509Certificate2 object is disposed. Without PersistKeySet the store
// ends up with a certificate whose private key is gone. Pass the export password for a
// .pfx (use an empty string if none was set).
public static void ImportCertificate(string certificatePath, string password = null)
{
    X509Certificate2 certificate = new X509Certificate2(certificatePath, password,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
    using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadWrite);
        store.Add(certificate);
    }
}

Please let me know if any option worked.

Canst answered 25/9, 2022 at 23:37 Comment(4)
Thanks for the very useful information. However, both certutil commands you suggested result in the same error. I double-checked the pfx path (C:/mycert.pfx) and elevated mode. Any suggestions? My "Personal" CertUtil: -addstore command FAILED: 0x80092009 (-2146885623 CRYPT_E_NO_MATCH) CertUtil: Cannot find the requested object. CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND) CertUtil: The system cannot find the file specified.Rubstone
The ImportCertificate method requires the password used for the pfx through code. That method also threw an error where it cannot find the password for the pfx file.Rubstone
The password is the password you used to export the certificate. If you did not set a password, you can try to use an empty string as the password.Canst
I think you should check the certificate path. You can use the following command to check the certificate path: certutil -store my . And then you can use the following command to import the certificate: certutil -user -importpfx "C:\Users\username\Downloads\cert.pfx" . If you still have problems, you can try to use the following command to import the certificate: certutil -user -importpfx "C:\Users\username\Downloads\cert.pfx" -p password .Canst
2

I think you were in the right location when you added the permissions for Network Service. However, as your application is probably not running as Network Service while debugging, you'll need to add your current account with permissions as well.

To figure out what your username is, you can use whoami in a cmd window. Alternatively, in the window where you entered NETWORK SERVICE to give it more permissions, there should be an Advanced... button that will let you search the computer or domain for accounts. If you put in no search value it will list all accounts; there you can select your user account and give it full control.

Ellinger answered 2/10, 2022 at 10:4 Comment(2)
My user account is not found in the list. I am local admin but my user name is not found. I tried adding administrator but no luck.Rubstone
I'm assuming you are using an AD account then. Then you can change the search scope to the domain and you should be able to find it.Ellinger
2

How to Grant permission to user on Certificate private key using powershell?

This is also a good way to do it, pretty much wrapped up in PowerShell.

Boner answered 2/10, 2022 at 20:23 Comment(0)
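The grant that the two answers above describe (Manage Private Keys, then add the account that the process actually runs as), scripted so it can be verified. This is an added example, not code from the question, the answers or the linked page; it assumes the certificate sits in LocalMachine\My and takes the thumbprint and the account name (as printed by whoami) as parameters. Run it from an elevated PowerShell.

```powershell
# Added example: grant one account read access to a LocalMachine\My private key.
# $Thumbprint and $Account are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint from the WCF config
    [Parameter(Mandatory)][string]$Account       # e.g. "DOMAIN\user" from whoami
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key in this store: import the .pfx, not the .cer"
}

# Locate the key file. CNG keys (Software Key Storage Provider) expose CngKey.UniqueName;
# legacy CSP keys expose the CAPI container name. The file is in one of two folders,
# so the unique name is checked in both.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
              else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys",
             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys") |
    ForEach-Object { Join-Path $_ $uniqueName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$uniqueName' not found under ProgramData\Microsoft\Crypto" }

# Read is all a client needs to sign with the key; Full Control is not required.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Print the resulting ACL so the grant can be confirmed before re-running the client.
(Get-Acl -Path $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the account lookup fails with an identity-mapping error, the account string is not resolvable on this machine, which matches the "user not found" symptom in the comments above.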
