Login/Register
PrivateKey trust permissions for local machine "Trusted roots" certificates
Asked Answered
Solved windows-7iis-7certificatewindows-server-2008-r2private-key
G

3

7

I have a certificate that has to be imported into Certificates/Trusted Root Certification Authorities and has a corresponding private key.

To actually access the key from code you need to set private key permissions to grant full access to particular IIS application pool. I totally understand that but the problem is that this can only be set on personal certificates and not trusted root ones.

I've tried adding the same certificate to Personal store and the following code doesn't break:

X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

foreach (X509Certificate2 cert in store.Certificates)
{
    if (cert.HasPrivateKey)
    {
        // access private key here
    }
}

store.Close();

Setting permissions on certificate in personal store works if I change StoreName.Root to StoreName.My. I'm able to access it there. But I'm not able to access it in root. It just says:

Keyset does not exist

Any suggestions?

Additional information

If I set my application pools identity to Local System (which has total permissions over my machine) I can successfully access private key. So the main question is how do I set permissions on my application pool identity to have access to private keys for certificates in the Trusted Root store.

Why trusted root store and not personal?
I have a pre-built assembly that accesses this certificate in this particular store, so simply placing the certificate in Personal store won't do the trick for me. That's why setting trust permissions on private keys of trusted root certificates is imperative.

Griswold answered 14/5, 2012 at 9:4 Comment(0)
R
8

I haven't tried this with the Trusted Root Certification Authorities but what I have found is the simplest thing to do with other Certificate Stores is to drag and drop the certificate into the Personal Store and then set permissions and then drag and drop back to the original certificate store. In your case the Trusted Root Certification Authorities.

Steps using Certificates MMC:

  1. Import certificate to the store you want it and mark keys as exportable. (You might be able to bypass this and import directly to the Personal Store, but I haven't tried.)
  2. Drag and drop the imported cert to the Personal Store.
  3. Right click the certificate in the Personal Store and in the context menu, click "All Tasks", then in the submenu click on "Manage Private Keys". Set the appropriate permissions according to your app pool as referenced in step 1.
  4. After permissions have been set, drag and drop the certificate back to the original store (in your case the Trusted Root Certification Authorities).
Ruttish answered 15/5, 2012 at 4:24 Comment(6)
+1 This is a very interesting approach. And to confirm your process it works for the trusted root store as well. Drag, set, drag and you're done. Great!Griswold
@RobertKoritnik: so did that fix ur issue?Ruttish
Yes of course it does. I confirmed in previous comment. It works with Trusted Root store as well. Works. Simple.Griswold
in win2003 server I'm not getting the "Manage Private Keys" from the cert store for Personal/Certificates/<cert> as mentioned. anyone encounter this?Lyell
@Lyell - I'm assuming you're using Windows 2003? If so you need to use winhttpcertcfg.exe to give private key access to the NETWORK SERVICE account (or the account that needs permission). The above link in Step 3 is for Windows 2008 R2 (may work in R1 as well).Ruttish
@Ruttish - thanks, we installed "Microsoft WSE 2.0" and used the "X509 Certificate Tool" to locate the cert in the correct store, then we simply changed the permissions to the file. I'll create another answer for people looking for this solution.Lyell
G
4

Solution

It is possible to set trust permissions on certificates other than those in Personal certificate store, but you can't set permissions via MMC. At least not directly on the store that is. Accepted answer shows a simplified approach with moving certificates around to achieve the same result.

You have to do it this way...

Getting the tool

  1. Get WF_WCF_Samples file from Microsoft. This is a self extracting archive, but you won't need to extract everything. So...
  2. Open the file with any archiver tool and only extract FindPrivateKey solution/project
  3. Open in Visual Studio and compile it.

Finding your private key

  1. Open MMC and add Certificates snap-in. Make sure you select Computer and Local Machine when adding it.

  2. Select the store that has your certificate with private key.

  3. Open private key and copy its Thumbprint

  4. Open command prompt and navigate to the folder where you compiled your FindPrivateKey tool

  5. Enter this command

    FindPrivateKey YourStoreName LocalMachine -t "ThumbprintWithSpaces" -a
    ie.
    FindPrivateKey Root LocalMachine -t "83 45 22 ..." -a

  6. Copy file along with path (it will liekly span over two lines so copy to Notepad and concatenate)

Grant certificate trust

  1. open command prompt and enter:

    icacls "FullPathOfYourPrivateKey" /grant:r "UserFQDN":f
    ie.
    icacls "c:\ProgramData..." /grant:r "IIS AppPool\ASP.NET v4.0":f

  2. Done.

This will grant certificate private key full trust to your user (in my case above it's application pool identity) so you can use the key to sign data or do whatever you need to do with it.

In case you don't want full permissions, you can easily change the last part after colon. It can have many different settings, so I urge you to check icacls command help.

Griswold answered 14/5, 2012 at 15:19 Comment(4)
Browsing the certificates using the MMC my certificate is found @ Personal / Certificates. How can i found the proper value for YourStoreName?Paramatta
@ruionwriting: I don't understand your question. Can you please rephrase it?Griswold
What is the proper 'YourStoreName' for personal certificates?Paramatta
this is it, this is it! thanks Robert K. (re: solves issues for adding read permissions to win 2003 server for an IIS app. god bless the command-line)Lyell
L
3

If you are using Windows Server 2003, you'll notice that you don't get the Manage Private Keys task under your certificate.

If you install Microsoft WSE 2.0 on to your machine, you can use a tool called X509 Certificate Tool. Just search for your cert, its more than likely in (or should be) in Local Machine / Personal Store.

NOTE: if you have your cert in Current User / Personal Store (which often is the default), it will only be accessible to the user that is currently logged in, which means if you want your webserver to access it, it can't without changing permissions to your AppPool.

You should be able to change the permissions to the private key very easily, by default, your AppPool on your webserver will be using NETWORK SERVICE to run your web application. So just add NETWORK SERVICE to the security and by default it will set the Read and Read / Execute permissions which is sufficient for your BouncyCastle, etc, to read the private key so you can sign your document.

Hope this helps.

enter image description here

Lyell answered 26/9, 2012 at 14:12 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.