Hi,

I have to make a connection to an XMLRPC site from a web application, which uses an X.509 certificate for authentication. Here on my development machine (Vista), I have the keys installed under my User and it's in my Personal certificates storage; if I run my code, it works well (loading the key from a file):

 X509Certificate clientcert = new X509Certificate(this.certFile, this.password);
 request.ClientCertificates.Add(clientcert);

But I need to install this application on a Windows 2008 Web Server, and I failed to find out how to make it use this certificate file.

I thought I need to import all corresponding "parent" keys, so I did. I tried importing all of them to the Trusted Root certificates store, but no luck: it still says it's not OK.

Should I use an impersonated account, and give it all the certificates? Should IIS7 be configured somehow to work with this user/cert store?

A: 

I believe there are two certificate stores that IIS would have access to: the machine store, and its services store. In mmc.exe, open the Certificates snap-in, and connect to the local computer's store. In Personal\Certificates, you should find the server certificate. Try placing your certificate and private key next to it. Alternatively, connect to the service's store (World Wide Web Publishing Service), and place the certificate there into Personal.

Martin v. Löwis
Thank you, I've tried, but still no luck :(
balint
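
The answer above suggests placing the certificate and private key in the local computer's Personal store. As an added example (not code from the original posts), this is one way the application could read it from there instead of from a file and fail with a clear message when the certificate or its key is missing. The class and method names are hypothetical, and the thumbprint and URL are placeholders supplied by the caller.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, written for this example only.
static class ClientCertLoader
{
    // Looks up a client certificate in LocalMachine\Personal by thumbprint.
    public static X509Certificate2 FromMachineStore(string thumbprint)
    {
        // Thumbprints copied from the certificate dialog often contain spaces.
        string normalized = thumbprint.Replace(" ", "").ToUpperInvariant();

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false: a chain or trust problem should not hide the
            // certificate here; it is better diagnosed separately.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, normalized, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Certificate not found in LocalMachine\\My.");

            X509Certificate2 cert = found[0];
            // HasPrivateKey only reports that a key is associated with the
            // certificate; the identity the web application runs as still
            // needs read permission on that key.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate found, but no private key is attached.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Builds the request with the client certificate from the machine store.
    public static HttpWebRequest CreateRequest(string url, string thumbprint)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(FromMachineStore(thumbprint));
        return request;
    }
}
```

Separating the "not found" and "no private key" errors shows which part of the import went wrong on the server.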
A: 

The only solution was to

1) Import the root key into LOCAL_MACHINE\Root Certificates store

2) Import the root key into (your user)\Root Certificates store

3) In the ASP.NET code, use impersonation like:

<identity impersonate="true" userName="(your user)" password="(your password)" />

For some reason, although all of IIS7's processes are running under the NT_AUTHORITY\NETWORK user, installing the certificate to the NETWORK user's store has no use whatsoever.

balint