Before anyone flags this as duplicate from the other barrel full of questions about WCF, I don't want MSDN links and blog article references. I can Google for myself, and have been at this for 3 days, so if all you have are Google links, please abstain.

I'm having a heck of a time with an IIS hosted WCF service using wsHttpBinding and a custom password authenticator. IIS is working fine for my standard ASPX and WCF non-secure services (using wsHttpBinding with security mode="None"), but trying security mode="Message" or "Transport" requires an SSL certificate in the mix. I am to the point that I'm getting this error: "The certificate 'CN=SignedByCA' must have a private key that is capable of key exchange. The process must have access rights for the private key."

By my research, either the service hosting my WCF service cannot access the private key file of my certificate, or I didn't generate the certificate correctly.

I generated the keys using:

  makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
  makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

I then imported the TempCA cert into my Trusted Root Certification Authorities store, and I imported SignedByCA.cer into the "Personal" store of the Local Computer. WCF can now see the certificate, but the above error indicates either a permissions problem or a key problem. I tried importing the cert into IIS Admin Service's Personal store as well, no luck.

By the way, I've added this to my web.config for the service:

    <serviceCertificate
        findValue="...."
        x509FindType="FindByThumbprint"
        storeLocation="LocalMachine"
        storeName="My"
        />

I get the error from my client project when I add / update the service reference.

From my research, on Windows 7 I should be able to use the Certificate Manager, right click on the certificate in the MMC snap-in and choose All Tasks -> Manage Private Key... or some such. When I right click the certificate, I do not see that option; I only have these options under All Tasks: [Open, Request Certificate With New Key, Renew Certificate With New Key, Export...]. This leads me to believe it is a cert problem and not a priv problem.

Thanks in advance.

A: 

After regenerating a .PFX file (PKCS #12 certificate) per http://msdn.microsoft.com/en-us/library/ms867088.aspx (create a .spc file with cert2spc.exe and a .pfx file with pvk2pfx.exe) and loading the .pfx file into the certificate store, the "Manage Private Key" option is exposed. The original problem was following the MSDN instructions blindly and using a .CER public certificate file, which was not adequate for key exchange. The .PFX file does the trick. Now I'm able to add permissions for users / services to Read the key.

I also found that IIS7 on Windows 7 was not running under the normal documented identity "NETWORK SERVICE" or "LOCAL SERVICE" but was running under "ApplicationPoolIdentity". So after I switched the identity, that issue resolved (just another annoyance in getting WCF off the ground).

mrjoltcola
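The answer boils down to three separate conditions that the WCF error message lumps together: the store entry must carry a private key at all (a .cer import does not), that key must be an exchange key rather than a signature-only key, and the IIS worker identity must be able to read the key file on disk. The following PowerShell script is an added diagnostic, not code from either post; it takes the thumbprint from `findValue`, checks all three conditions for the certificate in LocalMachine\My, and only changes the key file's ACL when `-GrantRead` is passed. The pool name `DefaultAppPool` and the use of the `IIS AppPool\<name>` virtual account are assumptions for the ApplicationPoolIdentity case described in the answer.

```powershell
# Added diagnostic for "must have a private key that is capable of key exchange /
# process must have access rights for the private key" (not from the original posts).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # the findValue from web.config
    [string] $AppPoolName = 'DefaultAppPool',      # assumption: pool hosting the WCF site
    [switch] $GrantRead                            # change the ACL only when asked
)

$tp   = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
if (-not $cert) { throw "No certificate with thumbprint $tp in LocalMachine\My" }

# Condition 1: a .cer import gives a public key only; HasPrivateKey is then $false.
$hasKey = $cert.HasPrivateKey

# Condition 2: CAPI keys created by makecert report KeyNumber Exchange or Signature.
# WCF message/transport security needs an Exchange (key exchange) key.
$keySpec = 'Unknown'; $keyName = $null
try {
    $csp = $cert.PrivateKey.CspKeyContainerInfo          # CAPI (makecert) keys
    if ($csp) { $keySpec = $csp.KeyNumber; $keyName = $csp.UniqueKeyContainerName }
} catch { }
if (-not $keyName) {
    try {                                                  # CNG keys expose the name differently
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -and $rsa.Key) { $keyName = $rsa.Key.UniqueName; $keySpec = 'CNG' }
    } catch { }
}

# Condition 3: the key file under ProgramData must be readable by the worker identity.
$keyFile = $null; $poolCanRead = $false
if ($keyName) {
    $candidates = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
                    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName")
    $keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
}
if ($keyFile) {
    $identity = "IIS AppPool\$AppPoolName"
    $acl = Get-Acl -Path $keyFile
    $poolCanRead = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) })
    if ($GrantRead -and -not $poolCanRead) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
        $acl.AddAccessRule($rule); Set-Acl -Path $keyFile -AclObject $acl; $poolCanRead = $true
    }
}

[pscustomobject]@{ Subject = $cert.Subject; HasPrivateKey = $hasKey; KeySpec = $keySpec
                   KeyFile = $keyFile; AppPoolCanRead = $poolCanRead }
```

Run it from an elevated prompt; `HasPrivateKey = False` reproduces the asker's original .cer-only state, `KeySpec = Signature` means the key was generated for signing only, and `AppPoolCanRead = False` is the permissions half of the error the answer fixed by switching the pool identity.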