I’ve got an issue with loading a particular X509 certificate within an ASP.NET application (i.e. not through IIS for https). I’ve loaded it into my ‘Personal’ and ‘Trusted Root’ stores on my local machine (through the MMC snap-in) but can’t load it from either store.

It seems the NETWORK SERVICE account doesn’t have permissions to read/load it, because when I change the app pool’s identity to a user with administration rights I can find, load and use the cert.

It’s only a public cert, so unlike a cert with a private key, I can’t see anywhere to set permissions on it.

It’s odd because I haven’t had this problem with public certs in this application previously. The only difference I can see between this public cert and previous public certs (which loaded fine) is that this particular public cert has been signed by Verisign and therefore has a certification chain with a couple of other Verisign certs.

Thanks in advance,
Charles

FYI, my dev environment is just my Vista Business machine with IIS7.

+1  A: 

It's been a while, but I seem to recall having had permission-related certificate issues that I solved by importing the cert into a physical store (click the "Show physical stores" check box when installing your certificate).

Alternatively, you could take a look with FileMon or ProcMon and check for Access Denieds for NETWORK SERVICE. This MSDN page lists the locations of the stores on disk.

Still remains a vague answer, but hopefully this eventually leads to a solution...

Arnout
Ok... So now I've clicked 'show physical stores' there is a 'Registry' folder under 'Personal' and under 'Trusted Root Certification Authorities' there are 'Registry', 'Local Computer', and 'Smart Card' folders. Any idea where to go from there?
Charlino
Sorry, like I said, it's been a while... I've added an alternative troubleshooting approach to my "answer", though.
Arnout
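As an added diagnostic to go with Arnout's ProcMon suggestion (this is not code from either answer): a small C# probe to run from inside the ASP.NET app, so it executes under the app pool identity rather than the interactive admin login. It opens each store location and name, looks the certificate up by thumbprint, and reports whether it is visible, whether a private key is attached, and whether the chain builds under that identity. `Thumbprint` is a placeholder to replace with the problem certificate's value. Note that `StoreLocation.CurrentUser` under NETWORK SERVICE is that service account's own profile, not the profile the MMC snap-in was run in.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class CertStoreProbe
{
    // Placeholder: paste the thumbprint from the certificate's Details tab, spaces removed.
    const string Thumbprint = "REPLACE_WITH_THUMBPRINT";

    public static string Probe()
    {
        var report = new StringBuilder();
        report.AppendLine("Running as: " + Environment.UserName);
        foreach (StoreLocation location in new[] { StoreLocation.LocalMachine, StoreLocation.CurrentUser })
        foreach (StoreName name in new[] { StoreName.My, StoreName.Root, StoreName.CertificateAuthority })
        {
            var store = new X509Store(name, location);
            try
            {
                // ReadOnly is all verification needs; OpenExistingOnly avoids creating a store by probing.
                store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
                // validOnly must be false here: with true, Find silently drops any certificate
                // whose chain does not validate, which hides exactly the case being debugged.
                var hits = store.Certificates.Find(X509FindType.FindByThumbprint, Thumbprint, false);
                report.AppendLine(location + "\\" + name + ": " + hits.Count + " match(es)");
                foreach (X509Certificate2 cert in hits)
                {
                    // A public-only certificate reports HasPrivateKey == false; that is expected
                    // for signature verification and is not an access problem.
                    report.AppendLine("  subject=" + cert.Subject + " hasPrivateKey=" + cert.HasPrivateKey);
                    var chain = new X509Chain();
                    // NoCheck isolates chain building from network access the service account may lack.
                    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                    bool built = chain.Build(cert);
                    report.AppendLine("  chain built=" + built + " elements=" + chain.ChainElements.Count);
                    foreach (X509ChainStatus s in chain.ChainStatus)
                        report.AppendLine("  chain status: " + s.Status + " " + s.StatusInformation);
                }
            }
            catch (CryptographicException ex)
            {
                // Access denied or a missing store surfaces here instead of as an empty result.
                report.AppendLine(location + "\\" + name + ": cannot open (" + ex.Message + ")");
            }
            finally { store.Close(); }
        }
        return report.ToString();
    }
}
```

Comparing the output from this probe with the output from the same page run under the admin app pool identity shows directly which store the certificate disappears from, or whether it is found but its chain fails to build.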
A: 

Couple different thoughts. I'm a little confused by how you are using the term "cert with a private key" and what you mean by "use the cert" after you have tried to access it with admin rights. I'm guessing that you are trying to do one of the following:

  • get a copy of the certificate and do something like verify it, or use it to encrypt something.

  • get a copy of the certificate and the private key, and use it to do something like sign something.

So... if it's #1, my first bet is that the settings for the certificate have messed up something in the ASP.NET protocols. Verisign would have configured the profile used to generate and sign the certificate in a specific way. This would give the certificate settings that you can't change that might interfere with uploading the certificate. I would check the certificate that gives you problems against the certificates that don't have any problems and see how the extensions on the certificates vary. You can do this through the IE certificate preview pane in the client. Check into any different settings that you find online - there are usually published reports about Microsoft integration issues.

Sadly, if you find a problem, you have to go back to Verisign and get a new certificate signed with the correct extensions. If you have a corporate account, ask to talk to their upper tier support; they should be clueful enough to help you find a certificate profile that will work for your tools.

If it's #2 - you may have made the private key for the certificate non-exportable. I'm assuming you're using a software certificate and you uploaded a PKCS12 or other certificate storage file into the browser. At that time, it would have asked if you wanted to be able to export the private key. If you said no (left the box unchecked), then the private key won't leave the browser.

If you have the original certificate/private key storage file around, the answer is painless - delete the cert from your personal certificate store, and reupload it. Be sure to check the exportable box.

bethlakshmi
Bit late but... I was trying to use the cert to verify something that had been signed. It was a SAML2 implementation where the public cert I had been given had previously worked fine for a number of different vendors. I ended up reading/loading the cert in from the Identity Provider's metadata.
Charlino