tags:

views:

611

answers:

2
Q: 

X509 Public Cert and Permissions

I’ve got an issue with loading a particular X509 certificate within an ASP.NET application (i.e. not through IIS for https). I’ve loaded it into my ‘Personal’ and ‘Trusted Root’ stores on my local machine (through the MMC snap in) but can’t load it from either store.

It seems the NETWORK SERVICE account doesn’t have permissions to read/load it because when I change the app pools identity to a user with administration rights I can find, load and use the cert.

It’s only a public cert, so unlike a cert with a private key, I can’t see anywhere to set permissions on it.

It’s odd because I haven’t had this problem with public certs in this application previously. The only difference I can see to this public cert and previous public certs (which loaded fine) is that this particular public cert has be signed by Verisign and therefore has a certification chain with a couple of other verisign certs.

Thanks in advance,
Charles

FYI, My dev enviroment is just my Vista Business machine with IIS7.

+1  A: 

It's been a while, but I seem to recall having had permission-related certificate issues that I solved by importing the cert into a physical store (click the "Show physical stores" check box when installing your certificate).

Alternatively, you could take a look with FileMon or ProcMon and check for Access Denieds for NETWORK SERVICE. This MSDN page lists the locations of the stores on disk.

Still remains a vague answer, but hopefully this eventually leads to a solution...

Arnout  2008-12-03 19:49:00
Ok... So now I've clicked 'show physical stores' there is a 'Registry' folder under 'Personal' and under 'Trusted Root Certification Authorities' there are 'Registry', 'Local Computer', and 'Smart Card' folders. Any idea where to go from there?
Charlino  2008-12-03 19:55:46
Sorry, like I said, it's been a while... I've added an alternative troubleshooting approach to my "answer", though.
Arnout  2008-12-04 16:41:28
A: 

Couple different thoughts. I'm a little confused by how you are using the term "cert with a private key" and what you mean by "use the cert" after you have tried to access it with admin rights. I'm guessing that you are trying to do one of the following:

  • get a copy of the certificate and do something like verify it, or use it to encrypt something.

  • get a copy of the certificate and the private key, and use it to do something like sign something.

So... if it's #1, my first bet is that the settings for the certificate have messed up something in the ASP.NET protocols. Verisign would have configured the profile used to generate and sign the certificate in a specific way. This would give the certificate settings that you can't change that might interfere with uploading the certificate. I would check the certificate that gives you problems against the certificates that don't have any problems and see how the extensions on the certificates vary. You can do this through the IE certificate preview pane in the client. Check into any different settings that you find online - there are usually published reports about Microsoft integration issues.

Sadly, if you find a problem, you have to go back to Versign and get a new certificate signed with the correct extensions. If you have a corporate account, ask to talk to their upper tier support, they should be clueful enough to help you find a certificate profile that will work for your tools.

If it's #2 - you may have made the private key for the certificate non-exportable. I'm assuming you're using a software certificate and you uploaded a PKCS12 or other certificate storage file into the browser. At that time, it would have asked if you wanted to be able to export the private key. If you said no (left the box unchecked), then the private key won't leave the browser.

If you have the original certificate/private key storage file around, the answer is painless - delete the cert from your personal certificate store, and reupload it. Be sure to check the exportable box.

bethlakshmi  2008-12-31 00:51:08
Bit late but... I was trying to use the cert to verify something that had been signed.It was a SAML2 implementation where the public cert I had given to me had previously worked fine for a number of different vendors. I ended up reading/loading the cert in from the Identity Providers metadata.
Charlino  2009-03-16 04:40:35

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps