Hi

There are two projects in one VS solution: a client (WPF app) and a WCF service lib.
I'm using Message security and a custom AspNetMembershipProvider on the server side to validate username and password.
As I'm not using Windows security, I had to use a certificate on the server to establish a secure channel, and what I did:
- opened my local IIS Manager and added a self-signed certificate named like my dev machine.
- checked that this certificate appeared in the Certificates snap-in under Personal > Certificates
- configured the WCF .config to point to that certificate.
- started my client app in VS (and VS also started the WcfHost app for my WCF lib)

Everything was fine, WcfHost worked fine and my services worked OK until I rebooted. After reboot WcfHost started complaining:

The certificate 'CN=xxx' must have a private key that is capable 
of key exchange. The process must have access rights for the private 
key. ---> 
System.Security.Cryptography.CryptographicException: Keyset does not exist

The only thing that helps is recreating my certificate, and again it works only until reboot. As I stated above my service is running under my user account (local admin), so I don't think that permissions on my c:\Users\xxx\AppData\Roaming\Microsoft\Crypto\RSA\ files are the issue.

The reason I'm using IIS Manager to create certificates and not makecert etc. is because I want to be sure everything will be working on the shared hosting account I have (there is an option in the hosting panel for creating self-signed certificates).

Can anyone assist with this? Thanks

+1  A: 

Hi

Certificates are pretty difficult from my experience (I'm sure others have strolled through it). Seeing as you've had it working, it seems like you're almost there, so my recommendations revolve around setting certs up in a different way:

  • Use SelfSSL.exe - available as part of the IIS 6.0 Resource Kit - with the following command: SelfSSL.exe /T /N:CN=localhost /V:999 /Q (you can replace localhost with the server name). This will create the cert and install it in IIS, valid for 999 days.
  • Use WinHttpCertCfg - available from Microsoft - with the following command: winHTTPCertCfg.exe -g -c local_machine\my -s localhost -a SERVICEACCOUNT (replacing localhost and SERVICEACCOUNT accordingly) to give the service account you're running it under access to the cert's private key.

Let me know if you have any luck!

Tanner
Thanks for the advice, and especially for the link to the IIS kit. There is a really nice example of deploying certificates (IISCertDeploy.vbs).
A: 

I solved the issue.
I'm running Vista on my dev box with UAC on. A week or so ago I changed the way I start Visual Studio and apparently I didn't notice that I was working in VS started without the option "Run as administrator". That's why WcfHost launched by VS also had limited rights. My bad, I rarely restart VS; it is common practice having a VS running for a week or two with, for example, Unreal3 launched simultaneously.

By the way, can anyone say whether I will have problems with access rights for the certificates on shared hosting (IIS7) with Message security? Or shall I target Transport security?

Tanner
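A diagnostic for the symptom in this thread (the "Keyset does not exist" / "private key capable of key exchange" failure), as an added example that is not code from the original posters: it locates the certificate in both the user and machine Personal stores, reports whether the current process can open the private key, whether the key is an exchange key (what WCF Message security requires), and the ACL on the key container file. It assumes Windows PowerShell on .NET Framework with CAPI keys (as IIS Manager self-signed certificates are); 'CN=xxx' is the placeholder from the question. Running it once from a normal prompt and once elevated shows whether the UAC-filtered token is what loses access.

```powershell
# Added diagnostic, not part of the original thread. Assumes Windows PowerShell (CAPI keys).
param([string]$SubjectCn = 'CN=xxx')   # placeholder from the question; substitute the real CN

function Test-WcfServiceCert {
    param([string]$Subject)
    $results = @()
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        $certs = Get-ChildItem $store | Where-Object { $_.Subject -like "*$Subject*" }
        foreach ($cert in $certs) {
            $r = [ordered]@{
                Store         = $store
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey   # true even when this process cannot open the key
                KeyAccessible = $false
                KeySpec       = $null
                KeyFile       = $null
                KeyFileAccess = $null
                Error         = $null
            }
            try {
                # Opening the key is what WCF does at startup; with no access this throws
                # CryptographicException "Keyset does not exist", as in the question.
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $info = $key.CspKeyContainerInfo
                    $r.KeyAccessible = $true
                    # WCF Message security needs an AT_KEYEXCHANGE key: KeyNumber must be Exchange, not Signature
                    $r.KeySpec = $info.KeyNumber
                    $base = if ($info.MachineKeyStore) { "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" }
                            else { Join-Path $env:APPDATA 'Microsoft\Crypto\RSA' }
                    $file = Get-ChildItem $base -Recurse -Filter $info.UniqueKeyContainerName `
                                -ErrorAction SilentlyContinue | Select-Object -First 1
                    if ($file) {
                        $r.KeyFile = $file.FullName
                        # Who may read the container file decides which accounts can use the key
                        $r.KeyFileAccess = (Get-Acl $file.FullName).Access |
                            ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
                    }
                }
            } catch {
                $r.Error = $_.Exception.Message
            }
            $results += [pscustomobject]$r
        }
    }
    $results
}

Test-WcfServiceCert -Subject $SubjectCn | Format-List
```

If the machine-store entry shows KeyAccessible = False only in the non-elevated run, the key container ACL grants Administrators rather than the user, which matches the accepted answer's finding.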