X509 Public Certificate and Permissions

I'm having a problem uploading a specific X509 certificate in an ASP.NET application (i.e. not via IIS for https). I have uploaded it to my "Personal" and "Trusted Root" stores on my local machine (via the MMC snap-in), but I cannot load it from either store.

The NETWORK SERVICE account does not seem to have read / load permissions because when I change the application pool ID to an admin user, I can find, download and use the certificate.

It's the only public certificate, so unlike a private key certificate, I can't see anywhere to set rights to it.

This is weird because I had this issue with public certificates in this app earlier. The only difference I can see in this public certificate and previous public certificates (which loaded fine) is that this particular public certificate is signed by Verisign and therefore has a certification chain with several other Verisign certificates.

Thanks in advance
Charles

FYI, my dev environment is just my Vista Business machine with IIS7.

0




2 answers


It's been around for a while, but I seem to remember that I had permissions-related certificate issues, which I resolved by importing the certificate into a physical store (when installing a certificate, check the Show Physical Stores checkbox).

Alternatively, you can look at FileMon or ProcMon and check if the NETWORK SERVICE is denied access. This MSDN page lists the storage locations on disk.



Still an undefined answer, but hopefully this will eventually lead to a solution ...

+1




A couple of different thoughts. I am a little confused about how you use the term "private key certificate" and what you mean by "using the certificate" after you tried to access it with administrator rights. I am assuming that you are trying one of the following:

  • get a copy of the certificate and do something like validation or use it for encryption.

  • get a copy of the certificate and private key and use it for something like signing.

So ... if this is #1, my first bet is that the settings for the certificate messed up something in the ASP.NET protocols. Verisign would customize the profile used to generate and sign the certificate in a specific way. This will give you certificate settings that you cannot change, which may prevent the certificate from loading. I would check the certificate that gives you problems with certificates that don't have any problems and see how the extensions in the certificates change. You can do this through the IE certificate preview pane in the client. Check out any other settings you find on the Internet - there are usually reports of integration issues with Microsoft.



Unfortunately, if you find a problem, you need to go back to Verisign and get a new certificate signed with the correct extensions. If you have a corporate account, ask to speak to their top-level support, they should be sophisticated enough to help you find a certificate profile that will work for your tools.

If this is #2 - you may have made the private key for the certificate not exportable. I am assuming that you are using a software certificate and you have downloaded PKCS12 or other certificate store file to your browser. At the time, it would have asked if you wanted to export the private key. If you said no (this box is not checked), then the private key will not leave the browser.

Once you have the original certificate / private key store file, the answer is painless - delete the certificate from your personal certificate store and reload it. Be sure to check the exported checkbox.

0
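The extension comparison suggested in the answer above can be scripted instead of done by eye in the certificate viewer. This is an added example, not part of the original answer; the two `.cer` paths are placeholders and the function names `Get-ExtensionSummary` and `Compare-CertificateExtension` are made up for illustration.

```powershell
# Added example (PowerShell 3.0 or later). Both paths are placeholders: export the
# public part of each certificate to a .cer file from the MMC snap-in first.
$WorkingPath = 'C:\temp\working.cer'   # placeholder: a certificate the app loads
$ProblemPath = 'C:\temp\problem.cer'   # placeholder: the certificate that fails

function Get-ExtensionSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # One object per X.509 v3 extension: OID, friendly name, critical flag, decoded value.
    foreach ($ext in $Certificate.Extensions) {
        [pscustomobject]@{
            Oid      = $ext.Oid.Value
            Name     = $ext.Oid.FriendlyName
            Critical = $ext.Critical
            Value    = $ext.Format($false)
        }
    }
}

function Compare-CertificateExtension {
    param($Working, $Problem)
    $w = @(Get-ExtensionSummary $Working)
    $p = @(Get-ExtensionSummary $Problem)
    # Union of extension OIDs present in either certificate.
    $oids = @($w | ForEach-Object { $_.Oid }) + @($p | ForEach-Object { $_.Oid }) |
        Sort-Object -Unique
    foreach ($oid in $oids) {
        $a = $w | Where-Object { $_.Oid -eq $oid } | Select-Object -First 1
        $b = $p | Where-Object { $_.Oid -eq $oid } | Select-Object -First 1
        if (-not $b) { $status = 'OnlyInWorking' }
        elseif (-not $a) { $status = 'OnlyInProblem' }
        elseif ($a.Critical -ne $b.Critical) { $status = 'CriticalFlagDiffers' }
        elseif ($a.Value -ne $b.Value) { $status = 'ValueDiffers' }
        else { $status = 'Same' }
        $name = if ($a) { $a.Name } else { $b.Name }
        [pscustomobject]@{
            Oid = $oid; Name = $name; Status = $status
            Working = $a.Value; Problem = $b.Value
        }
    }
}

$working = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $WorkingPath
$problem = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ProblemPath
Compare-CertificateExtension $working $problem |
    Where-Object { $_.Status -ne 'Same' } |
    Format-List
```

Per-certificate values such as key identifiers will always show as `ValueDiffers`; the rows worth reading are extensions present in only one certificate and those whose critical flag differs.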

