IIS 7 and Above
How to Grant IIS 7.5 access to a certificate in certificate store?
Last post Mar 24, 2011 05:48 PM by KingWise
Apr 09, 2010 03:05 PM|icecold_2|LINK
In Windows 2003 it was simple to do, and one could use winhttpcertcfg.exe (download) to give the "NETWORK SERVICE" account access to a certificate.
I'm now using Windows Server 2008 R2 with IIS 7.5 and I am unable to find where and how to set access permissions on a certificate in the certificate store.
This post showed how to do it in Vista and that the winhttpcertcfg features were added into the certificates MMC; however, it doesn't seem to work with imported certificates, or doesn't work anymore on Server 2008 R2.
So does anyone have any idea on how to give IIS 7.5 the correct permissions to read a certificate from the certificate store? And also which IIS 7.5 account needs the permission.
Please note that it is an ASP.NET application running in IIS 7.5 that needs access. I'm also accessing a newly created certificate store and not one of the other default certificate stores.
Also, posted at:
Apr 11, 2010 02:35 AM|lextm|LINK
Winhttpcertcfg is still the tool to use. Please check the application pool that hosts the web application, and grant its identity necessary rights. By default, IIS 7.5 application pools use application pool identities instead of Network Service.
Apr 12, 2010 11:10 AM|icecold_2|LINK
Hmm... winhttpcertcfg failed to install the first time and I thought it didn't work with 2008 R2. I re-downloaded it and it at least installed this time and seems to work, except I'm getting an error.
The error message is "Error: No account information was found.". It does, however, say it finds a "matching certificate".
I'm assuming I'm doing something wrong with the app pool identity. The following is the command I'm running:
winhttpcertcfg.exe -g -a "IIS APPPOOL\my.domain.com" -c LOCAL_MACHINE\MyStore -s MyCert
I'm not using the DefaultAppPool, as it seems to have created a separate app pool based on the name of the website. "my.domain.com" is the name of the app pool according to IIS 7.5.
What does it seem like I'm doing wrong? When I look at w3wp.exe in Task Manager I do see that it is using the my.domain.com account.
Edit: Also, is there a way to see the identities that are in the IIS AppPool, such as in the ACL GUI ("Select Users or Groups" dialog)? I know you can type it in and find them, but I would like to see a list of them to make sure that the app pool identity that I'm getting is correct.
Apr 12, 2010 02:51 PM|icecold_2|LINK
I don't think this is the issue, as when I run winhttpcertcfg.exe with the list option ("-l") on the cert I see it has permissions; however, there is still something blocking the code from accessing the private key, as accessing the public key works just fine.
Is there something special in IIS 7.5 (2008 R2) that needs to be done to allow C# 3.5 access to the private key in an ASP.NET application? I've also tried using the Local Computer\Personal cert store and that also does not work. I've also given "Everyone" full access permission and it still doesn't work. There seems to be an issue / bug with accessing the private key of a certificate in IIS 7.5 / ASP.NET / 2008 R2.
Please note that this works fine on Windows Server 2003, whether it is in Local Computer\Personal or in a store an administrator creates.
Any help is much appreciated as keeping a certificate on the hard drive is not an ideal solution.
Apr 12, 2010 03:50 PM|icecold_2|LINK
Create a certificate with a private key and import it into the "Local Computer\Personal" cert store.
In Windows Server 2008 R2, go into the certificates MMC, right click on the certificate you just imported, choose "All Tasks --> Manage Private Keys" and add "Everyone", "IIS AppPool\DefaultAppPool" or whichever other user or app pool account the IIS 7.5 app pool is using (ApplicationPoolIdentity).
Create an ASP.NET website using the below code and publish it to IIS 7.5; this code will list all certs in the "Local Computer\Personal" folder and let you know if you have access to the public or private key. No matter what permissions you give using MMC "Manage Private Keys", you cannot access the private key. Am I missing something?
Add the following code in a project to the Default.aspx.cs
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.UI;
public partial class _Default : Page
{
    public X509Certificate2Collection Certificates;
    protected void Page_Load(object sender, EventArgs e)
    {
        // Local Computer\Personal, opened for read-only access
        var store = new X509Store(StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        Certificates = store.Certificates;
        repeater1.DataSource = Certificates;
        repeater1.DataBind();
    }
}
public static class Extensions
{
    // "Yes" if the public key loads, otherwise the exception message
    public static string HasPublicKeyAccess(this X509Certificate2 cert)
    {
        try { AsymmetricAlgorithm algorithm = cert.PublicKey.Key; return "Yes"; }
        catch (Exception ex) { return "No: " + ex.Message; }
    }
    // "Yes" if the private key is readable by the worker process identity, otherwise the exception message
    public static string HasPrivateKeyAccess(this X509Certificate2 cert)
    {
        try { string algorithm = cert.PrivateKey.KeyExchangeAlgorithm; return "Yes"; }
        catch (Exception ex) { return "No: " + ex.Message; }
    }
}
Add the following code in a project to the Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
<form id="form1" runat="server">
<asp:Repeater id="repeater1" runat="server">
  <HeaderTemplate><table><tr><td>Name</td><td>Public Key</td><td>Private Key</td></tr></HeaderTemplate>
  <ItemTemplate>
    <tr>
      <td><%#((X509Certificate2)Container.DataItem).GetNameInfo(X509NameType.SimpleName, false) %></td>
      <td><%#((X509Certificate2)Container.DataItem).HasPublicKeyAccess() %></td>
      <td><%#((X509Certificate2)Container.DataItem).HasPrivateKeyAccess() %></td>
    </tr>
  </ItemTemplate>
  <FooterTemplate></table></FooterTemplate>
</asp:Repeater>
</form>
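The "Manage Private Keys" step from the post above, scripted in PowerShell as an added example that is not part of this thread. It grants only Read on the private key file to the app pool's virtual account ("IIS AppPool\my.domain.com", the pool name used earlier in the thread) rather than Full Control to "Everyone"; the certificate subject is an assumed placeholder, and the script assumes an elevated session and a CSP (RSA) key.

```powershell
# Added example (not from the thread): script the "Manage Private Keys" step.
# Assumes: elevated PowerShell on Windows Server 2008 R2 or later, the certificate
# is in Local Computer\Personal with a CSP (RSA) private key, and the app pool is
# named "my.domain.com" as in the thread. $Subject is an assumed placeholder.
param(
    [string]$Subject     = "CN=MyCert",
    [string]$AppPoolName = "my.domain.com"
)
$identity = "IIS AppPool\$AppPoolName"   # virtual account behind ApplicationPoolIdentity

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matching '$Subject' in LocalMachine\My" }

# The private key is a file on disk; its ACL is what "Manage Private Keys" edits.
# CSP keys: %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<UniqueKeyContainerName>
# (CNG keys live under %ProgramData%\Microsoft\Crypto\Keys and need a different lookup.)
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw "Could not read the key container name (CNG key, or no access to it?)" }
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath" }

# Grant Read only: the pool must use the key, not re-ACL or delete it. Avoid Full
# Control, and avoid "Everyone" (tried in the thread), which exposes the key to every local user.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Check the result: the app pool identity should now be listed with Read, and
# any leftover "Everyone" entry from earlier troubleshooting is visible for removal.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -like "IIS AppPool\*" -or $_.IdentityReference -eq "Everyone" } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

After running it, recycle the application pool so the worker process picks up the new ACL, then reload the Default.aspx page above to confirm the private key column reports access.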
Apr 13, 2010 12:14 PM|icecold_2|LINK
Ok. I've tried many different things (listed below) and none of them allow ASP.NET access to a private key in IIS 7.5 on Windows Server 2008 R2. There has to be a MAJOR bug or ISSUE, or something changed that was undocumented.
Not being able to do this is, in my eyes, a huge security issue, as I'm going to have to bypass this and put the certificate in a physical file not maintained by the certificate store.
Where can I submit this as a bug to Microsoft so this can get fixed?
Apr 13, 2010 09:44 PM|lextm|LINK
Please understand that we have helped our customers on such issues before and there is no bug. If you would like to get assistance from Microsoft support team, please open a support case via
Mar 24, 2011 04:57 PM|KingWise|LINK
Mar 24, 2011 05:48 PM|KingWise|LINK