Sep 13

After a bad week (where my work machine died), I’ve finished reinstalling everything. This time, I’ve went with Windows 7 and as a bonus, I’ve ended up with IIS 7.5. One of the things I needed to recover my working environment was to configure access to the certificates’ private keys (I have several WCF services which need certificates). In the old days, the solution was to use the httpcertcfg tool and use the command line.

With IIS 7.5 (also available for IIS running in Vista and Server 2008 with SP2), we’ve got a “new” security feature called application pool identities. According to the docs, application pool identities “allow you to run app pools under a unique account without having to create and manage domains or local accounts”. Until now, everything looks good and this is, indeed, an welcomed new feature. Now, my problem was granting access to the private keys of the certificate to that account. Initially, I’ve tried using my beloved winhttpcertcfg tool:

C:Windowssystem32>winhttpcertcfg -g -c LOCAL_MACHINEMy -s mycertificate -a "IIS APPPOOLASP.NET v4.0"

The result: “Error: no account information found.” Not good. I know that I could use the good old FindPrivateKey utility,but I’ve thought that there should be an easy way of doing these things. And yes,there is. I’ve tripped into an even easier way of granting permissions to a private key (interestingly, available since Windows Vista – note to self: start poking around everywhere when new versions of an OS is released!).  Take a look at the following image:


Notice the Manage private keys entry? Yep, that’s just what the doctor ordered! Clicking over that option ends up showing the security dialog and now it’s only a question of adding the correct account (which, if you’re using the new application pool identity, is as easy as writing “IIS apppoolyour pool name”). Cool, right?

12 comments so far

  1. bjohnson
    7:37 pm - 9-21-2010

    luisabreu, You rock! I have been trying for days to get around the Cryptography_CSP_NoPrivateKey error for a private certificate. Applying permissions in the Manage Private Keys with “IIS apppoolyour pool name” worked. Thank you very much.

  2. Marco
    7:42 pm - 12-13-2010

    Hello Luis.

    Beginning with a description of the project:
    developed in mvc loads data from an erp and transformed into xml, which must be signed and sent to a webservice that requires using the same certificate to communicate with the destination server …

    While in the development environment everything went well, the digital certificate was loaded with the private key and the server connection was accepted.

    After publishing the site in iis 7 noticed two things:

    1 – In localhost everything is fine;
    2 – using the server ip csg not load the private key;

    I tried to impersonate my user just to see what was happening, and thus the digital certificate is loaded and the xml is signed but when I try to communicate with the webservice I get the following excapção: “The request was aborted: Could not create SSL / TLS secure channel. ”

    After that, I added the app pool to the permissions of the certificate and I still can not communicate with the webservice …

    The impersonate was just a test … seems that my user has more permissions than the app pool that I created. however if i remove the impersonate i can”t even load the private key.

    Hope you can help me because i”m a little bit stuck in this.


  3. luisabreu
    10:06 pm - 12-13-2010

    Marco, I”m not sure if the problem is setting up the SSL/TLS or if the problem is in your web service getting the private key.

    have you run the basic checks:
    1. check if the certificate is installed
    2. change the user of your app pool so that it runs with admin credentials (just to see if getting the private key is the problem?)

    if it”s getting the https working, don”t forget that the certificate name must match the server name (ex.: http://mymachine/… must use a certificate called mymachine)

  4. Marco
    8:13 pm - 12-14-2010

    Well maybe i”m not explain well… what i want to say is… if i use the visual studio web server, the application loads the certificate, sign the xml, and connects to third party web service.

    if i deploy the web site to my iis 7 and call the web site using http://localhost….. it still works. but if i call http://ip adress/…..

    the client certificate isn”t loaded unless i impersonate my web site, and even when i impersonate the web site i get a the exception “The request was aborted: Could not create SSL / TLS secure channel.”

    i just need the certificate to connect to a third party webservice, its not for a https….

    have you run the basic checks: -> yes more thant just the basics 🙁

    1. check if the certificate is installed – yes it is… as i”ve said before if i use visual studio or call website by http://localhost everything work as was expected, the error only happens when i call it using http://ip adress/…

    2. change the user of your app pool so that it runs with admin credentials (just to see if getting the private key is the problem?) – i already did that i have impersonated the user to an admin acount, i”ve added administrator full permission to the web site folder….

    do you have any ideas?

  5. luisabreu
    9:27 pm - 12-14-2010

    Hello again.

    I”m still not sure if the error you”re having is related with accessing the site in HTTPS or if it”s realted with WCF…

    what about the certificate name? For instance, I”ve had similar errors in the past with simple things like machine name vs machine domain name.. For instance, once I ended up having an error because the certificate”s name was and I was using the URL machinename in the browser!

    You”re saying that you”re using the IP address…that seems like it won”t work if you”re using a named certificate…

    btw, if it”s a WCF problem, then check the identity element (

  6. Marco
    9:55 pm - 12-15-2010

    I”m just consuming the webservice… i”m not developing the webservice and it”s not a wcf service. i have added the web reference to this webservice and for that i needed the certificate. but the certificate was not installed by me. it was installed by the IT manager of the client company…

    what i did was, deploy the web site and configure the certificate as you said.

    the connection is being rejected but the certificate is being loaded and also the private key… the certificate was emitted by a company, i”m thinking if the problem is in a intermediate certificate?

  7. luisabreu
    10:11 pm - 12-15-2010

    That”s also a possiblity. having a certificate isn”t enough: the certificate issuer must be considered a trusted party too (I recall one scenario where we had to install a certificate which identified the issuer on the third-party root certificate authorities)

  8. Marco
    7:40 pm - 12-16-2010

    ok. but how can i know if all the intermediate certificates are enabled for my app pool. in mmc i can see all these certificates, but i don”t know how to validate if they can be acceced by the web site app pool. do you know how?

  9. luisabreu
    9:26 pm - 12-16-2010

    but don”t you know which certificate you”re using? you just need to look at that cert”s prop and ensure that its issuer is known as a trusted third party…