X509Certificate cannot be located from CurrentUser Store in IIS

Background and Problem

Recently, I developed a website which implements a PKI infrastructure. On the click of a button it signs and encrypts a document and sends it to the desired location. During development I had put the signer certificate in my “Certificates-CurrentUser” store and it worked well. But when I deployed the site to production I found that IIS could not locate the certificate in the “Certificates-CurrentUser” store.

Initially I wrote this code, which turned out to be the CULPRIT:

using System.Security.Cryptography.X509Certificates;

// Subject name of the signing certificate
string locationCertificate = "SomeCertificate";

// Personal store of the account the process runs as (under IIS, the worker process identity, not the developer)
X509Store storeMy = new X509Store(StoreName.My, StoreLocation.CurrentUser);
storeMy.Open(OpenFlags.ReadOnly);

// validOnly = false: certificates that fail chain validation are returned too
X509Certificate2Collection certColl = storeMy.Certificates.Find(X509FindType.FindBySubjectName, locationCertificate, false);
storeMy.Close();


It is obvious why the code above will not work: IIS runs the site as the ASPNET user, while the certificate was imported under my Administrator account. As a result, on the production box the code blew up and certColl returned null.


Solution

To resolve this, I imported the certificate into the “Certificates-LocalMachine” store and corrected my earlier code as follows.

using System.Security.Cryptography.X509Certificates;

// Subject name of the signing certificate
string locationCertificate = "SomeCertificate";

// Machine-wide store: visible to every account on the box, including the IIS worker process identity
X509Store storeLocalMachine = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);
storeLocalMachine.Open(OpenFlags.ReadOnly);

// validOnly = false: certificates that fail chain validation are returned too
X509Certificate2Collection certColl = storeLocalMachine.Certificates.Find(X509FindType.FindBySubjectName, locationCertificate, false);
storeLocalMachine.Close();


This is not the end of the story: changing the code alone didn’t help, I also needed to grant the ASPNET user read permission on the certificate. You can do this easily using the “X509Certificate Tool”, which can be found at the following link.

http://wcf.netfx3.com/files/folders/authorization/entry11442.aspx
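To catch both failure modes from this post in one place (certificate in the wrong store location, and certificate found but private key not readable by the worker process identity), here is an added helper that is not part of the original post. It assumes .NET Framework 4.6 or later (for GetRSAPrivateKey and a disposable X509Store); the class, method and store names are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class SigningCertificateLocator
{
    // Opens a store under LocalMachine, finds exactly one certificate by subject name
    // and proves the private key is usable by the identity the process runs as.
    public static X509Certificate2 FindUsable(StoreName storeName, string subjectName)
    {
        using (X509Store store = new X509Store(storeName, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly = true drops expired or untrusted certificates.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);

            if (found.Count == 0)
                throw new InvalidOperationException("No valid certificate with subject '" + subjectName +
                    "' in LocalMachine\\" + storeName + "; check the store location, not just the name.");
            // FindBySubjectName is a substring match, so insist on a single hit.
            if (found.Count > 1)
                throw new InvalidOperationException("Subject name is ambiguous; use FindByThumbprint instead.");

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate was imported without its private key.");

            try
            {
                // Using the key throws CryptographicException when the worker process
                // identity has no read permission on the private key.
                using (RSA rsa = cert.GetRSAPrivateKey())
                {
                    if (rsa == null)
                        throw new InvalidOperationException("Private key is not an RSA key.");
                    rsa.SignData(new byte[] { 1, 2, 3 }, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                }
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Private key is not readable by " +
                    Environment.UserName + "; grant this identity read access to the key.", ex);
            }
            return cert;
        }
    }
}
```

Call it once at application start, e.g. `SigningCertificateLocator.FindUsable(StoreName.TrustedPeople, "SomeCertificate")`, so a misplaced certificate or a missing key permission fails loudly at deployment rather than on the first user click.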



Conclusion

When a site is deployed in IIS, the ASPNET user will not be able to locate certificates imported into the “CurrentUser” store. Certificates need to be imported into the “LocalMachine” store instead, and the ASPNET user has to be given read access to them.

Hope this helps, and thank you for staying with me so far.