Reputation: 3573
Today my hosting provider said that an ASP.NET application can be accessed via HTTPS, even without giving the Application Pool Identity permissions (at least read-only) to the SSL certificate storage.
To simplify someone's research, I'd suggest taking a look at THIS link.
QUESTION: Is the hosting provider faking me? Or, in order to reach a website resource of an ASP.NET project through the HTTPS protocol, MUST the server have granted access to the ApplicationPoolIdentity of this project's Application Pool?
Without giving additional access to: IIS_IUSRS; Users group, NETWORK SERVICE, or any others either. Just by leaving the default "Administrators" group.
Upvotes: 1
Views: 634
Reputation: 8867
The short answer is: No, the hosting provider is not faking you.
The server (IIS) must have access to the private key of the corresponding SSL certificate to correctly establish an SSL channel with clients. As far as I know, the IIS server has this permission by default (because the World Wide Web Publishing Service runs under the local system account, and this account has permission to access the local machine store by default). On top of the IIS server there are app pools hosting your ASP.NET page.
But if your web page needs for some reason to access a certificate in the local machine store (i.e. it signs data or makes web requests to another URL that requires a client certificate), then the app pool has to have access to the corresponding private key, and you would have to set the permission using the guide that you posted.
Upvotes: 2
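For the second case in the answer above (application code that itself uses a certificate from the local machine store), the following is an added example, not part of the original posts, that reports whether one application pool identity holds a direct read ACE on the certificate's private key file and can optionally grant read-only access. It assumes an RSA key and a certificate in `LocalMachine\My`; the script parameters `$Thumbprint` and `$AppPoolName` are placeholders you supply, and it must run elevated.

```powershell
# Added example: audit (and optionally grant) read access to a certificate's
# private key for one IIS application pool identity. Run from an elevated prompt.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # placeholder: your certificate's thumbprint
    [Parameter(Mandatory)] [string] $AppPoolName,  # placeholder: your application pool's name
    [switch] $Grant                                # add a read-only ACE if it is missing
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }

# Resolve the key container file name (CNG key or legacy CSP key).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Not an RSA key; this example only handles RSA." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine key files live in one of these two directories.
$keyDirs = "$env:ProgramData\Microsoft\Crypto\Keys",
           "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
$keyFile = Get-ChildItem -Path $keyDirs -Filter $keyName -File -Force -ErrorAction SilentlyContinue |
           Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under the machine key directories." }

# Look for an explicit Allow ACE that includes Read for the app pool identity.
# Access inherited through group membership (e.g. IIS_IUSRS) is not evaluated here.
$identity = "IIS AppPool\$AppPoolName"
$read     = [System.Security.AccessControl.FileSystemRights]::Read
$acl      = Get-Acl -Path $keyFile.FullName
$hasRead  = [bool]($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $identity -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $read) -eq $read
})

if (-not $hasRead -and $Grant) {
    # Least privilege: Read only, never FullControl.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile.FullName -AclObject $acl
    $hasRead = $true
}

[pscustomobject]@{ Identity = $identity; KeyFile = $keyFile.FullName; HasReadAccess = $hasRead }
```

A site that only serves pages over HTTPS and never opens the certificate from application code should report `HasReadAccess = False` here and still work, which matches the hosting provider's statement.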