Branimir

Reputation: 4367

Get certificate from LocalComputer store "Store_1" on IIS

I'm working on a multi-tenant ASP.NET web application for digital signing. For every tenant, a certificate store named "Tenant_{TenantId}" is created in the store location "Local Computer" (StoreLocation.LocalMachine).

Everything works fine from a Windows application running under an account with local administrator permissions. When the same library is used from an ASP.NET application hosted on IIS, only the "Local System" identity can work with the certificates.

I tried with a local administrator user account and get the exception "Access is denied":

 System.Security.Cryptography.CryptographicException: Access is denied.

Are there any restrictions on code running under IIS? How do I grant a user or code read permissions on certificates (from specific certificate locations/stores)?

The application is hosted on Windows Server 2012 R2 / IIS 8.5 / ASP.NET 4.5.

Upvotes: 1

Views: 2481

Answers (1)

Ivan Samygin

Reputation: 4571

There are 3 options you can try.

1) Use MMC (the Certificates snap-in for Local Computer).

If your store (Store1) is listed under the "Certificates (Local Computer)" node, find your certificate. If the store is not listed, try to search for the certificate with the command from the context menu of the "Certificates (Local Computer)" node: Find Certificates... (Find in: All certificate stores). After you have found the certificate, drag&drop it to the Personal store, then select All Tasks -> Manage Private Keys from its context menu, grant access to the account, and finally drag&drop it back to your store.

Based on this answer

2) Use WinHttpCertCfg.exe to grant access to the certificate's private key:

winhttpcertcfg -g -c LOCAL_MACHINE\<your-store-name> -s <cert-subject> -a <IIS-app-pool-account>

3) If you need to grant access in code, take a look at the solution in PowerShell (you can easily implement it in C#).

Upvotes: 1
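As an added example (not from the answer above or the asker's library), here is what option 3 looks like in C#: open the tenant store under LocalMachine, locate the certificate by thumbprint, resolve the CSP key container file under MachineKeys and add a Read ACE for the application pool identity. It assumes a CSP (RSACryptoServiceProvider) key and must itself run under an account that can already read the key (an elevated administrator or Local System, as in the question); the store name, thumbprint and account in the usage comment are placeholders.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class PrivateKeyAcl
{
    // Grants FileSystemRights.Read on the private key file of a certificate
    // stored in a LocalMachine store. Example code, not part of the original post.
    // Only CSP keys (stored as files under MachineKeys) are handled here;
    // CNG keys live in a different location and are rejected with an exception.
    public static void GrantRead(string storeName, string thumbprint, string account)
    {
        using (var store = new X509Store(storeName, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Certificate " + thumbprint + " not found in LocalMachine\\" + storeName);

            // Reading PrivateKey here already requires access to the key,
            // so this routine must run elevated (or as Local System).
            var rsa = found[0].PrivateKey as RSACryptoServiceProvider;
            if (rsa == null)
                throw new InvalidOperationException("Private key is not a CSP key; CNG keys are not handled");

            // CSP machine keys are files named after the unique container name.
            string keyFile = Path.Combine(
                Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                @"Microsoft\Crypto\RSA\MachineKeys",
                rsa.CspKeyContainerInfo.UniqueKeyContainerName);

            var keyInfo = new FileInfo(keyFile);
            FileSecurity security = keyInfo.GetAccessControl();
            // Read is sufficient for signing; do not grant FullControl to the app pool.
            security.AddAccessRule(
                new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
            keyInfo.SetAccessControl(security);
        }
    }

    // Usage (placeholders): grant the tenant's app pool read access to its signing key.
    // PrivateKeyAcl.GrantRead("Tenant_42", "<THUMBPRINT>", @"IIS AppPool\<your-app-pool>");
}
```

The same ACL change is what MMC's "Manage Private Keys" and winhttpcertcfg -g perform under the hood, so you can verify the result afterwards with either of them.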
