Reputation: 175
ASP.NET X509Certificate2 access denied when hosted in IIS
I am having the below piece of ASP.NET code to load a pfx file from a folder
var certificatePath = $"{HttpContext.Current.Server.MapPath("~")}{certFolderName}\\{certFileName}";
return new X509Certificate2(certificatePath, certPassword, X509KeyStorageFlags.MachineKeySet);
This code works fine in local IIS. However the same code when moved to our QA servers its throws Access Denied error as below.
I had gone through many forums and got to know that this is mostly a permission issue in accessing the folder C:\ProgramData\Microsoft\Crypto\RSA\MachineKey. I have verified the access for this folder in our server and its all fine. The 'Everyone' user has read & write access. So ideally there shouldn't be any access denied error. I even gave explicit Full Control access to the identity of App Pool, but still doesn't work. I am trying to understand what else could cause this access denied problem.
Upvotes: 4
Views: 1443
Answers (1)
Reputation: 13924
return new X509Certificate2(certificatePath, certPassword, X509KeyStorageFlags.MachineKeySet);
the problem is with last parameter. Your application (app pool identity) doesn't have permissions to access local machine store. You should either use Current User store (for persistent key storage) or ephemeral if the key must be accessed only in runtime.
Upvotes: 1
Related Questions
- Site in Azure Websites fails processing of X509Certificate2
- X509Certificate2 certification issue
- IIS Client certificate not working. Returns 403 error
- IIS has no access to Certificate Store
- HttpClient certificate when hosted in IIS/Asp.NET Application not work
- Why isn't X509Certificate2Collection working in IIS?
- Azure Web Application new X509Certificate2() causing System.Security.Cryptography.CryptographicException: Access denied
- Configuring IIS Client Certificate Mapping Authentication
- ASP.NET MVC: “An internal error occurred.” when loading certificate bytes with X509Certificate2
- X509Certificate2: Internal error