Kurkula

Reputation: 6762

User account has no access to private key of Client certificate

I have a scenario where I am using a certificate in my code to trigger an action. After importing the certificate to my local machine and running the C# code, it throws a private key access error: 'User account has no access to private key of Client certificate'. Any pointer that can resolve the issue or help me debug through it?

What I did: Run - certlm.msc Personal - certificates - all tasks - import - Local machine - browse my .cer file

What I tried to resolve it (but could not): Run - certlm.msc Personal - certificates - My certificate - right click - all tasks - manage private key - add "Network Service" with full control. I tried to add my mail id or username, but it did not allow me to add them.

Error: System.InvalidOperationException: 'User account has no access to private key of Client certificate'

Config:

<system.serviceModel>
        <behaviors>
            <endpointBehaviors>
                <behavior name="ClientBehavior">
                    <clientCredentials>
                        <clientCertificate findValue="xxxx-correct thumbprint-xxxxxxx" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />  
                    </clientCredentials>
                </behavior>
            </endpointBehaviors>
        </behaviors>
</system.serviceModel>

Upvotes: 5

Views: 4533

Answers (4)

Tibic4

Reputation: 3767

There may be several reasons why the problem occurs.

You can try:

Add the user account to the local machine's certificate store. To add the user account to the local machine certificate store, you use the command: certutil -user -addstore "My" "C:\Users\username\Documents\certificates\client.pfx"

To import the certificate, you can use the following command: certutil -user -importpfx "C:\Users\username\Downloads\cert.pfx"

Add the user account to the certificate's private key access control list (ACL). You can do this by running the following command in an elevated command prompt: certutil -user -setreg. For example, if your certificate's thumbprint is 1234567890ABCDEF and your user account is MyUser, you would run the following command: certutil -user -setreg 1234567890ABCDEF MyUser.

You can find the thumbprint of your certificate by running the following command in an elevated command prompt; in its output the thumbprint is called the "Cert Hash": certutil -store my.

You can find the user account by running the following command in an elevated command prompt: whoami /user.

And finally you can try using code to import the certificate to the local machine. Example:

using System.Security.Cryptography.X509Certificates;

// Import a certificate into LocalMachine\My. For a .pfx, MachineKeySet places the
// private key in the machine key store and PersistKeySet keeps it there after the
// X509Certificate2 object is disposed; without these flags the key is not retained.
public static void ImportCertificate(string certificatePath, string password = null)
{
    var certificate = new X509Certificate2(certificatePath, password,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
    using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
    {
        store.Open(OpenFlags.ReadWrite);
        store.Add(certificate);
    }
}

Please let me know if any option worked.

Upvotes: 6

Kurkula

Reputation: 6762

After weeks of struggle, I was able to find the resolution for the issue. I was running Visual Studio as administrator, but after a few trials I tried running Visual Studio as a specific user (shift + right click on the Visual Studio shortcut), entered my credentials and opened Visual Studio. The issue was resolved by opening Visual Studio as a specific user with my credentials.

Upvotes: 0

Pedro Luz

Reputation: 973

How to Grant permission to user on Certificate private key using powershell?

This is also a good way to do it, pretty much wrapped up in PowerShell.

Upvotes: 2

Cees Kaas

Reputation: 241

I think you were in the right location when you added the permissions for Network Service; however, as your application is probably not running as Network Service while debugging, you'll need to add your current account with permissions as well.

To figure out what your username is, you can use whoami in a cmd window. Alternatively, in the window where you entered NETWORK SERVICE to give it more permissions there should be an Advanced ... button that will let you search the computer or domain for accounts; if you put in no search value it will list all accounts, and you can then select your user account and give it full control.

Upvotes: 2
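As an added example (not code from the question or any of the answers), a PowerShell script that does what the two preceding answers describe: find the LocalMachine\My certificate by thumbprint, locate its private key file, and grant the debugging account (defaulting to the current user) Read access to it. The thumbprint is a placeholder; the key-container directories are the standard Windows locations for machine keys, and the script must run elevated.

```powershell
#Requires -RunAsAdministrator
param(
    # Constructed placeholder: paste the "Cert Hash" shown by certutil -store my
    [string]$Thumbprint = 'REPLACE_WITH_THUMBPRINT',
    # Defaults to the account running this script, i.e. the one debugging in Visual Studio
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME"
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# A .cer import carries only the public certificate; without a private key there is
# nothing to grant access to, and the client will fail regardless of ACLs.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the .pfx instead' }

# Resolve the key container file. Legacy CSP (CAPI) machine keys live under
# Crypto\RSA\MachineKeys, CNG machine keys under Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = Split-Path -Leaf $rsa.Key.UniqueName
} else {
    throw 'Only RSA private keys are handled here'
}
$keyPath = @(
    (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
    (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
) | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto" }

# Grant Read only: using the key for client authentication needs Read, not Full Control
# (which would also allow the key to be exported or replaced).
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting entry so the grant can be verified
(Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```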
