Reputation: 1018
I am calling a WCF service which requires a client certificate for authentication, from a console application. When I run the console application in debug mode in Visual Studio 2010 running as administrator, the application is not able to present the X509 certificate installed on my machine as client certificate, BUT when the same program is running in Visual Studio (NOT running as administrator), the application works fine and I am able to present the client certificate to the WCF service, and the WCF service returns data as well.
The client and server certificates are both issued by my company's internal CA. I am running on Windows 7 and I am using .NET 4.0.
I am facing the same issue when I have a Visual Studio add-in calling the same WCF service with mutual SSL. When my VS is running under admin mode, the WCF service call fails, but otherwise it works fine.
When I look at the VS process in the task manager, in both cases (admin and non-admin), it shows the process user as my ID, so I am not confused, as this cannot be any certificate access issue.
Any tip or help would be very helpful. Code snippet:
using System;
using System.Security.Cryptography.X509Certificates;

private static void MutualSslServiceCall()
{
    // "MutualSsl" is the endpoint configuration name from app.config.
    var testClient = new LocalService.Service1Client("MutualSsl");
    // Attach the client certificate WCF will present during the TLS handshake.
    testClient.ClientCredentials.ClientCertificate.Certificate = GetClientCertificate();
    var response = testClient.GetData(3232);
    Console.WriteLine("Done, Response = {0}", response);
    Console.ReadLine();
}

// Gets the certificate from the current user's personal (My) certificate store.
private static X509Certificate2 GetClientCertificate()
{
    X509Certificate2 certificate = null;
    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    try
    {
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        // Nothing to do if no cert found.
        if (store.Certificates != null && store.Certificates.Count > 0)
        {
            if (store.Certificates.Count == 1)
            {
                // Return the only certificate present.
                certificate = store.Certificates[0];
            }
            else
            {
                // Request the user to select a certificate.
                var certificates = X509Certificate2UI.SelectFromCollection(
                    store.Certificates,
                    "Digital Certificates",
                    "Select a certificate from the following list:",
                    X509SelectionFlag.SingleSelection);
                // Check if one has been returned.
                if (certificates != null && certificates.Count > 0)
                {
                    certificate = certificates[0];
                }
            }
        }
    }
    finally
    {
        store.Close();
    }
    return certificate;
}
Error: {"Could not establish secure channel for SSL/TLS with authority XXXX."}
InnerException: {"The request was aborted: Could not create SSL/TLS secure channel."}
Upvotes: 0
Views: 2327
Reputation: 1
Thanks to qqbenq for pointing to the key problem. As qqbenq suggested, your account doesn't have permission to access the certificate's private key.
Here is a solution in PowerShell:
# Thumbprint of the certificate whose private key needs to be readable.
$thumbprint = 'Your_Cert_Thumbprint'
$WorkingCert = Get-ChildItem CERT:\LocalMachine\My\$thumbprint
# The CSP key container's unique name is also the name of the key file on disk.
$rsaFile = $WorkingCert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
# Machine-store CSP keys live under MachineKeys; user-store keys live under %APPDATA%\Microsoft\Crypto\RSA\<SID>.
$keyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
$rsaPath = Join-Path $keyPath $rsaFile
$acl = Get-Acl -Path $rsaPath
# Grants Read on the key file to every authenticated user on the machine;
# narrow this to the specific account or group that runs the client where possible.
$permission = "Authenticated Users", "Read", "Allow"
$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
$acl.AddAccessRule($accessRule)
Set-Acl $rsaPath $acl
Upvotes: 0
Reputation: 10460
I faced a very similar problem, but in my case it was the other way around: when running as administrator everything worked fine; in other cases there was a problem retrieving the private key of the certificate (which resulted in the same error: "Could not establish secure channel for SSL/TLS with authority XXXX.").
The solution was the following: when installing the certificate on the system I had to allow the export of the certificate (and thus the private key of the certificate). In this way, not only the account who installed the certificate was able to use it for authentication but all others too (of course only the ones who have access to the specific certificate store and the file which stores the private key).
More information about giving access to the private key file here.
Upvotes: 3
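Both answers above come down to the same check: can the account running the client read the file that backs the certificate's private key? The script below is an added example, not code from the original question or either answer. For one thumbprint it reports, for the CurrentUser and LocalMachine stores, whether the certificate has a private key, whether that key can actually be opened by the current identity (the same access WCF needs when it builds the TLS client credential), whether it was imported as exportable, and which key file and ACL back it. It assumes a legacy CSP (RSA) key container, which is what the .NET 4.0 / Windows 7 setup in the question uses; CNG-backed keys are reported as not readable rather than located. The `$Thumbprint` parameter is a placeholder to fill in.

```powershell
# Diagnose whether the current account can use a client certificate's private key.
# Added example; assumes a CSP (legacy RSA) key container.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object System.Security.Principal.WindowsPrincipal $me).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host ("Running as {0} (elevated: {1})" -f $me.Name, $elevated)

foreach ($location in 'CurrentUser', 'LocalMachine') {
    $storePath = "Cert:\$location\My\$Thumbprint"
    if (-not (Test-Path $storePath)) { continue }
    $cert = Get-Item $storePath
    Write-Host ("`n[{0}] {1}" -f $location, $cert.Subject)
    Write-Host ("  HasPrivateKey: {0}" -f $cert.HasPrivateKey)
    if (-not $cert.HasPrivateKey) { continue }

    # Opening .PrivateKey is the step that fails with access denied when the key
    # file's ACL excludes this account; the application only sees the opaque
    # "Could not establish secure channel for SSL/TLS" error.
    try {
        $key = $cert.PrivateKey
    } catch {
        Write-Host ("  Private key NOT accessible: {0}" -f $_.Exception.Message)
        continue
    }
    if ($null -eq $key) {
        Write-Host "  Private key not readable (null; CNG key or access denied)"
        continue
    }

    $info = $key.CspKeyContainerInfo
    Write-Host ("  Provider:   {0}" -f $info.ProviderName)
    Write-Host ("  Exportable: {0}" -f $info.Exportable)
    Write-Host ("  Container:  {0}" -f $info.UniqueKeyContainerName)

    # Locate the key file on disk and dump its ACL. Machine keys live under
    # MachineKeys; user keys live under the user's SID folder in %APPDATA%.
    if ($info.MachineKeyStore) {
        $keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    } else {
        $keyDir = Join-Path $env:APPDATA ('Microsoft\Crypto\RSA\' + $me.User.Value)
    }
    $keyFile = Join-Path $keyDir $info.UniqueKeyContainerName
    if (Test-Path $keyFile) {
        Write-Host ("  Key file:   {0}" -f $keyFile)
        (Get-Acl $keyFile).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType |
            Format-Table -AutoSize | Out-String | Write-Host
    } else {
        Write-Host ("  Key file not found at {0} (CNG key or different key store)" -f $keyFile)
    }
}
```

Run it once from an elevated PowerShell and once from a non-elevated one and compare the two outputs: if "Private key NOT accessible" appears in only one of them, the ACL listed for the key file is where the difference is, and the fix is to grant Read on that file to the identity that fails, not to every authenticated user.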