Certificate blues


Currently I am trying to figure out how we can implement the OIOSI/RASP Framework (OIO Service oriented Infrastructure/Reliable Asynchronous Secure Profile)

The framework supports reliable, secure E-Business using open standards. Including components for web service calls, non-repudiation, UDDI-registries and a standardized subset of the UBL 2.0 business document profile. Supported for .Net and java.

Among other things I need to install various certificates for use with services such as eg IIS to handle encrypted messages and this have given me some headaches as I haven't used them much until now
Obviously the documentation is takes the wrong path and not very well written, haven't we seen that one before once or twice

Googling around gave me some pieces of advice but not the full picture, by pure luck I found a topic at stackoverflow.com and some comments by Željko Tanovic and I managed to solve but also understand the problem

The problem

I had two errors "key does not exist" because IIS couldn't find the private key file and "invalid handle" caused by missing user privileges

First mistake being misled by the documentation was to install in the personal store and move the certificate to the localmachine store, the private key was installed in the current user folder and inaccessible by the IIS service accounts
Second was missing user privileges and straight forward to fix as soon as the first problem was solved

While troubleshooting you can use FindPrivateKey to get current location of the private key file. FindPrivateKey is part of the Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4

You can add root LocalMachine -t "db e0 d9 a8 1f 2c a2 ed 05 c7 55 81 64 68 a6 72 fb 44 e4 0a" to the debug project property tab and the console in the debugger to the path you need
Please note, the documentation gives you also an extra -c at the end, but this additional parameter causes an if statement to fail and nothing is found

Folder for private keys when the ceritificate is imported in the personal store
C:\Documents and Settings\<user>\Application Data\Microsoft\Crypto\RSA

Folder for private keys when the ceritificate is imported to localmachine store
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

Solution: Import certificates

Steps when importing certificates which is used by services such as eg IIS

  • Import certificate to the localmachine store (root / Trusted Root Certificate Authorities)
  • Check that the private key file is stored in the MachineKeys folder by using the FindPrivateKey tool
  • Set apprioprate user privileges for your service accounts, eg ASPNET and user account running the Application Pool

Problem solved - Well at least I can see my webservice page in IE Cool

Update! Instead of all the hazzle setting the access rights manually you can also use the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe)

Command line:

C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg 
             -g -c LOCAL_MACHINE\My -s MyWebSite -a DefaultAppPool