Thursday 11 October 2012

Client Certificate Installation and Permissions issues for IIS7 on Windows Server 2008

Incorrectly installed certificate background

We had installed our client certificate by right-clicking it in Windows Explorer and selecting “Install”, and were then unable to use it correctly or to set effective permissions on it. After some research it turned out that installing it this way puts the certificate's physical file at:

C:\Users\Username\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1516947530-858353465-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

i.e. under a specific user account. No method we tried for adding permissions made them take effect, even after they had been applied. For reference, the failed methods were as follows:
  1. icacls.exe - http://stackoverflow.com/questions/1271497/asp-net-permissions-to-root-certificate-store (including downloading, building and running FindPrivateKey to find the physical file location). In the end this was used to set permissions for “IIS AppPool\AppWebService”.
  2. WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "IssuedToName" -a "NetworkService" (in the end this one was used to set permissions for “NetworkService”, since icacls didn't seem to work).
  3. Copying the certificate into the “LocalMachine\Personal” store, which lets the GUI set permissions: right-click the cert, select “All Tasks” and then “Manage Private Keys”. In the end this method wasn't used at all.

The correct way to install and configure the client certificate

For the permission changes to be effective, the certificate must not be located in the folder shown above. To remedy this, I performed the following steps for my client certificate:

I. I found the physical location and filename of the certificate within the file system using the FindPrivateKey app (above)

II. Deleted the certificate from its store using the certificates MMC snap-in: click on the cert and press Delete.

III. Deleted the physical certificate file found in step I above, i.e. deleted it from the Windows Explorer window.

IV. Re-installed the certificate, but instead of the right-click “Install” method described in the background above, the following steps were taken:

  1. Open the LocalMachine certificate store from the MMC snap-in
  2. Right click on “Trusted Root Certification Authorities” and select “All Tasks” then “Import”.
  3. Browse the location of the PFX certificate file (Note: it has to be PFX and not .CER or any other certificate type)
  4. Select next after ensuring that the settings are selected as shown below.
  5. Click next and then finish

V. The certificate’s physical file location should now be within the directory “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\” and this can be verified by using the FindPrivateKey app.

VI. Once we are confident that our certificate is both in the correct store location and in the correct physical file location, we can apply the appropriate permissions to it, as follows …

VII. Use the icacls.exe command-line tool to set the permissions for the virtual account “IIS AppPool\YourAppPoolName” as follows:

C:\Users\Username>icacls "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a47dbd53283exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /grant:R "IIS AppPool\AppWebService":f
processed file: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\8a47dbd53283e3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Successfully processed 1 files; Failed processing 0 files


VIII. Use the WinHttpCertCfg.exe tool (you will need to install this free Microsoft tool) to set the permission for the “NetworkService” account:

C:\Program Files (x86)\Windows Resource Kits\Tools>WinHttpCertCfg -g -c Local_Machine\Root -s "MyCN" -a "Network Service"
Microsoft (R) WinHTTP Certificate Configuration Tool

Copyright (C) Microsoft Corporation 2001.
Matching certificate:
E=address@example.com
OU=My OU
O=MyOrganisationName
L=MyLocation
S=MyState
C=MyCountry
G=G
SN=MyS
CN=MyCN
Granting private key access for account:
NT AUTHORITY\NETWORK SERVICE

IX. Ensure that the Application Pool servicing the Web App is set to the same virtual account that we set the permissions for above (i.e. in our case “IIS AppPool\AppWebService”, which appears within IIS simply as “AppWebService”).

X. You may need to restart the appropriate App Pool or run an IISRESET.

XI. The certificate should now be ready to use
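As an added example (not from the original post), the following PowerShell script automates steps I, V and VII above for a certificate already imported from a .PFX into a LocalMachine store: it locates the private key file, checks that it lives under MachineKeys rather than a user profile, grants the app pool identity access with icacls and then verifies that the ACE is present. The thumbprint parameter, the default store name and the use of Read rather than Full rights are assumptions of this example; the post imported into the Root store and granted :f.

```powershell
# Run from an elevated PowerShell session on the IIS host.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,                               # assumption: the certificate's thumbprint is known
    [string]$StoreName = 'My',                         # the post imported into 'Root'; pass -StoreName Root to match it
    [string]$Account   = 'IIS AppPool\AppWebService'   # the app pool virtual account used in the post
)

# Step I: find the certificate and the on-disk name of its private key container.
$Thumbprint = $Thumbprint.Replace(' ', '').ToUpper()
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\$StoreName"
}
if (-not $cert.HasPrivateKey -or -not $cert.PrivateKey) {
    throw "Certificate has no accessible private key (imported from a .CER instead of a .PFX, or a CNG key)"
}
$container = $cert.PrivateKey.CspKeyContainerInfo

# Step V: the key must live under ProgramData\...\MachineKeys, not under a user profile.
if (-not $container.MachineKeyStore) {
    throw "Private key is in a per-user key store; re-import into the LocalMachine store as described above"
}
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container.UniqueKeyContainerName
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Key file not found at $keyPath"
}
Write-Host "Private key file: $keyPath"

# Step VII: grant the app pool identity access with icacls. Read (R) is sufficient to use the
# key for TLS client authentication; the post granted Full (F). ${Account} is braced so that
# PowerShell does not read the trailing ':R' as a scope qualifier.
& icacls.exe $keyPath /grant:r "${Account}:R" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Verify that the Allow ACE actually landed on the key file.
$ace = (Get-Acl -Path $keyPath).Access |
       Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
if (-not $ace) {
    throw "No Allow ACE for $Account on $keyPath"
}
Write-Host "Granted $($ace.FileSystemRights) to $Account on $($container.UniqueKeyContainerName)"
```

After running it, recycle the app pool (step X) so the worker process picks up the new key access.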

Helpful URLs:

http://skybooks.ru/appdg.shtml - The Logon Locally logon right is required for all accounts.