Can an X509Certificate be fetched from the certificates store by ASP.NET without file-system permissions?

StackOverflow https://stackoverflow.com//questions/20007824

Question

Where should a certificate that appears in the Trusted Root Certification Authorities node in certmgr.msc be kept so that an IIS web app can obtain it and sign a SAML Assertion with it? Is there a way to extract the certificate from the certificates "hive" directly, that does not require file-system permissions? Or is it necessary to export the certificate to a folder to which the IIS7 built-in user has access permissions?

The X509Certificate2.Import() method's first parameter is fileName.

If I export the Certificate and put the file in my Visual Studio 2012 Project folder hierarchy and provide a fully qualified path to the Import() method, the cert import succeeds, but only if the application is running in Visual Studio's built-in server, not if it's running in the Local IIS Web Server.

I've tried using the Friendly Name with X509KeyStorageFlags.MachineKeySet but that did not work.

EDIT: This works when using the built-in Visual Studio server but not the LOCAL IIS7 Server in Windows 7:

    Imports System.Configuration
    Imports System.Security.Cryptography.X509Certificates

    ' CurrentUser is the personal store of whichever Windows identity runs the process
    Dim certStore As New X509Store(StoreLocation.CurrentUser)
    certStore.Open(OpenFlags.ReadOnly)
    Dim thumbprint As String = ConfigurationManager.AppSettings("thumb")
    ' validOnly:=False so an untrusted or expired certificate is still returned
    Dim certCollection As X509Certificate2Collection = _
        certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
    certStore.Close()
    Dim cert As X509Certificate2 = certCollection(0)

so I need to find out how to give the Default App Pool access to this certificate in Windows 7.


Solution

You don't "import", you just create an instance. Formally, you open a key store and loop through its certificates. And yes, you don't need any filesystem permission. However, to access the private key, your application pool identity has to have permission on the key; you set that permission in the Certificates snap-in of the MMC console.

Edit: the code to access the certificate would be something like:

var store = new X509Store( name, location );
store.Open( OpenFlags.ReadOnly );

foreach ( var cert in store.Certificates )
{
    // loop and match, by thumbprint, friendly name or whatever else
    if ( cert.Thumbprint == thumbprint ) { /* use cert */ }
}
store.Close();

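The store lookup above, carried through into a form an ASP.NET application can call, as an added example rather than the answer's own code. It assumes the signing certificate and its private key sit in LocalMachine\My, that the key is RSA, and .NET 4.6 or later for GetRSAPrivateKey; the second method checks the part the answer refers to, that the worker-process identity can actually use the key, and fails with a clear message when the key ACL has not been granted.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class SigningCertificateLocator
{
    // Finds a certificate in the Windows store by thumbprint. LocalMachine\My is the usual
    // place for a server signing certificate: a CurrentUser store belongs to one Windows
    // identity, so a certificate imported into the developer's store is invisible to the app pool.
    public static X509Certificate2 FindByThumbprint(string thumbprint,
        StoreName name = StoreName.My, StoreLocation location = StoreLocation.LocalMachine)
    {
        // Thumbprints copied from certmgr.msc often carry spaces or a hidden leading
        // character; keep only the hex digits before matching.
        string cleaned = new string(Array.FindAll(thumbprint.ToCharArray(), Uri.IsHexDigit));
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly);   // reading the store needs no file-system permission
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, cleaned, false);
            if (matches.Count == 0)
                throw new InvalidOperationException(string.Format(
                    "No certificate with thumbprint {0} in {1}\\{2}", cleaned, location, name));
            return matches[0];
        }
        finally { store.Close(); }
    }

    // Signs a sample to prove the process identity can use the private key. This is the
    // step that fails when the key's ACL omits the app pool identity; the fix is the key
    // permission in the Certificates MMC snap-in, not a file path inside the web app.
    public static byte[] ProveSigningAccess(X509Certificate2 cert, string sample)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key and cannot sign.");
        try
        {
            using (RSA rsa = cert.GetRSAPrivateKey())   // extension method, .NET 4.6+ / .NET Core
                return rsa.SignData(Encoding.UTF8.GetBytes(sample),
                                    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
        catch (CryptographicException ex)
        {
            throw new UnauthorizedAccessException(
                "Private key is present but this identity cannot read it; grant it Read on the key.", ex);
        }
    }
}
```

Calling ProveSigningAccess once at startup under the real application pool identity surfaces the missing key permission immediately instead of at the first SAML sign-on.
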
Licensed under: CC-BY-SA with attribution