Question

I already created a WCF Service that is hosted in IIS. I've created a CA with makecert and one certificate for authenticating the service using HTTPS. With this certificate I have made it work. Now I'm trying to use Message Security in the service.

In the web.config I have the following code:

<serviceCredentials>
  <serviceCertificate findValue="192.168.1.230" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
  <clientCertificate>
    <authentication certificateValidationMode="ChainTrust" />
  </clientCertificate>
</serviceCredentials>

When I try to view the Web Service through a browser like Chrome, I'm receiving the following error: System.Security.Cryptography.CryptographicException: KeySet does not exists. I checked the inner exception and this is what I see:

[CryptographicException: El conjunto de claves no existe]
   System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +5368074
   System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +138
   System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +221
   System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +516
   System.ServiceModel.Security.SecurityUtils.GetKeyContainerInfo(X509Certificate2 certificate) +45
   System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +76

[ArgumentException: Puede que el certificado 'CN=192.168.1.230' no tenga un clave privada capaz de intercambiar claves, o que el proceso no tenga permisos de acceso a la clave privada. Vea la excepción interna para obtener información detallada.]
   System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +16947147
   System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +190
   System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +50
   System.ServiceModel.Security.AsymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +930
   System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +740
   System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +79
   System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +397
   System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +740
   System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +375
   System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +740
   System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +249
   System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +740
   System.ServiceModel.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity) +125
   System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) +901

[ServiceActivationException: El servicio '/WebFrontITAS.svc' no se puede activar debido a una excepción durante la compilación. El mensaje de la excepción es: Puede que el certificado 'CN=192.168.1.230' no tenga un clave privada capaz de intercambiar claves, o que el proceso no tenga permisos de acceso a la clave privada. Vea la excepción interna para obtener información detallada..]
   System.Runtime.AsyncResult.End(IAsyncResult result) +622882
   System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +196075
   System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +282

I googled a lot about this, but I have not found anything useful. When I try to get the private key using FindPrivateKey.exe it fails and gives me the following error: No certificates with key '192.168.1.230' found in the store.

I'm not sure if the problem is with the cert or with the configuration of WCF.

Was this helpful?

The solution

Besides changing the user, another way to solve this issue is to give the App Pool the WCF service is running under permission to read the private key.

Open the certificate store for your system and find your certificate; from there choose Manage Private Keys.


Inside the security settings, add the app pool your WCF service is running under by adding the name IIS AppPool\App_Pool_Name_Here (if you are on a domain, be sure the location is set to the computer, not the domain).


Then check the box for Read permissions and your app should start being able to read your certificate.


NOTE: I have encountered a bug where, depending on how you imported your certificate, the program will still not work correctly. I have found this usually happens if you used IIS to import the certificate. If you remove the certificate and re-add it from inside the Certificates manager using the wizard built into the manager, it will often fix the issue.
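The steps in this answer (and the diagnosis the question is asking for: does the certificate actually carry a private key the worker process can open?) can be scripted instead of clicked through the Certificates MMC. The following is an added PowerShell example, not code from the original post or from any of its authors. It assumes the certificate subject from the question (CN=192.168.1.230), a placeholder application pool name, and the standard machine-key directories used by CAPI and CNG key storage; run it in an elevated session on the IIS host.

```powershell
# Added example (not part of the original answer): grant the IIS application pool
# identity read access to the private key of the WCF service certificate.
# Assumptions: subject "192.168.1.230" (from the question), pool name is a placeholder.
$SubjectName = '192.168.1.230'
$AppPoolName = 'App_Pool_Name_Here'   # placeholder: the pool hosting the WCF service
$Identity    = "IIS AppPool\$AppPoolName"

# Same lookup WCF performs for storeLocation="LocalMachine" storeName="My"
# x509FindType="FindBySubjectName": match on the CN of the subject.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectName" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectName in LocalMachine\My" }

# A certificate imported without its key (e.g. from a .cer instead of a .pfx) reports
# HasPrivateKey = False; no ACL change can fix that, it has to be re-imported.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-import it from a PFX"
}

# Opening the key as the current (elevated) user. If this throws "Keyset does not exist"
# even when elevated, the key container itself is missing or damaged (the "bug" the
# answer's NOTE describes), not merely inaccessible to the app pool.
try {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
} catch [System.Security.Cryptography.CryptographicException] {
    throw "Private key container cannot be opened even when elevated: $($_.Exception.Message)"
}

# Resolve the key file on disk. CAPI (CSP) machine keys live under
# %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, CNG machine keys under
# %ProgramData%\Microsoft\Crypto\Keys (assumed standard locations).
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = $rsa.Key.UniqueName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
$keyPath = Join-Path $keyDir $keyFile
if (-not (Test-Path $keyPath)) { throw "Key file not found at $keyPath" }

# Grant Read only: the worker process needs to use the key, not export or replace it.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting entry so the change can be verified (and audited) afterwards.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Granting Read on the key file is the least-privilege form of the fix described above; it is preferable to the alternative answer of switching the application pool to a broader local identity, because the pool keeps its own isolated account and only this one key becomes readable to it. Recycle the application pool after the ACL change so the worker process re-opens the key.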

Other tips

I already solved this issue. The problem was the authentication of the AppPool of IIS: it was using a network credential that does not have permission to access the cert store. When I changed the authentication to a LocalUser, the problem was solved.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow