Re: send X509 certificate to an Xmlrpc service under IIS7

If this is normal SSL client certificate authentication (which it sounds like it is), you need to ensure that the remote machine you are deploying to has the private key for the certificate as well and the process running your service has read access on the private key once it is installed.

To do this, you need to export the certificate as a p12/pfx file, import it to the remote machine (into the local machine store, not the current user store) and set the permissions on the private key so that your service account has read access (unless you are running as System which hopefully you are not).


Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"Balint Kardos" <balint@xxxxxxxxx> wrote in message news:38117ACF-00CE-4C2F-8071-308FF8C304C9@xxxxxxxxxxxxxxxx

I have to call a remote Xmlrpc gateway, which requires me to send a previously generated certificate (stored in a .der file).
If I do it in Visual Studio 2008 with my user account (Balint), VS's built-in WebServer can read out the certificate's path and CA's root cert from CURRENT_USER\Trusted Root, and works fine.

If I try to install the application on IIS7, it fails with "The request was aborted: Could not create SSL/TLS secure channel".

1) If I understand well, IIS7's W3WP/SVCHOST processes are running under the NETWORK account.
I've tried to add the certificates to NETWORK's CURRENT_USER\Personal, and CURRENT_USER\Trusted Root store, but it's still not working.

2) I tried <impersonate> in the web.config for my user account, but it's still not working.

3) I've imported the certs to LOCAL_MACHINE\Trusted Root, no luck.

4) I thought the certificate is bad, or the path is wrongly built, and tried to use it on a local SSL website:
It's okay, IIS can read out the key from LOCAL_MACHINE\Trusted Root\, so the https://localhost/ site is working well with these certs, however I don't want to use it for anything :)

What am I missing here?
From C# code, how can I build a "path" for my certificate, which would include the CA's root certificate too?
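
The import-and-permission procedure described in the reply at the top of this thread, sketched in PowerShell as an added example (not code from either poster). It imports the p12/pfx into the local machine store, locates the private key file and grants read-only access to the service account. Assumptions: it runs from an elevated prompt, the key is RSA, and $PfxPath and $Account are placeholder values to replace.

```powershell
# Added example. $PfxPath and $Account are assumed placeholder values; set them for your server.
$PfxPath = 'C:\deploy\client-cert.pfx'        # assumed location of the exported p12/pfx
$Account = 'NT AUTHORITY\NETWORK SERVICE'     # assumed identity the IIS worker process runs as

# 1. Import certificate and private key into the local machine store (not the current user store).
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password |
    Select-Object -First 1
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export it as p12/pfx including the key."
}

# 2. Resolve the on-disk key file. Assumes an RSA key; CNG and legacy CSP keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'No RSA private key is accessible for this certificate.' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName"
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found under $env:ProgramData\Microsoft\Crypto." }

# 3. Grant the service account read access only, never Full Control.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# 4. Show the resulting entries for the account so the change can be verified.
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```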