Re: send X509 certificate to an Xmlrpc service under IIS7

If this is normal SSL client certificate authentication (which it sounds like it is), you need to ensure that the remote machine you are deploying to has the private key for the certificate as well and the process running your service has read access on the private key once it is installed.

To do this, you need to export the certificate as a p12/pfx file, import it to the remote machine (into the local machine store, not the current user store) and set the permissions on the private key so that your service account has read access (unless you are running as System which hopefully you are not).


Joe Kaplan - MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"Balint Kardos" <balint@xxxxxxxxx> wrote in message news:38117ACF-00CE-4C2F-8071-308FF8C304C9@xxxxxxxxxxxxxxxx

I have to call a remote Xmlrpc gateway, which requires me to send a previously generated certificate (stored in a .der file).
If I do it in Visual Studio 2008 with my user account (Balint), VS's built in WebServer can read out the certificate's path and CA's root cert from CURRENT_USER\Trusted Root, and works fine.

If I try to install the application on IIS7, it fails with "The request was aborted: Could not create SSL/TLS secure channel".

1) If I understand correctly, IIS7's W3WP/SVCHOST processes are running under the NETWORK account.
I've tried to add the certificates to NETWORK's CURRENT_USER\Personal and CURRENT_USER\Trusted Root stores, but it's still not working.

2) I tried <impersonate> in the web.config for my user account, but it's still not working.

3) I've imported the certs to LOCAL_MACHINE\Trusted Root, no luck.

4) I thought the certificate is bad, or the path is wrongly built, and tried to use it on a local SSL website:
It's okay, IIS can read out the key from LOCAL_MACHINE\Trusted Root\, so the https://localhost/ site is working well with these certs, however I don't want to use it for anything :)

What am I missing here?
From C# code, how can I build a "path" for my certificate, which would include the CA's root certificate too?
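An added example (not code from this thread, and written for the classic .NET Framework APIs the question uses) showing what Joe's advice looks like from the service side: load the certificate from the LocalMachine store, verify the running account can actually read the private key, build the chain to the root (the "path" the question asks about), and attach the certificate to the request. The thumbprint and gateway URL are placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class ClientCertLoader
{
    // Placeholders: substitute your certificate's thumbprint and the gateway URL.
    const string Thumbprint = "0000000000000000000000000000000000000000";
    const string GatewayUrl = "https://gateway.example.invalid/xmlrpc";
    // Load from LocalMachine\My (the store a service account can see) and check that
    // the private key was imported and is readable by the account we run as.
    static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("Not in LocalMachine\\My.");
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey) throw new InvalidOperationException("Import the .pfx, not the .der.");
            try { AsymmetricAlgorithm key = cert.PrivateKey; } // forces the key container open
            catch (CryptographicException ex)
            {   // Key exists but the app pool account has no read ACL on it.
                throw new InvalidOperationException("Private key not readable by this account.", ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }
    // The "path": end entity -> intermediates -> root, built from the machine trust stores.
    static X509Chain BuildChain(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        if (!chain.Build(cert))
            throw new InvalidOperationException("No chain to a trusted root: " + chain.ChainStatus[0].StatusInformation);
        return chain;
    }
    static void Main()
    {
        X509Certificate2 cert = LoadClientCertificate(Thumbprint);
        foreach (X509ChainElement e in BuildChain(cert).ChainElements)
            Console.WriteLine(e.Certificate.Subject);
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(GatewayUrl);
        request.ClientCertificates.Add(cert); // Schannel presents it in the TLS handshake
        request.GetResponse().Close(); // reaching here means the secure channel was created
    }
}
```

The "not readable" failure is the one Joe's last step fixes: grant the application pool identity read access on the private key (for example via the certificate's "Manage Private Keys" entry in the Certificates MMC) rather than running the pool as System.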
