Re: Accessing certificate store from ASP.NET web project

On May 10, 3:42 pm, Dominick Baier
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I wrote a little tool - this lets you choose the right cert (in your case
the cert must be in the local computer/personal) store - it will then open
the security dialog for the corresponding private key.

Have a look at the source code to open the right cert store...

If this does not work you have to provide us a little more info (exception

Dominick Baier (

Developing More Secure Microsoft ASP.NET 2.0 Applications (

I've run into a sticky situation. I currently have an ASP.NET
web project; this project uses webservices to receive XML from various
locations. One of the locations requires an x509 certificate in order
for it to work properly. All was good until they sent us a new
certificate two weeks ago. Now using the export *.cer method I can no
longer hit their webservice. They tell me that anything that's going
wrong is on my end. After much playing around with it, I decided to
try the CryptoAPI way instead, which would be just to hit the actual
certificate store and gather all the certs in a collection and pull
the one that I need directly from it and apply it to the
httpwebrequest object. I wrote up a small C# console app; this app is
very basic, it's just going to the store, gathering the certs, then
applying the cert to a webrequest object, then hitting the URL. As a
console app this works just fine. I adjusted my console app to become
a compiled DLL. I then add a reference to my VB project of that DLL.
But now I cannot grab any certificates from any store. I believe this
has to do with the fact that the console app is running under a
different user context than my web project. My question would
be how can I get my ASP.NET web project to actually have access to the
certificate store? I've followed along on
this page numerous times giving permission to the ASPNET/
NetworkService/Administrator users to that particular certificate,
but nothing will access it. It's currently residing on both my
certificates of my local user as well as the certificates of my local
computer. Is there any way to get this to work properly? The code
that is being based off of is from the Microsoft page that explains
the two ways to access the certificate. The *.cer way and the
CryptoAPI way. Any information would be greatly appreciated.

This is all an automated process, and I can't have people selecting
certificates every time they run this. Are you telling me there's no
way to set up access to the cert stores for an ASPNET/NetworkService
account? I'm not getting any exceptions; the problem is that

storeHandle = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0,

IntPtr currentCertContext;
currentCertContext = CertEnumCertificatesInStore(storeHandle,

These two lines don't return the IntPtr handles that they do when
running it as a console app. The OPEN will return a handle when it's
not ....LOCAL_MACHINE constant, but then the
CertEnumCertificatesInStore will always return 0 when running from the
ASP.NET web project. Since returning zero my loop to gather the
individual certs fails since it has no IntPtr to an actual value. Is
there any way to get those two functions to properly work in the
context of an ASPNET web project written in VB using a C# DLL added as
a reference? Does this make any sense to you or anyone out there? Is
there any workaround which would allow this to all occur in the
background with no user interaction? Any more information would be

Not only will this not work, but I'm still curious as to why doing
what I originally did with this webservice.... inserting them into the
stores... then using the WinHttpCertCfg.exe to apply access to the
NetworkService / ASPNET users. Then exporting it and attaching the
exported file to a httpwebrequest object... That was simple as pie to
originally set up but now that doesn't work, which is the reason I've
moved to the CryptoAPI way. The client said they added an additional
certificate authority when they sent me the new certificate. I for
some reason believe that has something to do with this not working the
original way anymore. Any information about this would also be
greatly appreciated.
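
A managed alternative to the P/Invoke calls discussed in this thread, as an added example that is not code from either poster: it opens the local computer/personal store with `X509Store` and separates "certificate not found" from "private key not readable by the account the web application runs as". The class and method names are assumptions, and the thumbprint and URL are supplied by the caller.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class ClientCertLoader   // hypothetical helper, not from the thread
{
    // Finds a client certificate in LocalMachine\My and reports which step
    // fails for the identity the code is actually running under.
    public static X509Certificate2 Load(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false: return the cert even if its chain does not
            // validate locally (e.g. an issuing CA is not installed here).
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException(
                    "Certificate not found in LocalMachine\\My.");

            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate is present but has no associated private key.");
            try
            {
                // Reading PrivateKey opens the key container, so a missing
                // ACL entry for the current account surfaces here.
                AsymmetricAlgorithm key = cert.PrivateKey;
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Private key not readable by "
                    + WindowsIdentity.GetCurrent().Name, ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    public static HttpWebRequest CreateRequest(string url, string thumbprint)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.ClientCertificates.Add(Load(thumbprint));
        return request;
    }
}
```

Running `Load` once from the console app and once from the web project shows which account each runs as and at which step the web project fails.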