How to set read permission on the private key file of X.509 certificate from .NET
To do it programmatically, you have to do three things:
- Get the path of the private key folder.
- Get the file name of the private key within that folder.
- Add the permission to that file.
See this post for some example code that does all three (specifically look at the "AddAccessToCertificate" method).
(NET6+) Grant user read permission on certificate's private key
I had some luck with this:
```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// input: "X509Certificate2 cert"
string rsaKeyName = null;
if (cert.GetRSAPrivateKey() is RSACng rsa)
{
    // CNG key: UniqueName is the name of the key file in the CNG key store
    rsaKeyName = rsa.Key.UniqueName;
}
if (rsaKeyName == null && cert.GetRSAPrivateKey() is RSACryptoServiceProvider rsaCSP)
{
    // Legacy CSP key: fall back to the CAPI key container name
    rsaKeyName = rsaCSP.CspKeyContainerInfo.KeyContainerName;
}
```
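The three steps from the first answer (find the key folder, find the key file, add the ACE) combined with the key-name lookup above, as an added example that is not code from either answer. It assumes Windows, a certificate in the machine store backed by the Microsoft software CSP or KSP, their default key-file folders under %ProgramData%, and the FileSystemAclExtensions package on .NET Core / .NET 5+; the account name passed in (e.g. "IIS AppPool\MyPool") is a placeholder.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class PrivateKeyAcl
{
    // Resolve the on-disk file backing a machine-stored RSA private key.
    // Assumption: default key-store folders of the Microsoft software providers.
    public static string GetPrivateKeyFile(X509Certificate2 cert)
    {
        string programData = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Certificate has no RSA private key.");

        if (rsa is RSACng cng)
        {
            // CNG (Microsoft Software Key Storage Provider) machine keys
            string name = cng.Key.UniqueName;
            return Path.Combine(programData, @"Microsoft\Crypto\Keys", name);
        }
        if (rsa is RSACryptoServiceProvider csp)
        {
            // Legacy CAPI (CSP) machine key containers; the unique name is the file name
            string name = csp.CspKeyContainerInfo.UniqueKeyContainerName;
            return Path.Combine(programData, @"Microsoft\Crypto\RSA\MachineKeys", name);
        }
        throw new NotSupportedException("Unsupported RSA implementation: " + rsa.GetType().Name);
    }

    // Add a Read-only ACE for the account to the key file (least privilege: no write/full control).
    public static void GrantRead(X509Certificate2 cert, string account)
    {
        var file = new FileInfo(GetPrivateKeyFile(cert));
        if (!file.Exists)
            throw new FileNotFoundException("Private key file not found.", file.FullName);

        FileSecurity acl = file.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(account), FileSystemRights.Read, AccessControlType.Allow));
        file.SetAccessControl(acl);
    }
}
```

Keys stored in a user profile live under %APPDATA% instead, so this lookup only applies to machine-store certificates; run it elevated, since the key folders are restricted.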
Reading an X.509 Certificate2 PrivateKey
You need to grant that account the "Manage auditing and security log rights". See http://support.microsoft.com/kb/2000257/en-US for more information. That is quite strange for a certificate operation, though.
How to view permissions for RSA Key Container may be relevant here, since it discusses requiring the same privilege to access a private key.
The account may have the privilege but it may need to be enabled. See C# Random Exception when Getting / Setting Registry ACL "SeSecurityPrivilege" for sample code.
Error setting X509Certificate2 PrivateKey
As LexLi said, setting the private key on an existing certificate is not possible by design in .net core.
Following what is described here, what you can do is use the method RSACertificateExtensions.CopyWithPrivateKey.
Instead of

```csharp
x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);
```

you could have

```csharp
var rsa = DotNetUtilities.ToRSA(rsaParams);
var cert = x509certificate.CopyWithPrivateKey(rsa);
return cert;
```

To get access to the "CopyWithPrivateKey" extension method, add this using:

```csharp
using System.Security.Cryptography.X509Certificates; /* for getting access to extension methods in RSACertificateExtensions */
```

"(CopyWithPrivateKey) Combines a private key with the public key of an RSA certificate to generate a new RSA certificate."
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.rsacertificateextensions.copywithprivatekey?view=netcore-3.0
How to give ASP.NET access to a private key in a certificate in the certificate store?
- Create / Purchase certificate. Make sure it has a private key.
- Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported"
Based upon which identity the IIS 7.5 Application Pool uses, do one of the following.
- IIS 7.5 Website is running under ApplicationPoolIdentity. Open MMC => Add Certificates (Local computer) snap-in => Certificates (Local Computer) => Personal => Certificates => Right click the certificate of interest => All tasks => Manage private key => Add "IIS AppPool\AppPoolName" and grant it Full control. Replace "AppPoolName" with the name of your application pool (sometimes "IIS_IUSRS").
- IIS 7.5 Website is running under NETWORK SERVICE. Using Certificates MMC, added "NETWORK SERVICE" to Full Trust on certificate in "Local Computer\Personal".
- IIS 7.5 Website is running under "MyIISUser" local computer user account. Using Certificates MMC, added "MyIISUser" (a new local computer user account) to Full Trust on certificate in "Local Computer\Personal".
Update based upon @Phil Hale comment:
Beware, if you're on a domain, your domain will be selected by default in the 'from location box'. Make sure to change that to "Local Computer". Change the location to "Local Computer" to view the app pool identities.