How to Set Read Permission on the Private Key File of X.509 Certificate from .Net

How to set read permission on the private key file of X.509 certificate from .NET

To do it programmatically, you have to do three things:

  1. Get the path of the private key folder.

  2. Get the file name of the private key within that folder.

  3. Add the permission to that file.

See this post for some example code that does all three (specifically look at the "AddAccessToCertificate" method).

(NET6+) Grant user read permission on certificate's private key

I had some luck with this:

// input: "X509Certificate2 cert"
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// On Windows GetRSAPrivateKey() returns an RSACng for CNG (KSP) keys and an
// RSACryptoServiceProvider for legacy CAPI keys; test the type instead of
// dereferencing a cast that is null for the other kind.
string rsaKeyName = null;
using (RSA rsa = cert.GetRSAPrivateKey())
{
    if (rsa is RSACng rsaCng)
        rsaKeyName = rsaCng.Key.UniqueName;   // file name under %ProgramData%\Microsoft\Crypto\Keys
    else if (rsa is RSACryptoServiceProvider rsaCSP)
        // UniqueKeyContainerName is the file name under ...\Crypto\RSA\MachineKeys
        // (KeyContainerName is only the logical container name, not the file)
        rsaKeyName = rsaCSP.CspKeyContainerInfo.UniqueKeyContainerName;
}

Reading an X.509 Certificate2 PrivateKey

You need to grant that account the "Manage auditing and security log" right. See http://support.microsoft.com/kb/2000257/en-US for more information. That is quite strange for a certificate operation, though.

How to view permissions for RSA Key Container may be relevant here, since it discusses requiring the same privilege to access a private key.

The account may have the privilege but it may need to be enabled. See C# Random Exception when Getting / Setting Registry ACL "SeSecurityPrivilege" for sample code.

Error setting X509Certificate2 PrivateKey

As LexLi said, setting the private key on an existing certificate is not possible by design in .NET Core.

Following what is described here, what you can do is use the method RSACertificateExtensions.CopyWithPrivateKey.

Instead of

x509certificate.PrivateKey = DotNetUtilities.ToRSA(rsaParams);

you could have

var rsa = DotNetUtilities.ToRSA(rsaParams);
var cert = x509certificate.CopyWithPrivateKey(rsa);
return cert;

To get access to the "CopyWithPrivateKey" extension method, add this using directive:

using System.Security.Cryptography.X509Certificates; /* for getting access to extension methods in RSACertificateExtensions */

"(CopyWithPrivateKey) Combines a private key with the public key of an RSA certificate to
generate a new RSA certificate."

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.rsacertificateextensions.copywithprivatekey?view=netcore-3.0
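The CopyWithPrivateKey replacement above, worked through as an added C# example that is not part of the posted answer. It takes any RSA instance (the answer's BouncyCastle DotNetUtilities.ToRSA(rsaParams) would do; RSA.Create() is used here so it runs without extra packages), refuses a key whose modulus does not match the certificate, and adds the step the answer leaves out: the key attached by CopyWithPrivateKey is ephemeral, so on Windows the certificate must be round-tripped through PKCS#12 with PersistKeySet before X509Store.Add will keep the key. Assumes .NET 6+ on Windows; the class and method names are the example's own.

```csharp
// Added example (not the answer's code): pair a public-only certificate with an RSA
// key via CopyWithPrivateKey, verify the key belongs to that certificate, and persist
// the key so it survives being added to a store. .NET 6+, Windows.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class AttachPrivateKey
{
    public static X509Certificate2 WithKey(
        X509Certificate2 publicOnly, RSA rsa,
        X509KeyStorageFlags flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet)
    {
        // Refuse to silently attach the wrong key: the public modulus must match.
        using RSA certPub = publicOnly.GetRSAPublicKey()
            ?? throw new ArgumentException("Certificate does not carry an RSA public key.", nameof(publicOnly));
        if (!certPub.ExportParameters(false).Modulus.AsSpan()
                .SequenceEqual(rsa.ExportParameters(false).Modulus))
            throw new ArgumentException("RSA key does not match the certificate's public key.", nameof(rsa));

        // The key attached here is ephemeral: X509Store.Add of this object would store the
        // certificate without its key. Round-trip through PKCS#12 with PersistKeySet so the
        // key is written to the (machine) key store. The password only protects the bytes
        // while they sit in memory between Export and the constructor.
        using X509Certificate2 ephemeral = publicOnly.CopyWithPrivateKey(rsa);
        string transitPassword = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        byte[] pfx = ephemeral.Export(X509ContentType.Pkcs12, transitPassword);
        return new X509Certificate2(pfx, transitPassword, flags);
    }

    static void Main()
    {
        // Constructed demo input: a self-signed certificate whose key is then stripped,
        // so WithKey() sees a public-only certificate plus a separate RSA object.
        using RSA key = RSA.Create(2048);
        var req = new CertificateRequest("CN=demo", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 signed = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30));
        using var publicOnly = new X509Certificate2(signed.Export(X509ContentType.Cert));
        Console.WriteLine($"before: HasPrivateKey={publicOnly.HasPrivateKey}");

        using X509Certificate2 withKey = WithKey(publicOnly, key);
        Console.WriteLine($"after:  HasPrivateKey={withKey.HasPrivateKey}");

        // A different key is rejected instead of producing a certificate that cannot sign.
        using RSA otherKey = RSA.Create(2048);
        try { WithKey(publicOnly, otherKey); }
        catch (ArgumentException e) { Console.WriteLine($"mismatch rejected: {e.Message}"); }
    }
}
```

Because PersistKeySet is used, running the demo leaves a key file behind in the machine key store even after the certificate object is disposed; in real code the returned certificate is what you add to X509Store, and a key you no longer need is removed by removing the certificate from the store or with certutil -delkey.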

How to give ASP.NET access to a private key in a certificate in the certificate store?

  1. Create / Purchase certificate. Make sure it has a private key.
  2. Import the certificate into the "Local Computer" account. Best to use Certificates MMC. Make sure to check "Allow private key to be exported"
  3. Based upon which identity the IIS 7.5 Application Pool runs under, use one of the following.

    • IIS 7.5 Website is running under ApplicationPoolIdentity. Open MMC => Add Certificates (Local computer) snap-in => Certificates (Local Computer) => Personal => Certificates => Right click the certificate of interest => All tasks => Manage private key => Add IIS AppPool\AppPoolName and grant it Full control. Replace "AppPoolName" with the name of your application pool (sometimes IIS_IUSRS)
    • IIS 7.5 Website is running under NETWORK SERVICE. Using Certificates MMC, add "NETWORK SERVICE" to Full Trust on the certificate in "Local Computer\Personal".
    • IIS 7.5 Website is running under "MyIISUser" local computer user account. Using Certificates MMC, add "MyIISUser" (a new local computer user account) to Full Trust on the certificate in "Local Computer\Personal".

Update based upon @Phil Hale comment:

Beware, if you're on a domain, your domain will be selected by default in the 'from location' box. Make sure to change that to "Local Computer", otherwise the app pool identities will not be listed.
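The three steps from the first answer (key folder, key file name, permission), the key-name lookup from the .NET 6 answer, and the IIS grant from this answer, combined into one added C# example that is not code from any of the posted answers. It is Windows-only (.NET 6+, net6.0-windows), must run elevated to change the ACL on a machine key file, and the thumbprint and account are command-line placeholders. It grants Read rather than Full Control, which is all a process needs to sign or decrypt with the key; the class and method names are the example's own.

```csharp
// Added example: locate a certificate's on-disk private key file and grant an
// account read access to it. Windows only (.NET 6+, net6.0-windows); run elevated.
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class PrivateKeyAcl
{
    // Step 1: folders holding machine-scope key files. CNG (KSP) keys and legacy
    // CAPI keys live in different directories under %ProgramData%.
    static readonly string ProgramData =
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
    static readonly string CngMachineKeys = Path.Combine(ProgramData, @"Microsoft\Crypto\Keys");
    static readonly string CapiMachineKeys = Path.Combine(ProgramData, @"Microsoft\Crypto\RSA\MachineKeys");

    // Step 2: the file name is the key's unique name, not its friendly container name.
    public static string GetPrivateKeyFilePath(X509Certificate2 cert)
    {
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("Certificate has no RSA private key.");

        switch (rsa)
        {
            case RSACng cng when cng.Key.IsMachineKey && cng.Key.UniqueName is string name:
                return Path.Combine(CngMachineKeys, name);
            case RSACryptoServiceProvider csp when csp.CspKeyContainerInfo.MachineKeyStore:
                return Path.Combine(CapiMachineKeys, csp.CspKeyContainerInfo.UniqueKeyContainerName);
            default:
                // Ephemeral keys have no file; user-profile keys live under the user's
                // AppData and are not what a service account should be reading anyway.
                throw new InvalidOperationException("Private key is not a persisted machine key.");
        }
    }

    // Step 3: add a Read ACE for the account, e.g. @"IIS AppPool\MyPool" or
    // @"NT AUTHORITY\NETWORK SERVICE". Read is sufficient to sign/decrypt with the key.
    public static void GrantReadOnPrivateKey(X509Certificate2 cert, string account)
    {
        string keyFile = GetPrivateKeyFilePath(cert);
        if (!File.Exists(keyFile))
            throw new FileNotFoundException("Key file not found on disk.", keyFile);

        var fileInfo = new FileInfo(keyFile);
        // The parameterless GetAccessControl() reads only the DACL, owner and group, so it
        // does not need SeSecurityPrivilege (that is only required for the audit SACL).
        FileSecurity acl = fileInfo.GetAccessControl();
        acl.AddAccessRule(new FileSystemAccessRule(
            new NTAccount(account), FileSystemRights.Read, AccessControlType.Allow));
        fileInfo.SetAccessControl(acl);
    }

    static int Main(string[] args)
    {
        // Placeholders: pass the certificate thumbprint and the account on the command line.
        string thumbprint = args.Length > 0 ? args[0] : "<THUMBPRINT>";
        string account = args.Length > 1 ? args[1] : @"IIS AppPool\DefaultAppPool";

        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2 cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
            .OfType<X509Certificate2>()
            .FirstOrDefault();
        if (cert is null)
        {
            Console.Error.WriteLine($"No certificate with thumbprint {thumbprint} in LocalMachine\\My.");
            return 1;
        }

        GrantReadOnPrivateKey(cert, account);
        Console.WriteLine($"Granted Read on {GetPrivateKeyFilePath(cert)} to {account}.");
        return 0;
    }
}
```

This is the programmatic equivalent of the MMC "Manage private key" dialog in this answer, with the difference that it adds a Read entry instead of Full Control; if the account later needs to export or delete the key, widen the rights then rather than by default.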

