send X509 certificate to an Xmlrpc service under IIS7

Discussion in 'ASP .Net Security' started by Balint Kardos, Aug 24, 2009.

  1. Hi,

    I have to call a remote Xmlrpc gateway, which requires me to send a
    previously generated certificate (stored in a .der file).
    If I do it in Visual Studio 2008 with my user account (Balint), VS's built
    in WebServer can read out the certificate's path and CA's root cert from
    CURRENT_USER\Trusted Root, and works fine.

    If I try to install the application on IIS7, it fails with "The request was
    aborted: Could not create SSL/TLS secure channel".

    1) If I understand well, IIS7's W3WP/SVCHOST processes are running under the
    NETWORK account.
    I've tried to add the certificates to NETWORK's CURRENT_USER\Personal, and
    CURRENT_USER\Trusted Root store, but it's still not working.

    2) I tried <impersonate> in the web.config for my user account, but it's
    still not working.

    3) I've imported the certs to LOCAL_MACHINE\Trusted Root, no luck.

    4) I thought the certificate is bad, or the path is wrongly built, and tried
    to use it on a local SSL website:
    It's okay, IIS can read out the key from LOCAL_MACHINE\Trusted Root\, so the
    https://localhost/ site is working well with these certs, however I don't
    want to use it for anything :)


    What am I missing here?
    From C# code, how can I build a "path" for my certificate, which would
    include the CA's root certificate too?


    Thanks,

    Balint
     
    Balint Kardos, Aug 24, 2009
    #1
  2. Joe Kaplan Guest

    If this is normal SSL client certificate authentication (which it sounds
    like it is), you need to ensure that the remote machine you are deploying to
    has the private key for the certificate as well and the process running your
    service has read access on the private key once it is installed.

    To do this, you need to export the certificate as a p12/pfx file, import it
    to the remote machine (into the local machine store, not the current user
    store) and set the permissions on the private key so that your service
    account has read access (unless you are running as System which hopefully
    you are not).

    HTH!

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Balint Kardos" <> wrote in message
    news:...
    > Hi,
    >
    > I have to call a remote Xmlrpc gateway, which requires me to send a
    > previously generated certificate (stored in a .der file).
    > If I do it in Visual Studio 2008 with my user account (Balint), VS's built
    > in WebServer can read out the certificate's path and CA's root cert from
    > CURRENT_USER\Trusted Root, and works fine.
    >
    > If I try to install the application on IIS7, it fails with "The request
    > was aborted: Could not create SSL/TLS secure channel".
    >
    > 1) If I understand well, IIS7's W3WP/SVCHOST processes are running under
    > the NETWORK account.
    > I've tried to add the certificates to NETWORK's CURRENT_USER\Personal, and
    > CURRENT_USER\Trusted Root store, but it's still not working.
    >
    > 2) I tried <impersonate> in the web.config for my user account, but it's
    > still not working.
    >
    > 3) I've imported the certs to LOCAL_MACHINE\Trusted Root, no luck.
    >
    > 4) I thought the certificate is bad, or the path is wrongly built, and
    > tried to use it on a local SSL website:
    > It's okay, IIS can read out the key from LOCAL_MACHINE\Trusted Root\, so
    > the https://localhost/ site is working well with these certs, however I
    > don't want to use it for anything :)
    >
    >
    > What am I missing here?
    > From C# code, how can I build a "path" for my certificate, which would
    > include the CA's root certificate too?
    >
    >
    > Thanks,
    >
    > Balint
     
    Joe Kaplan, Aug 24, 2009
    #2
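
The checks described in the reply above, as an added example that is not part of the original thread: a small .NET Framework console program, run under the same account as the IIS worker process, that looks for the client certificate in the local machine store, confirms a private key is present and readable, and attaches it to the outgoing request. The thumbprint and gateway URL are placeholders, and the class and method names are made up for this sketch.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class ClientCertCheck
{
    // Placeholders (assumptions): replace with the imported certificate's
    // thumbprint and the real XML-RPC gateway URL.
    const string Thumbprint = "<CLIENT-CERT-THUMBPRINT>";
    const string GatewayUrl = "https://gateway.example/xmlrpc";

    static X509Certificate2 LoadClientCertificate()
    {
        // Local machine store, not the current user store of whoever did the import.
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, Thumbprint, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate is not in LocalMachine\\My.");

            X509Certificate2 cert = found[0];
            // A .der/.cer file holds only the public certificate; client
            // authentication needs the key that travels in the .p12/.pfx export.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("No private key; import the .pfx, not the .der.");
            try
            {
                // Opening the key fails if this account has no read access to it.
                if (cert.PrivateKey == null)
                    throw new InvalidOperationException("Private key could not be opened.");
            }
            catch (CryptographicException ex)
            {
                throw new InvalidOperationException("Private key is not readable by "
                    + WindowsIdentity.GetCurrent().Name, ex);
            }
            return cert;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(GatewayUrl);
        request.ClientCertificates.Add(LoadClientCertificate());
        Console.WriteLine("Client certificate attached for " + WindowsIdentity.GetCurrent().Name);
    }
}
```

Each exception message maps to one step of the reply: certificate missing from the machine store, certificate imported without its key, or key present but not readable by the service account.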