X509Certificate Store access issue


We created numerous X509Certificate2's on our application server using an ASP.NET C# website. When calling any functionality via the website that uses these certificates, the process executes just fine - finding the appropriate certificates from the store.

BUT, when we run a Service that we created, that calls the same code that the website called, the process fails as it doesn't find any certificates in the Store.

When we add the certificates to the store via the website, we use the code:
X509Store storeCurrentUser = new X509Store(StoreName.My, StoreLocation.CurrentUser);

Now, after a bit of digging, it seems that in order for the Service to be able to access the certificates, they need to be obtained from the StoreLocation.LocalMachine store (I could be wrong here - so please correct me if I am)

Then, from what I understand, the website should search the StoreLocation.CurrentUser store for certificates, whereas the application Service should access the StoreLocation.LocalMachine store.

The problem is that via the website, I can only add certificates to the StoreLocation.CurrentUser store. If I try to add to the StoreLocation.LocalMachine store, I get an "access denied" error.

What do I need to do to install certificates that will be accessible via a function called via the web application AND the same function called via a Service (Windows Service, not Web Service)

Please help.

käµfm³d 👽Commented:
Does the user with which you are executing the service have permissions to access the store?
djcheekyAuthor Commented:
I'm not sure. What I have been able to determine is:

For the website, the identity of the user using the code below is:

For the website: SERVER_NAME\ASPNET

The web application installs certificates into the CurrentUser store, which is why when I query that store using the Service, I get no certificates. Because the website used 'SERVER_NAME\ASPNET' as the CurrentUser and the Service used 'NT AUTHORITY\SYSTEM'

Is there not any way to perhaps create a totally new user on the Server and somehow force both the web application AND the service to use this account.

For example, create a user called CERTUSER and then always use SERVERNAME\CERTUSER somehow?

I'm a little confused when it comes to user permissions, I must admit!

djcheekyAuthor Commented:
I apologise - the website is actually using: NT AUTHORITY\NETWORK SERVICE

djcheekyAuthor Commented:
Ok, I have managed to come up with a solution based on Impersonating a User, as seen in this article:

So what I did was create a User on the application server (had to belong to the admin group or else it wouldn't work) and then I impersonated that user when adding / accessing the certificate store. That way the CurrentUser store used was always that of the impersonated user.

Would there be any security implications going this route?
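Added example (not code from the original question or its comments) showing the store-scoping point behind the thread: the CurrentUser store is private to whichever Windows identity opens it, so a certificate the site installed as NETWORK SERVICE is simply not there when the service opens "its" CurrentUser store as LOCAL SYSTEM, while LocalMachine\My is one store shared by every account on the box. The helper below looks a certificate up by thumbprint in either location and installs a PFX into the machine store; the class name, the thumbprint and the PFX path are illustrative, and the thumbprint value is constructed, not a real certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Illustrative helper; names are assumptions, not from the original thread.
public static class CertStoreHelper
{
    // Look a certificate up by thumbprint in the given store location.
    // StoreLocation.CurrentUser is scoped to the identity running this code
    // (NETWORK SERVICE for the site, LOCAL SYSTEM for the service), so each
    // sees a different store. StoreLocation.LocalMachine is shared by all.
    public static X509Certificate2 FindByThumbprint(StoreLocation location, string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly:false so expired or untrusted-chain certificates still
            // show up; chain and expiry checks are the caller's job.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return matches.Count > 0 ? matches[0] : null;
        }
        finally
        {
            store.Close();
        }
    }

    // Install a PFX into LocalMachine\My so that both the web application and
    // the Windows service find it. Writing to the machine store needs
    // administrative rights, which is the "access denied" a web app running
    // as NETWORK SERVICE gets; run this once from an elevated installer or
    // admin console rather than from the site itself.
    public static void InstallToLocalMachine(string pfxPath, string pfxPassword)
    {
        // MachineKeySet puts the private key in the machine key container
        // instead of the installing user's profile; PersistKeySet keeps it.
        X509Certificate2 cert = new X509Certificate2(
            pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        catch (CryptographicException ex)
        {
            throw new InvalidOperationException(
                "Cannot write to LocalMachine\\My; the calling identity must be an administrator", ex);
        }
        finally
        {
            store.Close();
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed placeholder thumbprint: 40 hex digits, no spaces.
        const string thumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

        // Per-user lookup: only finds certificates installed by the same identity.
        X509Certificate2 perUser = CertStoreHelper.FindByThumbprint(StoreLocation.CurrentUser, thumbprint);
        Console.WriteLine("CurrentUser store: " + (perUser == null ? "not found" : perUser.Subject));

        // Machine-wide lookup: what the site and the Windows service should both use.
        X509Certificate2 perMachine = CertStoreHelper.FindByThumbprint(StoreLocation.LocalMachine, thumbprint);
        Console.WriteLine("LocalMachine store: " + (perMachine == null ? "not found" : perMachine.Subject));
    }
}
```

Two practitioner notes on the approach in the last comment. Impersonating an administrator from a web application so that it can write to a certificate store hands the site far more privilege than the task needs; installing the certificate once into LocalMachine\My from an elevated context and leaving the site and the service as ordinary accounts is the least-privilege equivalent. Visibility is not the whole story either: a non-administrative identity such as NETWORK SERVICE can enumerate the machine store but still needs read permission on the certificate's private key (granted via "Manage Private Keys" on the certificate in the certificates MMC snap-in, or an ACL on the key file) before it can sign or decrypt with it.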

