• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2100

X509Certificate Store access issue


We created numerous X509Certificate2's on our application server using an ASP.NET C# website. When calling any functionality via the website that uses these certificates, the process executes just fine - finding the appropriate certificates from the store.

BUT, when we run a Service that we created, that calls the same code that the website called, the process fails as it doesn't find any certificates in the Store.

When we add the certificates to the store via the website, we use the code:
X509Store storeCurrentUser = new X509Store(StoreName.My, StoreLocation.CurrentUser);

Now, after a bit of digging, it seems that in order for the Service to be able to access the certificates, they need to be obtained from the StoreLocation.LocalMachine store (I could be wrong here - so please correct me if I am)

Then, from what I understand, the website should search the StoreLocation.CurrentUser store for certificates, whereas the application Service should access the StoreLocation.LocalMachine store.    

The problem is that via the website, I can only add certificates to the StoreLocation.CurrentUser store. If I try to add to the StoreLocation.LocalMachine store, I get an "access denied" error.

What do I need to do to install certificates that will be accessible via a function called via the web application AND the same function called via a Service (Windows Service, not Web Service)?

Please help.

1 Solution
käµfm³d 👽Commented:
Does the user with which you are executing the service have permissions to access the store?
djcheekyAuthor Commented:
I'm not sure. What I have been able to determine is:

For the website, the identity of the user using the code below is:

For the website: SERVER_NAME\ASPNET

The web application installs certificates into the CurrentUser store, which is why, when I query that store using the Service, I get no certificates: the website used 'SERVER_NAME\ASPNET' as the CurrentUser and the Service used 'NT AUTHORITY\SYSTEM'.

Is there not any way to perhaps create a totally new user on the Server and somehow force both the web application AND the service to use this account?

For example, create a user called CERTUSER and then always use SERVERNAME\CERTUSER somehow?

I'm a little confused when it comes to user permissions, I must admit!

djcheekyAuthor Commented:
I apologise - the website is actually using: NT AUTHORITY\NETWORK SERVICE

djcheekyAuthor Commented:
Ok, I have managed to come up with a solution based on Impersonating a User, as seen in this article:

So what I did was create a User on the application server (had to belong to the admin group or else it wouldn't work) and then I impersonated that user when adding / accessing the certificate store. That way the CurrentUser store used was always that of the impersonated user.

Would there be any security implications going this route?
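The following is an added C# example, not code from the thread's author. It shows the alternative to impersonating an administrator that the thread circles around: install the certificate once into LocalMachine\My under an administrative account, then have both the web application (NETWORK SERVICE) and the Windows service open that store read-only. The `Report` helper also prints the account the code actually runs as, which is the ASPNET / NETWORK SERVICE / SYSTEM confusion from the earlier comments. The thumbprint, PFX path and password are placeholders; the example assumes .NET Framework 2.0 or later, and it assumes that an administrator has granted the service and application-pool accounts read access to the certificate's private key (for example through the certificate's "Manage Private Keys" dialog in the MMC snap-in), since an account that can read the store can still be unable to use the key.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example, not the poster's code. "THUMBPRINT_PLACEHOLDER" and the PFX
// arguments are placeholders; they are not values from the thread.
public static class SharedCertStore
{
    // Opens the given store read-only and returns the certificate with the given
    // thumbprint, or null. Reading LocalMachine\My needs no write access, so this
    // works for NETWORK SERVICE and for an unprivileged service account alike.
    public static X509Certificate2 Find(string thumbprint, StoreLocation location)
    {
        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            // OpenExistingOnly: never silently creates an empty store.
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            X509Certificate2Collection hits =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return hits.Count == 0 ? null : hits[0];
        }
        finally
        {
            store.Close();
        }
    }

    // One-time installation step, to be run by an administrator (an installer or an
    // elevated console), NOT from the web site: this ReadWrite open of LocalMachine
    // is the call that fails with "access denied" for NETWORK SERVICE.
    // MachineKeySet puts the private key in the machine key container, so other
    // accounts can be granted access to it; without it the key lands in the
    // importing user's profile and no other account (such as the service) can use it.
    public static void InstallForMachine(string pfxPath, string pfxPassword)
    {
        X509Certificate2 cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        try
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        finally
        {
            store.Close();
        }
    }

    // HasPrivateKey only says a key is associated with the certificate; touching
    // PrivateKey is what fails when this account lacks read access to the key container.
    private static bool PrivateKeyUsable(X509Certificate2 cert)
    {
        try { return cert.HasPrivateKey && cert.PrivateKey != null; }
        catch (CryptographicException) { return false; }
    }

    // Diagnostic for the thread's situation: which account is this, and does each
    // store yield a usable certificate? Call it from both the site and the service.
    public static string Report(string thumbprint)
    {
        string result = "Running as " + WindowsIdentity.GetCurrent().Name + Environment.NewLine;
        foreach (StoreLocation loc in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            try
            {
                X509Certificate2 cert = Find(thumbprint, loc);
                result += loc + ": " + (cert == null
                    ? "not found"
                    : "found, private key " + (PrivateKeyUsable(cert) ? "usable" : "NOT accessible"))
                    + Environment.NewLine;
            }
            catch (CryptographicException ex)
            {
                result += loc + ": " + ex.Message + Environment.NewLine;
            }
        }
        return result;
    }

    public static void Main()
    {
        Console.WriteLine(Report("THUMBPRINT_PLACEHOLDER"));
    }
}
```

Compared with impersonating a member of the Administrators group from the web site, this keeps the web and service accounts unprivileged: the only write to LocalMachine\My happens in an administrative installation step, and the running code needs nothing beyond read access to the store and to the one private key it uses. If `Report` shows the certificate as found but the private key as "NOT accessible", the fix is the key ACL (or re-importing with MachineKeySet), not a broader account.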
