I am developing a WCF service, which uses SSL certificate for transport security.
I followed various tutorials and hints online to generate and import the certificate. The certificate is imported using the following command:
certmgr.exe -add -all -c <filename>.pfx -s -r localMachine my
My WCF service runs happily using the imported certificate in console mode. The problem starts when I switch my service to be hosted in a Windows Service, which runs as “NETWORK SERVICE”. The exception complains that the application has no access to the installed private key.
So I used FindPrivateKey.exe and found out that the private key is actually installed in the current user’s AppData folder:
C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3289377140-263254259-3378496556-1105\d3a0de64e6f0513692d593a77a71d3ac_15824a33-515a-493c-a33f-38a7b852e11a
It would not work even if I granted the “NETWORK SERVICE” user access rights to this file.
In the end I had to remove the certificate and re-import it using MMC, which placed the private key at:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\c3ccd4300462fe2aa7cec7f747fbd075_15824a33-515a-493c-a33f-38a7b852e11a
So my question is: how can I get certmgr to place the private key in C:\ProgramData\ instead of the current user’s AppData?
You should not try to work with certificates at the file level. That is an internal implementation detail that is not guaranteed to be supported.
There is an MS tool that can help you:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa384088(v=vs.85).aspx
Command that you need to run:
Use this link to install the tool:
http://www.microsoft.com/en-us/download/details.aspx?id=19801
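Where the tool linked above is not available, the same two steps (import into the machine store so the key lands under MachineKeys, then grant the service account Read on that key) can be scripted in PowerShell. This is an added example, not code from the question or the answer; the PFX path is a placeholder, it must run from an elevated prompt, and it locates the key file through the key's own CSP/CNG metadata instead of hard-coding the paths quoted in the question.

```powershell
# Added example: import a PFX into Cert:\LocalMachine\My and grant
# NETWORK SERVICE read access to its private key. Run elevated.
param(
    [string]$PfxPath   = 'C:\certs\service.pfx',              # assumption / placeholder
    [string]$Principal = 'NT AUTHORITY\NETWORK SERVICE'        # account the Windows Service runs as
)

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Importing into the LocalMachine store is what puts the key in the machine
# key store; importing under the current user profile is the failure from the question.
$cert = Import-PfxCertificate -FilePath $PfxPath `
            -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }

# Resolve the on-disk key container from the key object (works for both
# legacy CSP keys under RSA\MachineKeys and CNG keys under Crypto\Keys).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'
} else {
    if (-not $rsa.CspKeyContainerInfo.MachineKeyStore) {
        throw 'Private key was created in the user key store, not the machine key store'
    }
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
}
$keyFile = Join-Path $keyDir $keyName
if (-not (Test-Path $keyFile)) { throw "Key file not found in machine key store: $keyFile" }

# Grant Read only: the service needs to use the key, not export or replace it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

'Thumbprint {0} imported; {1} granted Read on {2}' -f $cert.Thumbprint, $Principal, $keyFile
```

Afterwards the service can reference the certificate by thumbprint from the LocalMachine\My store, and the key file ACL can be reviewed with Get-Acl to confirm only the intended account was added.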