I have come across this excellent blog explaining how to provide access to private keys and why it's needed:
On http://www.microsoft.com we have a number of applications that use certs
to access other web services. The way we do it is by installing the
certificate with the private key into the local machine store, giving
the application pool identity access to the private key, and using
the serial number or the thumbprint of the certificate in the
web.config of the application. One of the key challenges was to script
out the private key access for the application pool identity across the
server farm. (source: http://tinyurl.com/cbsmpqk)
At the moment my Silverlight application can't access the database, as it seems that it has no access to the installed certificate (on Azure Cloud), which is required to read the encrypted DB connectionString.
It says "Failed to decrypt using provider 'CustomProvider' -> Keyset does not exist."
Following the blog above, I was able to solve it by changing the permissions on the installed certificate to grant additional read access to 'Authenticated Users' or even to 'Users'.
In both cases it works fine, but I don't understand the security implications. Does it mean that anybody from the Internet is now able to read my certificate's thumbprint? Have I mistakenly opened a security hole?
Which username/Role should I rather have given the read access to the private keys of the certificate?
Many Thanks
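The approach the quoted blog describes, as an added example (not code from the question or from the blog): grant only the IIS application pool's virtual account read access to the certificate's private key file, instead of widening access to 'Users' or 'Authenticated Users'. It assumes the certificate sits in LocalMachine\My with a CAPI (RSA) key, that the pool is named "MyAppPool" (a hypothetical name), and that it is run as an administrator.

```powershell
# Added example, not from the question or the quoted blog.
# Assumptions: certificate in LocalMachine\My with a CAPI RSA key,
# IIS application pool named "MyAppPool" (hypothetical), run elevated.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # same value as in web.config
    [string] $AppPoolName = 'MyAppPool'             # hypothetical pool name
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key installed" }

# CAPI machine keys are stored as files under MachineKeys; the file name is
# the unique key container name of the certificate's private key.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $keyName) { throw "Could not resolve key container name (CNG key?)" }
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName

# The application pool identity is the virtual account 'IIS AppPool\<name>'.
# Read access on the key file is all the pool needs to use the private key.
$identity = "IIS AppPool\$AppPoolName"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity, 'Read', 'Allow')

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the result: the ACL should list the pool identity and no broad
# groups such as 'Users' or 'Authenticated Users'.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

For a certificate whose key is stored by CNG rather than CAPI, `$cert.PrivateKey` is not populated; the key file then lives under `$env:ProgramData\Microsoft\Crypto\Keys` and its name comes from `[System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert).Key.UniqueName`.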
I don't think it means anyone can access your private key. If you set 'Authenticated Users' or 'Users', that means only the users in these groups have the access permission. But if you set 'Everyone', that means everyone.