Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jan 24, 2011

How to give IIS access to private keys

If one of your ASP.NET applications needs access to a certificate from the certificate store along with its private key, you'll probably run into trouble. The private key is saved in a special file with an unguessable name, and that file is not readable by everyone (for obvious reasons). The lack of file access is not very intuitive, as you can see the certificate in the Certificate MMC snap-in, and it will claim that "this certificate has a corresponding private key". You'll still have to give the application pool's user read access to the key.

There are some differences in how to do this on the 2008 R2 and the 2003 server. Here's a short explanation and some useful resources for both versions.

Windows 2008 R2 server
On the 2008 R2 server, the lack of read access to the private key will manifest itself as this exception:
Exception Details: System.Security.Cryptography.CryptographicException: Keyset does not exist
A notable new feature in the 2008 R2 server (with IIS 7.5) is that application pools run under their own user. You need to figure out which identity the application pool is running as, e.g. IIS AppPool\DefaultAppPool. Here's a great writeup on how this works: Application pool identities.

The security properties of the private key file can be set through the certificate MMC snap-in. (Start -> run -> "mmc" -> Add snap-in -> Certificates -> Local Machine/Personal cert store). You need to give the application pool user read access to the private key file.
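
The same permission change can be scripted. The following PowerShell is an added example, not part of the original post: it assumes an RSA key stored by a legacy CSP in the machine key store (not a CNG key), an elevated prompt on 2008 R2, and a placeholder thumbprint that you replace with your certificate's.

```powershell
# Added example: grant one application pool identity Read access to the
# private key file of a certificate in LocalMachine\My.
# Assumes a CSP-stored RSA key; for CNG keys $cert.PrivateKey is not usable
# this way and the key file lives elsewhere.

# Constructed placeholder values - replace with your own.
$thumbprint = '0000000000000000000000000000000000000000'
$account    = 'IIS AppPool\DefaultAppPool'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)               { throw "No certificate $thumbprint in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate has no associated private key." }

# The key container's unique name is the file name of the private key.
$keyInfo = $cert.PrivateKey.CspKeyContainerInfo
if (-not $keyInfo.MachineKeyStore) { throw "Key is not in the machine key store." }

$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $keyInfo.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

# Show who can read the key before changing anything.
$acl = Get-Acl -Path $keyFile
Write-Output "ACL before:"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant Read only, and only to the one identity that needs it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Confirm the result.
Write-Output "ACL after:"
(Get-Acl -Path $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Reviewing the "before" listing is worthwhile on its own: any broad group such as Users or Everyone on a private key file defeats the point of restricting it.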

Note: the 2008 server (not R2) uses the same user execution model as the 2003 server. Keep reading if you have one of those.

Windows 2003 server
On the 2003 server, the exception is even less informative than on the 2008 R2.
Exception Details: System.Security.Cryptography.CryptographicException: The handle is invalid.
The challenge is still the lack of read access to the private key. Here's an explanation of how to use the WSE tool to adjust the private key's security settings. You can also check out Microsoft's findprivatekey.exe tool.

You'll probably need to give the user NETWORKSERVICE read access to the private key file, unless you've changed the application pool user defaults.




Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
