In our implementation, we exported a base-64 encoded version of the public key to include in our project. When you load this file version of the certificate, it automatically gets the private key from the certificate store (if it's there and if you've granted permissions to ASP.NET, IWAM, IUSR and NetworkService for Win 2003).
kali.mist
Member
124 Points
69 Posts
How do I associate a X509 certificate with the Network Service account
Feb 18, 2007 07:09 PM|LINK
Folks,
I'm calling an external web service via WSE 3.0. I need to use an X509 cert. I have installed the cert under a user account. My application needs to be accessed anonymously, so I'm using impersonation to load the cert from the impersonated user's store.
The problem is that now sometimes the user's store is not loading. I need to be able to associate the cert with the ASPNET / NETWORK SERVICE account.
Can anyone show me an example? I tried a few examples off MSDN but they would not work for me.
Thanks
Mick
Sohnee
Contributor
2560 Points
492 Posts
Re: How do I associate a X509 certificate with the Network Service account
Feb 19, 2007 07:46 AM|LINK
Step 1 - if you don't already have it installed - get WinHttpCertCfg
http://www.microsoft.com/downloads/details.aspx?familyid=C42E27AC-3409-40E9-8667-C748E422833F&displaylang=en
Step 2 - if you already have the certificate installed on the machine and you just need to grant access to Network Service:
WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "IssuedToName" -a "NetworkService"
If you're using Windows 2000 you don't need to grant access to Network Service but from Windows 2003 you do.
The full rundown on this tool can be found here:
http://support.microsoft.com/kb/901183
kali.mist
Member
124 Points
69 Posts
Re: How do I associate a X509 certificate with the Network Service account
Feb 19, 2007 09:19 AM|LINK
Thanks Sohnee.
When I'm installing the cert, which store should I use so that NetworkService can access it?
Also, what should I use for "IssuedToName"? Is it just the name of the cert?
Thanks
Mick
Sohnee
Contributor
2560 Points
492 Posts
Re: How do I associate a X509 certificate with the Network Service account
Feb 23, 2007 02:35 PM|LINK
I use the local machine store.
If you open the certificate (double click it in the store) and view the details, you should be able to see who the certificate is issued to. Usually it's a domain or email address.
kali.mist
Member
124 Points
69 Posts
Re: How do I associate a X509 certificate with the Network Service account
Apr 18, 2007 01:12 PM|LINK
Sohnee,
Can you show me a piece of code where you look in the local machine store for the certificate?
Here is my existing code. I'm having to use a specified account and impersonation. It's not good.
Imports System.Security.Cryptography.X509Certificates

Dim store As X509Store
Dim certs As X509Certificate2Collection
Dim cert As X509Certificate2
Dim certlist As String = ""
' Opens the personal store of the current (impersonated) user
store = New X509Store(StoreName.My, _
    StoreLocation.CurrentUser)
store.Open(OpenFlags.ReadOnly)
' Collect the subject of every certificate in the store
For Each cert In store.Certificates
    certlist += cert.SubjectName.Name
Next
' Look up the certificate by issuer, valid certificates only
certs = _
    store.Certificates.Find(X509FindType.FindByIssuerName, "rogerlodger", True)
store.Close()
Thanks
Mick
Sohnee
Contributor
2560 Points
492 Posts
Re: How do I associate a X509 certificate with the Network Service account
Apr 18, 2007 03:20 PM|LINK
kali.mist
Member
124 Points
69 Posts
Re: How do I associate a X509 certificate with the Network Service account
Apr 19, 2007 12:45 AM|LINK
Great!!!
Any chance you could show me some code please? I'm not at the "exporting a base-64 encoded version of the public key" level :)
Cheers
Sohnee
Contributor
2560 Points
492 Posts
Re: How do I associate a X509 certificate with the Network Service account
Apr 19, 2007 02:38 PM|LINK
If you right-click on the certificate in the certificate store, you can choose "export", which presents a small number of options (save it as a .cer)
Then you can access the certificate like this:
X509Certificate2 cert1 = new X509Certificate2("cert.cer");
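
For the question asked earlier in the thread (reading the certificate from the local machine store instead of an impersonated user's store), here is an added example that is not code from either poster. The class and method names are hypothetical; it assumes the certificate sits in LOCAL_MACHINE\MY, the store the WinHttpCertCfg command above targets, and it also checks whether the account the code runs as can actually open the private key.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

static class MachineStoreCert   // hypothetical helper, not part of WSE or the thread
{
    // Finds one certificate in LOCAL_MACHINE\MY whose subject ("Issued to")
    // contains subjectFragment.
    public static X509Certificate2 Find(string subjectFragment)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly = false: report an expired or untrusted certificate
            // instead of silently returning nothing.
            X509Certificate2Collection hits = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectFragment, false);
            if (hits.Count != 1)
                throw new InvalidOperationException(
                    hits.Count + " certificates match '" + subjectFragment + "'; expected exactly 1.");
            return hits[0];
        }
        finally { store.Close(); }
    }

    // True only if the identity this code runs as can open the private key.
    public static bool CanUsePrivateKey(X509Certificate2 cert, out string detail)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        if (!cert.HasPrivateKey)
        {
            detail = "No private key is associated with this certificate.";
            return false;
        }
        try
        {
            // Reading PrivateKey opens the key container, so a missing ACL
            // entry for this account surfaces here as a CryptographicException.
            AsymmetricAlgorithm key = cert.PrivateKey;
            detail = who + " can open the private key.";
            return key != null;
        }
        catch (CryptographicException ex)
        {
            detail = who + " cannot open the private key: " + ex.Message;
            return false;
        }
    }
}
```

Call `MachineStoreCert.Find("IssuedToName")` and then `CanUsePrivateKey` from inside the web application, so the check runs under the worker-process identity rather than your interactive logon.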