Last post Mar 02, 2018 03:36 PM by PatriceSc
Mar 02, 2018 01:39 PM | Looooooka
I'm trying to load the private key from a certificate stored in the userstore.
The user under which the Application Pool is running is not an administrator.
It seems the user's profile is not loaded (even though that option is set in the pool), so I get this error:
Application startup exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Key not valid for use in specified state
at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__61_0(CspParameters csp)
at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
When running as an administrator this problem doesn't exist, and all that I've managed to find online is:
- when the cert is in the user store, you need the profile loaded
- when the cert is in the machine store, you need to be running as an admin or have access to the store.
Which didn't help at all because when running as administrator that certificate is also stored in the user store and it works just fine.
Does anyone have a solution for this?
Somehow loading the user profile or at least a different way to get the private key under a non administrator account?
Perhaps there are more permissions that need to be set to get the private key... but as far as I remember you get a completely different exception when it's a permission issue.
Any help would be most appreciated.
Mar 02, 2018 02:46 PM | Looooooka
I thought this would fix the issue:
winhttpcertcfg.exe -g -c Current_User\Personal -s CertSubjectName -a "TheUserInQuestion"
Appears it didn't. I was still accidentally running as the Administrator and thought this fixed the problem :)
Mar 02, 2018 03:14 PM | Looooooka
Gave up and installed the certificate in the LocalMachine key store so I could use the "set private key permissions" option and grant that AppPool user read rights.
If anyone knows how to make this work for a regular user using the CurrentUser certificate store... that would be great. I hate having certs in the local machine store.
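The workaround in the post above (LocalMachine store plus a read-only grant on the private key for the application pool identity) can be scripted instead of clicking through the certificate MMC "Manage Private Keys" dialog. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes placeholder values for the certificate thumbprint and the application pool name, and it relies on the documented default key container locations under %ProgramData%\Microsoft\Crypto (MachineKeys for CAPI keys, Keys for CNG keys). It grants only Read, which is all an application needs to sign or decrypt with the key, and never Full Control.

```powershell
# Added example (not from the thread): grant an IIS application pool identity
# read-only access to the private key of a certificate in LocalMachine\My.
# Run from an elevated PowerShell session on the IIS host.
# PLACEHOLDER values: replace with the real thumbprint and pool name.
param(
    [string]$Thumbprint  = 'PLACEHOLDER_THUMBPRINT',
    [string]$AppPoolName = 'PLACEHOLDER_POOL'
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in the LocalMachine store."
}

# Resolve the on-disk key container. CAPI keys (RSACryptoServiceProvider) live
# under Crypto\RSA\MachineKeys; CNG keys (RSACng) live under Crypto\Keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
} else {
    $keyName = $rsa.Key.UniqueName
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$keyName"
}
if (-not (Test-Path -Path $keyPath)) {
    throw "Key container file not found at $keyPath (non-default key storage provider?)."
}

# Least privilege: the pool's virtual account gets Read only, nothing else.
$identity = "IIS AppPool\$AppPoolName"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show the resulting entry so the grant can be checked (and audited later).
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The "IIS AppPool\<name>" identity only exists when the pool runs as ApplicationPoolIdentity; if the pool runs under a domain or local account, put that account in $identity instead. Keeping the key non-exportable in the store and granting Read on the container file is what lets a non-administrator pool use the key without the CurrentUser profile-loading problem described in the first post.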
Mar 02, 2018 03:36 PM | PatriceSc
Never tried. If the issue is loading the user profile you have this option in the application pool configuration:
Oops: missed that you tried already. The error message is a bit weird though. Could it be because of the "exportable" option as shown here: