This blog post provides detailed instructions on how to import a digital certificate with private key from a .pfx file so that it can be used for creating digital signatures, or decrypting data. There are two major steps:
1) Import the PFX into the Local Machine Certificate store (interactively).
2) Modify the access permissions of the MachineKeys folder so that your IUSR account can have access.
First, you need to understand a key concept:
Private Keys live in a File-Based Protected Store,
Certificates live in a Registry-Based Certificate Store
When certificate w/ private keys are installed from a .pfx file, the certs are installed in a registry-based certificate store, but the private keys are installed in a "protected store". Each user account on a Windows system has it’s own certificate store (in the HKEY_CURRENT_USER branch). There is also a machine-wide certificate store in the HKEY_LOCAL_MACHINE registry branch. A cert can be installed to either one (or both). If the cert is installed interactively via the certmgr.msc certificate management console into the HKEY_CURRENT_USER, the ASP IUSR process won’t find it.
Likewise, each user account on a Windows system has it’s own "protected store". (For those interested in more information about protected stores, Google "DPAPI" and you’ll find lots of info…) There is also a machine-wide "protected store". If you import a .pfx interactively such that the private keys are saved to your interactive account’s "protected store", then they will not be accessible to ASP / ASP.NET, which is running in an IUSR account.
Importing a PFX into the Local Machine Certificate Store / Machine Keys
You’ll import the PFX by using the Certificate Management Console, but for the
Local Machine, not for your current logged-on user account. Follow these
instructions to start the MMC for the local machine cert store:
To manage certificates for a computer:
1. Log on to the system as an administrator.
2. Click Start, click Run, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in, and then click Add.
4. Under Snap-in, double-click Certificates, click Computer account, and then click Next.
5. Do one of the following:
6. To manage certificates for the local computer, click Local computer, and then click Finish.
7. To manage certificates for a remote computer, click Another computer and type
the name of the computer, or click Browse to select the computer name, and then click Finish.
8. Click Close. Certificates (Computer Name) appears on the list of selected snap-ins
for the new console.
9. If you have no more snap-ins to add to the console, click OK.
10. To save this console, on the File menu, click Save.
Begin the PFX Import:
1) Right-click on the Personal folder, located under "Certificates (Local Computer)", and select All Tasks –> Import.
2) Click Next, browse to your .pfx file and select it. Make sure the "Files of type" dropdown is set to "*.pfx; *.p12;" so you can see the .pfx files. Click Next.
Enter the password for your .pfx file. (I always mark the key as exportable.) Click Next. Use the "Personal" certificate store, which is the default and already selected.
Click Next. Click Finish. That’s it.
Modify the Access Permissions of the MachineKeys folder.
Note: This step may not be necessary for the SYSTEM or Windows Service account. Check to see if your program can access the certificate and private key first before proceeding with this step.
1) Open Windows Explorer and navigate to the directory
where the keys are located:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
2) Make sure you’re not using the "Simple File Sharing" mode in Windows Explorer.
In the Windows Explorer Tools menu, select "Folder Options". Then select the "View" tab.
Scroll down and make sure the "Use simple file sharing" checkbox is unchecked.
4) Right-click on the MachineKeys folder.
Select "Properties", then select the "Security" tab. (Note: If you didn’t turn off simple file sharing, you wouldn’t see the "security" tab.)
5) You’re going to add your IUSR_**** account and give it full permission. Click the "Add.." button. Type your IUSR account name and click "Check Names". Then click "OK".
6) The IUSR account is now listed. Select it and then check the "Full Control" checkbox (causing all the other Allow checkboxes to be selected). Then click "Apply".
You’ve done it. Now you can use that cert w/ private key in ASP or ASP.NET. You can also use any other certs imported into the Local Machine/Personal certificate store.
