Here’s a recipe for installing a digital certificate with its private key so that the private key is accessible and usable from a Windows Service or ASP.NET:
- Requested new X509 certificate from Thawte, security level = Medium.
- Imported from IE7 directly from Thawte using default options.
- Verify that the newly imported certificate is NOT found by my Windows Service program (or ASP.NET). To do this, I try to create a digital signature from my service program. It cannot even find the certificate.
- Run certmgr.msc and export cert to a .pfx, include private keys.
- Double-click on the .pfx. Import without strong private key protection, mark key as exportable. Export with "test" as the password.
- My service is on Windows XP and runs under the "SYSTEM" account. (Make sure to use the appropriate account name for ASP.NET or whatever login account is used by your Service.)
I ran winhttpcertcfg to import:
winhttpcertcfg -i something.pfx -c LOCAL_MACHINE\My -p test -a SYSTEM
The argument to the -a option should be the account name.
The certificate with private key is now accessible and usable by the Windows Service.
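As an added example (not part of the original recipe), the same grant on a current Windows version, where winhttpcertcfg is no longer shipped: this PowerShell script imports the .pfx into LOCAL_MACHINE\My, gives the service account read access to the private key file, and checks that the grant took effect. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 run elevated; the path, password and account are placeholders.

```powershell
# Added example, not from the original post: modern equivalent of
#   winhttpcertcfg -i something.pfx -c LOCAL_MACHINE\My -p test -a SYSTEM
param(
    [string]$PfxPath  = 'C:\certs\something.pfx',   # assumed location of the exported .pfx
    [string]$Password = 'test',                      # PFX password used in the recipe
    [string]$Account  = 'NT AUTHORITY\SYSTEM'        # or the ASP.NET app-pool identity, e.g. 'IIS AppPool\DefaultAppPool'
)

function Get-PrivateKeyFile {
    # Return the on-disk key container for a certificate, for both CSP and CNG keys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key" }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: file lives under ProgramData\Microsoft\Crypto\RSA\MachineKeys
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    }
    # CNG key: file lives under ProgramData\Microsoft\Crypto\Keys
    return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
}

$secure = ConvertTo-SecureString $Password -AsPlainText -Force
# -Exportable mirrors the recipe's "mark key as exportable"; omit it unless the
# service really needs to re-export the key, since it lets any reader copy it out.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
                              -Password $secure -Exportable

# Grant the service account read access to the key file (what "-a SYSTEM" did).
$keyFile = Get-PrivateKeyFile -Cert $cert
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: the account must now appear in the key file's ACL with read access.
$granted = (Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.FileSystemRights -match 'Read' }
if (-not $granted) { throw "$Account was not granted read access to $keyFile" }
Write-Host "Private key of $($cert.Subject) is readable by $Account via $keyFile"
```

The last check is the scriptable form of step 4 in the recipe: if the account is missing from the key file's ACL, the service will still fail to find or use the key.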