CodeGuru Home VC++ / MFC / C++ .NET / C# Visual Basic VB Forums Developer.com
Results 1 to 2 of 2
  1. #1
    Join Date
    Jun 2008

    Cannot retrieve private key of an X509 certificate from web service

    I'm a having trouble retrieving a private key of an X509 certificate that is located in
    in my Local Computer (Personal) store. The methods that I'm calling to retrieve the private key are in a dll. If I call the methods from a Windows Console app the works perfectly, but if I call them from a web service I get the following exception: System.Security.Cryptography.CryptographicException: Keyset does not exist

    static DSACryptoServiceProvider GetDSA()
    X509Certificate2 cert = GetCertificate(CERT_SERIAL_NUMBER);
    DSACryptoServiceProvider provider = cert.PrivateKey as DSACryptoServiceProvider;
    if (provider == null)
    throw new ApplicationException("No suitable certificate found");
    return provider;

    static X509Certificate2 GetCertificate(string serialNumber)
    X509Store store = new X509Store(StoreLocation.LocalMachine);
    X509Certificate2Collection matchingCerts = store.Certificates.Find(

    if (matchingCerts.Count == 0)
    throw new ArgumentException(
    "No certificate with provided serial number found");

    return matchingCerts[0];

    After googling around I decided that it's probably a permissions issue and therefore I tried to assign the NETWORK SERVICE user, which my App Pool is running under, full control permissions. I tried the following: since I'm running Vista, I supposedly can assign the permissions to the private key by opening MMC and adding a snap-in to the Local Computer certificates and right-clicking on the certificate -> All tasks -> Manage Private Keys… -> Adding NETWORK SERVICE full control etc. I also tried the same with the user SYSTEM and modifying the App Pool under which my web-service is running on to run as SYSTEM. The also tried the same thing with a specific user account i.e. my user account. None of these attempts worked. I tried assigning permissions to the actual private key file by running the following command:

    cacls “{output from above}” /E /P NETWORKSERVICE:R Example: cacls “C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9e7f481ca4127144bc75102dabb32ad0_c18e0de9-0e80-4436-920c-4ab1cae7939a” /E /P NETWORKSERVICE:R

    I determined what the private key file was by checking the date created of the file. I could not find the file by using:

    findprivatekey.exe My LocalMachine -n “CN=SomeName” –a

    It simply told me that no certificates with that key existed.

    I have really run out of ideas now and I would really appreciate it if anyone could point me in the right direction or simply give me some new ideas (however crazy) 

  2. #2
    Join Date
    Apr 2002

    Re: Cannot retrieve private key of an X509 certificate from web service

    I did not face this problem before, but I think you should try to impersonate using your user name and password before performing this operation.
    Or just try to make the application pool run with your user.
    Hesham A. Amin
    My blog , Articles

    <a rel=https://twitter.com/HeshamAmin" border="0" /> @HeshamAmin

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Windows Mobile Development Center

Click Here to Expand Forum to Full Width

On-Demand Webinars (sponsored)

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.