Archive for December 2007
Yet another really weird issue with certificate deployment came yesterday.
Symptoms: A Windows service cannot access the private key of a certificate from the "LOCAL_MACHINE\MY" store, although the ACL for the private key is configured for the service’s account (Network Service and even Local System). When the same service is started under a user’s account, it can access the private key.
Solution: ACLs alone are not enough; make sure the folder that holds the certificate’s private key file is itself accessible to the service account. Check the location of the private key file with some tool (the WseCertificate3.exe tool from the WSE 3.0 toolkit is very good for it).
Description: In my case the certificate was installed first into the "CURRENT_USER\MY" store and then copied to the "LOCAL_MACHINE\MY" store. Because of that, both copies of the imported certificate shared the same private key file located in the user profile:
C:\Documents and Settings\UserA\Application Data\Microsoft\Crypto\RSA\[UserA's SID]\
Not surprising now that the service account could not access the private key despite the ACL. Moreover, moving the certificate instead of copying it in the Certificates Microsoft Management Console Snap-in has the same result — the private key file gets stuck in the user’s profile. After deleting the certificate and importing it into the right store the service works fine and the certificate’s private key file is located in:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\
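As an added example (not part of the original post, and not the WseCertificate3.exe tool it recommends), the following PowerShell script does the same check from the command line: it walks LOCAL_MACHINE\MY, resolves the on-disk key file for each certificate with a CSP RSA private key, reports whether that file sits in the machine-wide MachineKeys folder or under a user profile, and prints the file’s ACL so the service account’s entry can be checked next to the location. It assumes PowerShell 3 or later, an elevated session, and CSP keys as in the post; CNG keys (stored under Microsoft\Crypto\Keys on newer Windows) are reported but not resolved.

```powershell
# Added example: locate the private key file behind each LOCAL_MACHINE\MY certificate
# and flag keys that ended up in a user profile instead of MachineKeys.
# Assumes PowerShell 3+, elevated session, CSP (RSACryptoServiceProvider) keys.

function Get-MachineCertKeyFile {
    # Folder the post names: <CommonApplicationData>\Microsoft\Crypto\RSA\MachineKeys
    # (C:\Documents and Settings\All Users\Application Data on XP/2003, C:\ProgramData later)
    $machineKeyDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }) {
        $result = [ordered]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Location   = 'unknown'
            KeyFile    = $null
            Note       = ''
        }

        $rsa = $null
        try {
            $rsa = $cert.PrivateKey   # throws if this account cannot open the key container
        } catch {
            $result.Note = "cannot open key container: $($_.Exception.Message)"
        }
        if ($null -eq $rsa) {
            # Same symptom as in the post: the store entry exists, the key behind it is unreachable.
            if (-not $result.Note) { $result.Note = 'key container not openable from this account' }
            [pscustomobject]$result
            continue
        }
        if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $result.Note = 'not a CSP RSA key (CNG or other provider); resolve manually'
            [pscustomobject]$result
            continue
        }

        $info = $rsa.CspKeyContainerInfo
        if ($info.MachineKeyStore) {
            $result.Location = 'MachineKeys'
            $result.KeyFile  = Join-Path $machineKeyDir $info.UniqueKeyContainerName
        } else {
            # Per-user container: the file lives under <profile>\Application Data\Microsoft\Crypto\RSA\<SID>\
            # and a service account cannot reach it regardless of the file's own ACL.
            $result.Location = 'UserProfile'
            $userRsaDir = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Crypto\RSA'
            $result.KeyFile = Get-ChildItem -Path $userRsaDir -Recurse -Filter $info.UniqueKeyContainerName -ErrorAction SilentlyContinue |
                              Select-Object -First 1 -ExpandProperty FullName
            $result.Note = 'delete and re-import the certificate directly into LOCAL_MACHINE\MY'
        }
        [pscustomobject]$result
    }
}

# Print each certificate's resolved location, then the key file's ACL so the
# service account (e.g. NT AUTHORITY\NETWORK SERVICE) can be verified alongside it.
Get-MachineCertKeyFile | ForEach-Object {
    $_ | Format-List
    if ($_.KeyFile -and (Test-Path $_.KeyFile)) {
        (Get-Acl $_.KeyFile).Access |
            Select-Object IdentityReference, FileSystemRights, AccessControlType |
            Format-Table -AutoSize
    }
}
```

A certificate reported with Location = UserProfile is the case the post describes: its key file is under one user’s Application Data folder, so the ACL on the file is irrelevant to a service account that cannot traverse that profile. A certificate whose key container cannot be opened at all from an elevated session is the same problem seen from the other side, since the file is being looked up under the wrong profile.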