9

I'm developing an ASP.NET 4.0 web application, and I want to read the current user's certificates from X509Store. Reading the LocalMachine certificates works fine, but if I set the StoreLocation to CurrentUser, I get an empty collection.

The following code works fine:

using System.Security.Cryptography.X509Certificates;

// Opens the Personal ("My") store of the local machine; swapping in StoreLocation.CurrentUser yields the empty collection.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); // StoreLocation.CurrentUser
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

I've checked my personal store (via certmgr.msc) and I'm sure that I have the certificates.

What am I missing? (store.Certificates is empty.)

Ashkan S
Masinov
  • Is the application running as you? – Roger Lipscombe Mar 21 '12 at 16:23
  • The application is hosted on my local IIS (7.5). The application pool is set to ApplicationPoolIdentity. – Masinov Mar 21 '12 at 18:10
  • 1
    ...then CurrentUser will be the application pool, not you. – Roger Lipscombe Mar 21 '12 at 19:57
  • Hmm... I'll try it tommorow and see what happens :) – Masinov Mar 21 '12 at 22:12
  • I've set the application pool identity to : LocalSystem, Network Service and Application Pool Identity and I get the same results, the list is empty. – Masinov Mar 22 '12 at 08:33
  • Yeah. Because 'CurrentUser' refers to the current user. If you look in there while logged in as you, then you'll see *your* certificates. Your ASP.NET application isn't running as you, so it'll see *its* certificates, not yours. – Roger Lipscombe Mar 22 '12 at 11:46
  • Oh... I see. Is there any way that I can get the certificates installed on the client's machine? I need this because I'm trying to implement a way for the user to change the current certificate (before it expires), which is requested at login. Thanks for your help @RogerLipscombe :) – Masinov Mar 22 '12 at 14:05
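The following is an added diagnostic example; it is not code from the question or from any of the answers. It makes concrete what Roger Lipscombe's comments explain: StoreLocation.CurrentUser is resolved against the Windows account the worker process runs as, so the report prints that account's name next to whatever that account can see in both Personal stores, and it distinguishes "opened but empty" from "could not be opened". The last method addresses the follow-up about certificates on the client's machine: a server never enumerates the browser user's store; it only sees a certificate the client presented during the TLS handshake, exposed in ASP.NET as HttpRequest.ClientCertificate. The class and method names are my own, the code sticks to .NET 4.0 syntax, and it assumes a reference to System.Web.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

// Added diagnostic (not from the question): shows which Windows account the
// page code really runs as, what that account sees in both Personal stores,
// and, separately, the certificate the browser presented during TLS, if any.
public static class CertStoreDiagnostics
{
    // The account whose HKCU hive backs StoreLocation.CurrentUser for this code.
    // Under IIS this is the worker process identity (or the impersonated user
    // when ASP.NET impersonation is on), never the person sitting at the browser.
    public static string RunningAs()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            return identity.Name;
        }
    }

    // Enumerates the Personal ("My") store at the given location. Only public
    // attributes are returned; private keys and raw blobs never leave the server.
    public static IList<string> ListPersonalStore(StoreLocation location)
    {
        List<string> lines = new List<string>();
        X509Store store = new X509Store(StoreName.My, location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                lines.Add(string.Format("{0} | {1} | valid until {2:u} | private key: {3}",
                    cert.Thumbprint, cert.Subject, cert.NotAfter, cert.HasPrivateKey));
            }
            if (lines.Count == 0)
            {
                lines.Add("(store opened, but it is empty for " + RunningAs() + ")");
            }
        }
        catch (CryptographicException ex)
        {
            // OpenExistingOnly refuses to create a missing store, so an account
            // without a loaded profile can surface here instead of as "empty".
            lines.Add("store could not be opened: " + ex.Message);
        }
        finally
        {
            store.Close();
        }
        return lines;
    }

    // The browser user's certificate is visible to the server only when the
    // client presented it during the TLS handshake (IIS client certificate
    // mapping set to Accept or Require). It comes from the request, not a store.
    public static string DescribeClientCertificate(HttpRequest request)
    {
        HttpClientCertificate presented = request.ClientCertificate;
        if (!presented.IsPresent)
        {
            return "no client certificate was presented on this request";
        }
        X509Certificate2 cert = new X509Certificate2(presented.Certificate);
        return string.Format("client presented {0} | {1} | valid until {2:u}",
            cert.Thumbprint, cert.Subject, cert.NotAfter);
    }

    // Builds a plain-text report for a handler or page (e.g. Response.Write(Report(Request))).
    public static string Report(HttpRequest request)
    {
        List<string> report = new List<string>();
        report.Add("worker code is running as: " + RunningAs());
        report.Add("LocalMachine\\My:");
        report.AddRange(ListPersonalStore(StoreLocation.LocalMachine));
        report.Add("CurrentUser\\My:");
        report.AddRange(ListPersonalStore(StoreLocation.CurrentUser));
        report.Add(DescribeClientCertificate(request));
        return string.Join(Environment.NewLine, report.ToArray());
    }
}
```

Run it once from the page in question and compare the first line with the account you used in certmgr.msc; if they differ, the empty CurrentUser list is expected, and the fix is to install the certificate for the account shown (or in LocalMachine with an ACL on the private key), not to change the code. Keep such a report behind an authenticated admin-only URL and remove it afterwards: thumbprints and subjects are not secrets, but the list of which accounts hold which private keys is useful to an attacker.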

3 Answers

2

It appears that you cannot access the Personal certificate store via a web application, no matter which application pool identity you're using.

It makes sense: a web application has no access to that location. :)

My solution:

I've developed an ActiveX control, which I think is the only way to access the store. (A Java applet offers the same functionality.) I use the ActiveX control via JavaScript to access the store and send that information to the server.

Masinov
0

If your worker process cannot access the cert store, maybe it's just an account setup problem. Try going to IIS Configuration, open Application Pools, right-click on yours, select Advanced and try setting LoadUserProfile to True. Then restart the pool. It worked for me: no more exceptions when loading a .PFX with private keys.

quetzalcoatl
0

I had a similar problem. The solution was:

IIS admin -> [your virtual dir] -> Authentication -> Anonymous Authentication (select it, then click "Edit...") and change it to use "Application pool identity".

Otherwise it may be running as the generic "IUSR".

Tom Mulgrew
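As an added example (mine, not code from either answer), here are the two IIS changes that quetzalcoatl and Tom Mulgrew describe through the IIS manager, applied programmatically with Microsoft.Web.Administration, the managed wrapper for applicationHost.config that ships with IIS 7.x in %windir%\System32\inetsrv. The pool name and site path are placeholders supplied by the caller, and the helper must run elevated.

```csharp
using System;
using Microsoft.Web.Administration; // %windir%\System32\inetsrv\Microsoft.Web.Administration.dll

// Added example: applies the two settings from the answers above.
//  1. Load the application pool account's user profile, so the hive that backs
//     its CurrentUser certificate store is mounted when the worker starts.
//  2. Make anonymous requests run as the application pool identity instead of IUSR.
// Edits applicationHost.config, so it must run from an elevated process.
public static class IisCertStoreSetup
{
    // appPoolName: e.g. "MyAppPool"; sitePath: e.g. "Default Web Site/MyApp" (both placeholders).
    public static void Configure(string appPoolName, string sitePath)
    {
        using (ServerManager manager = new ServerManager())
        {
            ApplicationPool pool = manager.ApplicationPools[appPoolName];
            if (pool == null)
            {
                throw new ArgumentException("No such application pool: " + appPoolName);
            }

            // Setting 1: a dedicated virtual account per pool, with its profile loaded.
            pool.ProcessModel.IdentityType = ProcessModelIdentityType.ApplicationPoolIdentity;
            pool.ProcessModel.LoadUserProfile = true;

            // Setting 2: anonymous authentication with an empty userName means
            // "use the application pool identity" rather than the shared IUSR account.
            Configuration config = manager.GetApplicationHostConfiguration();
            ConfigurationSection anonymous = config.GetSection(
                "system.webServer/security/authentication/anonymousAuthentication", sitePath);
            anonymous["enabled"] = true;
            anonymous["userName"] = "";

            manager.CommitChanges();
            pool.Recycle(); // the new profile setting only applies to a fresh worker process
        }
    }
}
```

Two caveats a practitioner should keep in mind. The anonymous-user setting only changes the identity the page code runs under when ASP.NET impersonation is enabled (identity impersonate="true"); without impersonation the process identity applies regardless, which is why the first setting is the one that matters for X509Store. And once a private key sits in the pool account's CurrentUser store, every piece of code that runs in that worker process can use it, so keep the pool dedicated to this one application and prefer a certificate whose private key is non-exportable.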