I have a self-hosted WCF service being tested now in QA using self-signed (makecert.exe) certificates for SSL. If the web service is started using admin rights and a .BAT file, the program has no trouble starting the SSL endpoint.
But if I start the web service as a normal Windows service, running as "NT Authority\System", the program will frequently (but not always?!) fail to start, throwing an error that it "may not have a private key that is capable of key exchange or the process may not have access rights for the private key".
This is the makecert command I used:
makecert -iv Cas_temp_Authority.pvk -n "CN=ServerName" ServerName.cer -sv ServerName.pvk -ic ServerName.cer -sr localmachine -ss my -sky exchange -pe -eku 1.3.6.1.5.5.7.3.1
I used this netshell command to assign the certificate to the port:
netsh http add sslcert ipport=0.0.0.0:8086 certhash=755f7fcf49ff3f06d9d7e551a10ef35776f2dc57 appid={42e1d4bf-7106-4666-90f7-4634456fb7f1} clientcertnegotiation=enable
I used this netshell command to set the port permissions:
netsh http add urlacl url=https://+:8086/ServiceName/MethodName/ user="NT Authority\System"
I know there is nothing wrong with the certificates or the programming code; if there were something wrong, the service would not start at all. The issue here is that it starts only as administrator using an .EXE and it will not start as a normal Windows service.
I'd be grateful for any help.
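An added example, not part of the question above, that checks the one thing the quoted error points at: whether the service account can read the private key file behind the certificate bound with netsh. It assumes Windows PowerShell 5.1, an elevated session, and a CSP RSA key (what makecert -sky exchange creates); the default thumbprint is the certhash from the question.

```powershell
# Added example (not from the question): verify that NT AUTHORITY\SYSTEM can read the
# private key file of the certificate bound with "netsh http add sslcert".
# Assumes Windows PowerShell 5.1, an elevated prompt and a CSP (not CNG) RSA key,
# which is what "makecert -sky exchange" produces.
param(
    [string]$Thumbprint = '755f7fcf49ff3f06d9d7e551a10ef35776f2dc57',  # certhash from the question
    [string]$Account    = 'NT AUTHORITY\SYSTEM',                        # the service's logon account
    [switch]$Grant                                                      # add a Read ACE if it is missing
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key in this store (check the -sr/-ss makecert options)" }

# For CSP keys the private key is a file under MachineKeys named after its key container.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key container file $keyFile not found (key may be CNG or per-user)" }

# Look for an explicit Allow ACE for the account that includes Read.
$acl     = Get-Acl $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
}

if ($hasRead) {
    Write-Host "$Account already has read access to $keyFile"
} elseif ($Grant) {
    # Grant only Read: the service needs to use the key, not to modify or delete it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    Write-Host "Granted $Account read access to $keyFile"
} else {
    Write-Warning "$Account has no Read ACE on $keyFile; rerun with -Grant to add one"
}
```

The sslcert binding in HTTP.sys and the urlacl reservation are separate from this file ACL, so all three need to be right for the endpoint to come up under the service account.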