
I'm having an issue deploying a WCF service to IIS on Windows Server 2016. The service needs a private key, which location is configured as follows:

<serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="..." />

I'm getting the famous error "Keyset does not exist", so I googled and double-checked permissions etc. The certificate is correctly placed in LocalMachine/Personal/Certificates. Private key export is allowed.

I granted private key permissions to the APPPOOL identity and IIS_IUSRS. I even tried granting full access to "Everyone". I also tried running the application pool under my administrator account.

No luck.

I tried creating a small C# console application that reads the certificate and the private key, and exports the private key. That works.

So I'm out of options now. Any suggestions that might solve this?

If you run certutil -store my what do you see? If the certificate has a private key associated, there will be something like "Encryption test passed" or "Signature test passed". – pepo

The certificate is there and it shows the message "Encryption test passed". – Tommy Jakobsen

OK, then look at your IIS application pool. What identity does it run under (pool -> advanced settings -> identity)? It should be ApplicationPoolIdentity. – pepo

That's the identity, yes. – Tommy Jakobsen

Then the user that needs permissions should be IIS APPPOOL\XYZ where XYZ is the name of your pool. I set the permissions using certlm.msc with right click on certificate, then All tasks -> Manage private keys. – pepo

1 Answer


The application is running as an application under a parent site, but with its own dedicated app pool. Granting private key permissions to the parent site's app pool fixes the issue. It doesn't make any sense to me, but at least it works now...
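The answer above was reached by trial and error in certlm.msc. The following PowerShell script is an added example, not code from the question or the answer: it resolves the file that backs the certificate's private key in LocalMachine\My, grants Read on that file to a list of IIS application pool identities, and then prints the resulting ACL so you can compare it against the identity each pool actually runs under. The thumbprint and the two pool names (`ParentSitePool`, `ChildAppPool`) are placeholders; the script assumes an RSA certificate and an elevated session, since the machine key directories are not readable otherwise.

```powershell
# Added example, not code from the original question or answer.
# Finds the private key file behind a LocalMachine\My certificate, grants IIS
# application pool identities Read on it, and prints the ACL for verification.
# Assumptions: thumbprint and pool names are placeholders; RSA key; run elevated.
param(
    [string]   $Thumbprint = 'REPLACE_WITH_THUMBPRINT',
    # The answer found that the parent site's pool needed access, not only the
    # application's own pool, so both (hypothetical) pool names are listed here.
    [string[]] $PoolNames  = @('ParentSitePool', 'ChildAppPool')
)
$ErrorActionPreference = 'Stop'

# certutil -store my prints thumbprints with spaces; normalise before comparing.
$normalized = ($Thumbprint -replace '\s', '').ToUpperInvariant()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $normalized }
if (-not $cert) { throw "No certificate with thumbprint $normalized in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate found but it has no private key attached" }

# Resolve the key container's unique name. .NET returns RSACryptoServiceProvider
# for legacy CSP keys and RSACng for CNG keys; the file name comes from a
# different property in each case.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $unique = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $unique = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Machine keys live in one of two directories depending on the storage provider;
# check both rather than inferring the directory from the key type.
$candidates = @(
    (Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$unique"),
    (Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$unique")
)
$keyFile = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$unique' not found under $env:ProgramData\Microsoft\Crypto" }
Write-Host "Private key file: $keyFile"

# Grant Read to each pool's virtual account ('IIS AppPool\<pool name>'). Read is
# sufficient to load the key for signing or decryption; Full Control is not needed.
$acl = Get-Acl -LiteralPath $keyFile
foreach ($pool in $PoolNames) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "IIS AppPool\$pool", 'Read', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Show who can open the key now. Compare these identities with the Identity
# shown under Advanced Settings for every pool in the chain (parent site and
# the nested application), not just the one you expected to be loading the key.
(Get-Acl -LiteralPath $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Running this against the real thumbprint with only the nested application's pool listed, then reading the printed ACL, shows directly which identity was missing; the trailing ACL dump is what `certlm.msc -> Manage private keys` shows you in its dialog, so the two can be cross-checked. If "Keyset does not exist" persists after the correct identity has Read, the usual remaining cause is that the key lives in a different store from the one the `serviceCertificate` element names (for example CurrentUser instead of LocalMachine), which the first `throw` in the script will surface.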