3
votes

I am getting the error "The certificate 'CN=tempcert' must have a private key that is capable of key exchange. The process must have access rights for the private key" when I run a WCF service on Win7 using HTTP. I changed the Application Pool to use "NetworkService". I installed the server certificate using the Local Machine. The cert is shown in the Certificate MMC under the Local Computer / Personal / Certificates. I double click on the certificate and it states that it has a private key. I then run the FindPrivateKey utility and it states that it finds the private key in the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder. I went into the Certificates Add-in in MMC and granted full rights to the NETWORK SERVICE account. Then I went to the folder in Windows Explorer and confirmed that NETWORK SERVICE has full rights to the folder and the specific key file. However, every time I run the WCF service it errors out that it can't find the private key. I have no idea what else I can do.


4 Answers

4
votes

You need to specify -sky exchange when you create the certificate.

    makecert -sk SignedByCA -iv TempCA.pvk -n "CN=localhost" -ic TempCA.cer SignedByCA.cer -sr LocalMachine -ss My -sky exchange -pe

4
votes

I've struggled with this too. There's no quick fix. The "-sky exchange" can be the cause of this error, but I had "-sky exchange" set when building self-signed certs and still received this error. There are other issues that can cause this problem, including private key access rights and the certificate location.

This can apply if/when you're running your WCF host as a Windows service:

Access rights to the private key: In my case, if I started the WCF service manually, it inherited the rights of my (admin group) user account and the WCF service had no problem finding the certs. But when I used a Windows Service to start the WCF host, it inherited the rights of the service, and I received this same error.

In the Service Manager window, in my case, the account running my service shows up as "Local System", which really means "NT AUTHORITY\System". So I needed to give that account access rights to the private key container. "Everyone" wasn't good enough, amazingly. You can assign rights to the key container using the MMC or using FindPrivateKey.exe and manually using the file explorer to set the rights, much like you'd set access rights to a file folder.

Store Location (another factor): Also, in my case, the account I was running under didn't have access to the "LocalMachine" or "CurrentUser" stores, so locating my certs there was of no use. The service only started working when I imported (or copied) the certificates to "Service (Service Name)" using the MMC.

You can do it this way: open up the MMC, then select "Certificates" from the list. You'll see three options: My User Account (CurrentUser), Service Account (You select which service) and Computer Account (LocalMachine). Just select Service Account and pick the service under which your WCF host runs.

My answer here was not meant to be a complete "how to", just helpful hints to those struggling with this issue. The "how to" I wrote for my documentation was 10-pages long.

3
votes

mmc > File > Add/Remove Snap-in > Certificate > Add > Computer Account > Next > Finish > OK

Then, find the certificate > Right Click > All Tasks > Manage Private Keys

Add the user or service which is using the cert and grant full control to it.

You are all set :) Restart the service and it should work

0
votes

I was getting this exception too. Inspecting the inner exception showed: System.Security.Cryptography.CryptographicException: Invalid provider type specified. It turns out I was using a CNG certificate in .NET 3.5 on Windows Server 2008, which this article (https://msdn.microsoft.com/en-us/library/aa738624(v=vs.100).aspx) highlights as unsupported.

To see what certificate type you are using, you can run the command Certutil -store my and look for the Provider field.

  • If it says Microsoft Enhanced Cryptographic Provider v1.0 - then it's a CSP certificate.
  • If it says Microsoft Software Key Storage Provider - then it's a CNG (KSP) certificate.

Anyway, I hope this information is useful for someone with the same problems.
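The checks from the answers above (key-exchange capability, CSP vs. CNG provider, and the service account's rights on the key container file) can be done in one pass from PowerShell. This is an added example, not code from the thread; it assumes the subject `CN=tempcert` and the `NT AUTHORITY\NETWORK SERVICE` account from the question, an elevated Windows PowerShell 5.1 prompt, and the default key file locations under `%ProgramData%\Microsoft\Crypto`.

```powershell
# Added example (not from the thread). Assumptions: Windows PowerShell 5.1 (.NET Framework 4.6+),
# elevated prompt, default Software KSP / CSP key file locations under %ProgramData%\Microsoft\Crypto.
param(
    [string]$Subject = 'CN=tempcert',                    # subject from the question
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',   # app-pool / service identity from the question
    [switch]$Grant                                       # only change the ACL when explicitly asked
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key in this store" }

# GetRSAPrivateKey handles both key types; the legacy $cert.PrivateKey property is what throws
# 'Invalid provider type specified' for CNG keys on the .NET 3.5-era stack described in the last answer.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info     = $rsa.CspKeyContainerInfo
    $keyType  = 'CSP'
    $provider = $info.ProviderName       # e.g. "Microsoft Enhanced Cryptographic Provider v1.0"
    $keyFile  = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    # AT_KEYEXCHANGE is what 'makecert -sky exchange' requests; a signature-only key raises the error in the question
    $exchangeCapable = ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyType  = 'CNG (KSP)'
    $provider = $rsa.Key.Provider.Provider   # e.g. "Microsoft Software Key Storage Provider"
    $keyFile  = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    $exchangeCapable = (($rsa.Key.KeyUsage -band [System.Security.Cryptography.CngKeyUsages]::Decryption) -ne 0)
} else { throw "Unexpected private key type: $($rsa.GetType().FullName)" }

if (-not (Test-Path $keyFile)) { throw "Key container file not found at $keyFile (compare with FindPrivateKey.exe)" }

# Inspect, and optionally grant, the account's rights on the key container file.
$acl    = Get-Acl -Path $keyFile
$access = $acl.Access | Where-Object { $_.IdentityReference.Value -ieq $Account }
if (-not $access -and $Grant) {
    # Read is sufficient for a service to use the key; Full Control is more than it needs.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
    $access = (Get-Acl -Path $keyFile).Access | Where-Object { $_.IdentityReference.Value -ieq $Account }
}
$rights = if ($access) { ($access.FileSystemRights | ForEach-Object { "$_" }) -join ', ' } else { 'NONE' }

[pscustomobject]@{
    Thumbprint      = $cert.Thumbprint
    KeyType         = $keyType
    Provider        = $provider
    ExchangeCapable = $exchangeCapable
    KeyFile         = $keyFile
    AccountRights   = $rights
}
```

Run it without `-Grant` first to see the key type and the account's current rights; a `CNG (KSP)` result on a .NET 3.5 host or `ExchangeCapable = False` points at the certificate itself rather than at permissions.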