Running a HealthVault Application in IIS without installing a certificate in the certificate store

Starting with the HealthVault 0908 SDK release, HealthVault applications can run with the application's certificate stored in a file store instead of in a certificate store by setting the ApplicationCertificateFileName key and its value in the web.config file. We have often seen developers run into issues when hosting HealthVault applications in IIS 7.5 on Windows Server 2008 R2 and Windows 7 machines, with errors like ‘Error loading certificate. Is password specified using ApplicationCertificatePassword?’

This issue occurs because the IIS worker process runs under a Windows identity account that doesn't have enough Code Access Security to call the security APIs. The DefaultAppPool, which IIS 7.5 uses by default, runs under the 'ApplicationPoolIdentity' account. Switching this account to the 'NetworkService' account allows you to run the HealthVault application in IIS without installing the certificate in the certificate store. Detailed steps for switching the Windows identity account are available at https://learn.iis.net/page.aspx/624/application-pool-identities/.

We highly recommend using the certificate store, because keeping the application's private key intact and private is very important for security. If your configuration doesn't allow using a certificate store and you must use the file-based certificate store, please ensure that a password is set for the certificate and keep the certificate file in a directory that is not web-accessible.
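
One way to check the two conditions above (a password is set, and the certificate file sits outside the directory IIS serves), as an added example that is not part of the original post or the HealthVault SDK. The function name, the sample site path, and the assumption that a relative file name resolves against the site root are illustrative.

```powershell
# Added example, not HealthVault SDK code. Reads the two web.config keys named on
# this page and reports problems with a file-based certificate setup.
function Test-HealthVaultCertConfig {
    param(
        # Physical path of the IIS site (assumption: web.config lives directly in it).
        [Parameter(Mandatory = $true)] [string] $SiteRoot
    )
    $findings = @()
    $root = [System.IO.Path]::GetFullPath($SiteRoot).TrimEnd('\') + '\'
    [xml]$config = Get-Content -LiteralPath (Join-Path $root 'web.config')

    # Collect appSettings into a lookup table; SelectNodes is empty-safe.
    $settings = @{}
    foreach ($node in $config.SelectNodes('/configuration/appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }
    $certFile = $settings['ApplicationCertificateFileName']
    $password = $settings['ApplicationCertificatePassword']

    if ([string]::IsNullOrEmpty($certFile)) { return @('ApplicationCertificateFileName is not set') }
    if ([string]::IsNullOrEmpty($password)) { $findings += 'No certificate password is set' }

    # Assumption: a relative file name is resolved against the site root.
    if (-not [System.IO.Path]::IsPathRooted($certFile)) { $certFile = Join-Path $root $certFile }
    $certFile = [System.IO.Path]::GetFullPath($certFile)

    # Anything under the site root is potentially reachable over HTTP.
    # Virtual directories mapped elsewhere are not covered by this check.
    if ($certFile.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "Certificate file is under the site root: $certFile"
    }
    if (-not (Test-Path -LiteralPath $certFile -PathType Leaf)) {
        $findings += "Certificate file not found: $certFile"
    } else {
        # Flag Allow entries for broad groups (English group names; adjust for localized systems).
        foreach ($ace in (Get-Acl -LiteralPath $certFile).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -match 'Everyone|BUILTIN\\Users|Authenticated Users') {
                $findings += "Broad access on certificate file: $($ace.IdentityReference.Value)"
            }
        }
    }
    return $findings
}

# Constructed usage; the path is a placeholder:
# Test-HealthVaultCertConfig -SiteRoot 'C:\inetpub\wwwroot\MyHealthVaultApp'
```

An empty result means none of these checks found a problem.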