How to grant ASP.NET access to certificate private keys on Windows Vista

One of the more painful processes on Windows XP and Windows Server 2003 is granting read permission to the private keys of a certificate. It typically requires a few trips to your favorite search engine, msdn.microsoft.com and running winhttpcertcfg.exe.

In Windows Vista, the Certificate MMC snap-in has a new feature that enables you to directly manage the permissions of private keys associated with a given certificate.

Assuming you already have your certificate installed in the Local Machine store, fire up mmc.exe, add the Certificates snap-in to the console and choose Computer account on the Local computer. Expand Certificates | Personal | Certificates and locate the certificate whose private key you'd like to grant read permissions on. Right-click on the certificate, choose All Tasks | Manage Private Keys ... and you'll be looking at a standard Windows ACL editor. No muss. No fuss. Nice 'n clean the way it should have been from the beginning. If you're using a stock ASP.NET 2.0 configuration, you'll want to grant NETWORK SERVICE read rights. If you're running your application pool under another identity or performing impersonation, you'll need to adapt accordingly. In either case, this is far easier than the old hunt 'n peck method.
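The same grant can be scripted when you have more than one box to set up. The script below is an added example, not from the original post: it finds the certificate in the Local Machine Personal store by thumbprint, locates the key container file that the MMC ACL editor is really editing, adds a Read-only ACE for NETWORK SERVICE and then verifies the ACE is present. The thumbprint is a placeholder you must replace, and the script assumes a legacy CSP (RSA) key, which is what the Vista-era import tools produce; CNG keys live under a different folder and are not handled here. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): grant NETWORK SERVICE read access
# to a certificate's private key from an elevated PowerShell prompt instead of
# clicking through mmc.exe. Assumes the certificate is in the Local Machine
# Personal store and was imported with a legacy CSP (RSA) key.

param(
    # Thumbprint of the certificate to grant access to (placeholder value)
    [string]$Thumbprint = 'THUMBPRINT_OF_YOUR_CERTIFICATE',
    # Identity that needs read access; NETWORK SERVICE for stock ASP.NET 2.0
    [string]$Identity   = 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key in this store."
    }

    $privateKey = $Cert.PrivateKey
    if ($privateKey -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Assumption: only legacy CSP keys are handled. CNG keys are stored under
        # $env:ProgramData\Microsoft\Crypto\Keys and expose no CspKeyContainerInfo,
        # so for those use the Manage Private Keys dialog described in the post.
        throw "Only CSP (RSACryptoServiceProvider) keys are handled by this example."
    }

    # The MMC ACL editor is really editing this file's DACL.
    $container = $privateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $path = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (-not (Test-Path $path)) {
        throw "Key container file not found at $path"
    }
    return $path
}

function Grant-PrivateKeyRead {
    param([string]$KeyFile, [string]$Identity)

    $acl = Get-Acl -Path $KeyFile
    # Read only: the application pool needs to use the key, not replace or delete it.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, 'Read', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

function Test-PrivateKeyRead {
    param([string]$KeyFile, [string]$Identity)

    $readFlag = [System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -Path $KeyFile
    foreach ($ace in $acl.Access) {
        $hasRead = (($ace.FileSystemRights -band $readFlag) -eq $readFlag)
        if ($ace.IdentityReference.Value -eq $Identity -and $ace.AccessControlType -eq 'Allow' -and $hasRead) {
            return $true
        }
    }
    return $false
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

$keyFile = Get-PrivateKeyFilePath -Cert $cert
Grant-PrivateKeyRead -KeyFile $keyFile -Identity $Identity

if (Test-PrivateKeyRead -KeyFile $keyFile -Identity $Identity) {
    Write-Host "Granted Read on $keyFile to $Identity"
} else {
    Write-Warning "ACE for $Identity not found after Set-Acl; check the ACL in mmc.exe"
}
```

If the application pool runs under a different account or you impersonate, pass that account as `-Identity`. Granting Read rather than Full Control matches what the post recommends and keeps the key from being overwritten or deleted by the web application if it is ever compromised.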

Technorati tags: vista, security, x509, ssl, encryption