Service certificate: Keyset does not exist

When you try to use a service certificate in WCF namely message security, you might have an error :

Keyset does not exist

Or in a detailed manner the message could be:

It is likely that certificate ‘CN=xxx’ may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.

There might be a few causes behind this error, trying to solve certificate related problems always feels hard, like being stabbed in the dark, here I am going to show you a tool that I found is very useful to troubleshoot this kind of problems.

First the service certificate must be “You have a private key that corresponds to this certificate”.

Second, if you created a key for LocalMachine-Person store, then cause is likely the permission issue, so you need to grant the IIS account the access to the key, by doing this :

In MMC right click the certificate, and click “Manage private keys…”

Third, the most confused, it is this scenario that drove me to use the debug tool to find out what is going on underneath

I have a certificate created for CurrentUser-Person store, there is nothing to stop you to config your service to use a certificate from current user store, and of course this certificate has a private key, the thing is there is a convention for private keys to be stored, the keys created for LocalMachine are stored under

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

While the keys created for current user are stored like

C:\Users\theusername \AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21 or S-1-5-20

In the third scenario, even I granted the key permission to IIS account, it still can not find the key, it turns out that the private key was at

C:\Users\theuserWhoCreatedKey \AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21, while IIS was trying to look for the key at

C:\Users\DefaultAPPPool \AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-20.

Surprisingly the private key name is right I guess it is stored in the certificate, but the folder is worked out on fly depends on which account the service is using.

How do I know this?

The tool I mentioned told me all these, the tool is procmon.

Here is a screen shot about the second scenario – permission issue

AccessDenied

Here is a screen shot for the third scenario – personal keys can not be accessed by other users

DefaultAppPool

Summary:

Try to use FindPrivateKey to find where the private key is for a service certificate, if its private key is in   C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, then it should be able accessed by different users as long as the permissions are granted, but private key sits under a particular user’s data folder, there is no way for other users to find this private key.

Coming to tools that are helpful in this situation, procmon stands out.

Tags: , ,

This entry was posted on Thursday, April 10th, 2014 at 3:12 am and is filed under ASP.NET. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

*