Geeks With Blogs

News Awarded Microsoft MVP C#.NET - 2007, 2008 and 2009

I am born in Bangladesh and currently live in Melbourne, Australia. I am a Microsoft Certified Application Developer MCAD Chartered Member (C# .Net)and born in Bangladesh.
I am founder and Chief Executive Officer of
Simplexhub, a highly experienced software development company based in Melbourne Australia and Dhaka, Bangladesh. Co-founder and core developer of Pageflakes
Simplexhub, is on its mission to build a smart virtual community in Bangladesh and recently launched beta an ASP.NET MVC application written in C#.NET.

Some of My Articles
Flexible and Plugin based .Net Application..
Mass Emailing Functionality with C#, .NET 2.0, and Microsoft® SQL Server 2005 Service Broker'
Write your own Code Generator or Template Engine in .NET
Shahed Khan blog

Background and Problem

Recently, I developed a website which implements PKI infastructure. On Click of a Button I sign and encrypt a document and send to desired location. During the development I have put the signer certificate in my "Certificates-CurrentUser" store and worked good. But when I deployed the site in production I found that IIS cannot locate the certificate from "Certificates-CurrentUser" store.

Initially I wrote this code and which was the CULPRIT:

object locationCertificate = "SomeCertificate";

X509Store storeMy = new X509Store(StoreName.My, StoreLocation.CurrentUser);

storeMy.Open(OpenFlags.ReadOnly); X509Certificate2Collection certColl = storeMy.Certificates.Find(X509FindType.FindBySubjectName,locationCertificate, false);

This is obvious that the code above will not work as IIS runs the site using ASPNET User and the Certificates are being imported under my Administrators account. As a result in the production box the code blew up and cerColl returned null.


To resolve this, I have imported the certificate under "Certificates-LocalMachine" Store and rectified my earlier code as follows.

object locationCertificate = "SomeCertificate";

X509Store storeLocalMachine = new X509Store(StoreName.TrustedPeople, StoreLocation.LocalMachine);

X509Certificate2Collection certColl = storeLocalMachine.Certificates.Find(X509FindType.FindBySubjectName,locationCertificate, false);

This is not the end of the story, only changing the codes didn't help, I needed to grant read permission to the certificate to the ASPNET User. You can do this easily using the "X509Certificate Tool" which can be found in the following link.



When a site is deployed in IIS, ASPNET User will not be able to locate Certificates imported in the "CurrentUser" Store. Certificates need to be imported in the "LocalMachine" Store instead, and have to be given read access.

Hope this helps and Thank you for being with me so far.

Posted on Thursday, November 22, 2007 2:34 PM | Back to top

Comments on this post: X509Certificate cannot be located from CurrentUser Store in IIS

# re: X509Certificate cannot be located from CurrentUser Store in IIS
Requesting Gravatar...
for your advise I also know I have to give read permission to aASPNET account but I am not able to set permission pls provide step by step detail
thank again.
Left by Abhijit on Apr 26, 2008 3:36 PM

# re: X509Certificate cannot be located from CurrentUser Store in IIS
Requesting Gravatar...
The download location for the tool changed:
Left by Christian Geuer-Pollmann on Dec 17, 2008 1:50 AM

Your comment:
 (will show your gravatar)

Copyright © Shahed Khan | Powered by: