Hi,

I am working with Visual Studio 2005 in C#.

Using makecert I create a self-signed certificate A with a private key then a certificate B based on A. The first is installed in the 'Certificate Authorities .. ' store, the second in the 'Personal' one.

My application need to use the certificate B to sign binary data. In debug mode, my application runs perfectly but after deployment there is no way to access the private key : I catch the following message : 'Keyset doesn't exist'

- As I work on a test environment, I set 'Read' and 'Write' rights on the web application directory to 'Everyone'
- I used the WSE utility for managing certificate and set 'Read' and 'Write' rights on the '../Documents and Settings/MyAccount/Application Data/Microsoft/Crypto/RSA/S-x-x-xx-...' to 'Everyone'
- on the IIS server, in the Security panel, I use Windows integrated authentification
- Using winhttpcertcfg I granted 'Eveyone' to use the certificate
- In the mmc console, when I open the certificate, I see it is valid and it has a private key but in tasks > renew the certificate or ask a new certificate with the same key I get some error message like 'Not enough data' or 'No CA available'

Here is the makecert commands I used :
- first, the self-signed (installed in Local Machine\Trusted Root) :

makecert r sr LocalMachine a sha1 n "CN=initRecetteUCB" sv UCB-recette.pvk initRecetteUCB.cer
- then the certificate I use to sign binary data (Local Machine\Personal) :

makecert sr LocalMachine a sha1 iv UCB-recette.pvk n "CN=UCB-recette" ic initRecetteUCB.cer UCB-recette.cer ss My
The WinHttpCertCfg command :

WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "UCB-recette" -a "NT AUTHORITY\Network Security"

My ASP.Net code :

byte[] signature;
string pk = "";
X509Store store = new X509Store("MY", StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

X509Certificate2Collection collection = (X509Certificate2Collection)store.Certificates;
X509Certificate2Collection fcollection = (X509Certificate2Collection)collection.Find(X509FindType.FindByTimeValid, DateTime.Now, false);
X509Certificate2 certificateUCB = new X509Certificate2();

foreach (X509Certificate2 x509 in fcollection)
{
if (x509.SubjectName.Name == containerName)
{
certificateUCB = x509;
break;
}
}
store.Close();

using (RSACryptoServiceProvider privateKey = (RSACryptoServiceProvider)certificateUCB.PrivateKey)
{
signature = privateKey.SignData(hashedData, new SHA1Managed());
}
Is there something missing in this approach ?

Best regards,
Alexis Ancelle - Sqli France