If you are ever in need of pulling and using X509Certificates from your machine’s Certificate Store in your applications there are a few things you will need to watch out for. For this post I will be assuming you are programing a web application and are using ASP.net hosted in IIS.
- Make sure you generate the Certificate correctly and get it in the right place in our machine’s Certificate Store.
- Make sure the processes you are using have the proper rights to access the Certificate. (on your machine, ASP.net, Network Service,…)
- Make sure you are pulling the certificate correctly.
1. Generating your Certificate
The following command can be executed from within the Visual Studio 2008 Command Prompt (located in your start menu All Programs\Microsoft Visual Studio 2008\Visual Studio Tools).
makecert -r -pe -n “O=MyCompany,OU=MyCompany,CN=MyCertificate” -b 10/12/2009 -e 12/31/2039 -ss My -sr LocalMachine -sky exchange
I will go over some of the flags used in this command but the rest of them you can look up in the MSDN documentation for the MakeCert utility. The big ones to remember are:
- -n which specifies the details about the key’s subject name and issuer.
- -ss which specifies the key store where the key should be kept (My is the Personal section)
- -sr this specifies the location of the key store that will be used to store the certificate (LocalMachine is the local key store for the machine you are on)
- -sky this specifies the key type. exchange allows you to sign and encrypt items with the certificate whereas signature only allows you to sign.
2. Make Sure Necessary Processes can Access the Certificate
In order for your website code to access a certificate it has to be accessible to your ASP.net application. To grant access to your newly created certificate you need to use a utility designed to manage access to your computer’s certificates. The utility is titled winhttpcertcfg and can be downloaded from Microsoft.
Once you have the utility installed run the following scripts in your command prompt (cmd.exe) to grant both ASP.net and the Network Service access to the certificate. You of course will need to make sure that the new utility is either in the direct path of the command prompt by switching to the install folder of the utility or by adding the utility to the Path environment variable of your computer.
winhttpcertcfg -g -a “%computername%\NT AUTHORITY\NETWORK SERVICE” -c LOCAL_MACHINE\My -s “MyCertificate”
winhttpcertcfg -g -a %computername%\ASPNET -c LOCAL_MACHINE\My -s “MyCertificate”
if you want to verify that the correct permissions have been granted you can run this next script which will tell you all processes which have access to the certificate.
winhttpcertcfg -l -c LOCAL_MACHINE\My -s “MyCertificate”
3. Pulling the Certificate Correctly
The following is a code snippet in C# detailing how to pull the certificate from the key store.
private X509Certificate2 GetX509Certificate()
X509Store keyStore = new X509Store(StoreName.My, StoreLocation.LocalMachine);
X509Certificate2Collection x509Certificates = keyStore.Certificates.Find(
if(x509Certificates.Count > 0)
x509Certificate = x509Certificates;
throw new Exception(
"x509 Certificate does not exist. Name: MyCertificate ";