Grant access to certificate’s private key in IIS 7.5
After a bad week (where my work machine died), I’ve finished reinstalling everything. This time, I’ve gone with Windows 7 and as a bonus, I’ve ended up with IIS 7.5. One of the things I needed to recover my working environment was to configure access to the certificates’ private keys (I have several WCF services which need certificates). In the old days, the solution was to use the winhttpcertcfg tool from the command line.
With IIS 7.5 (also available for IIS running in Vista and Server 2008 with SP2), we’ve got a “new” security feature called application pool identities. According to the docs, application pool identities “allow you to run app pools under a unique account without having to create and manage domains or local accounts”. So far, everything looks good and this is, indeed, a welcome new feature. Now, my problem was granting access to the private keys of the certificate to that account. Initially, I tried using my beloved winhttpcertcfg tool:
C:\Windows\system32>winhttpcertcfg -g -c LOCAL_MACHINE\My -s mycertificate -a "IIS APPPOOL\ASP.NET v4.0"
The result: “Error: no account information found.” Not good. I know that I could use the good old FindPrivateKey utility, but I thought that there should be an easier way of doing these things. And yes, there is. I’ve tripped into an even easier way of granting permissions to a private key (interestingly, available since Windows Vista – note to self: start poking around everywhere when a new version of an OS is released!). Take a look at the following image:
Notice the Manage private keys entry? Yep, that’s just what the doctor ordered! Clicking that option brings up the security dialog, and now it’s only a question of adding the correct account (which, if you’re using the new application pool identity, is as easy as typing “IIS apppool\your pool name”). Cool, right?
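For the times you cannot click through the dialog (build servers, repeatable environment setup), the same grant can be scripted. The following is an added example, not code from the original post or from any Microsoft tool: it locates the key file behind a LocalMachine\My certificate the way FindPrivateKey does and adds a Read ACE for the application pool identity, which is exactly what the Manage private keys dialog writes. It assumes Windows PowerShell on Windows 7 / Server 2008 R2 (or later) with IIS installed, a certificate whose private key is a CSP (CAPI) key, and the placeholder thumbprint and pool name below are yours to replace.

```powershell
# Added example (not from the original post): grant an IIS application pool
# identity read access to a certificate's private key file. Scriptable
# equivalent of certlm.msc -> Manage private keys.
# Assumptions: Windows PowerShell 5.1, certificate in LocalMachine\My with a
# CSP key (the kind WCF/IIS used at the time). $Thumbprint and $AppPoolName
# are placeholders.

param(
    [string]$Thumbprint  = "<CERT_THUMBPRINT>",   # placeholder: SHA-1 thumbprint, no spaces
    [string]$AppPoolName = "DefaultAppPool"        # placeholder: pool hosting the WCF service
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in this store."
}

# For CSP keys, PrivateKey is an RSACryptoServiceProvider whose container
# info names the file under MachineKeys. CNG keys (PrivateKey is $null)
# live elsewhere, so bail out rather than guess.
$rsa = $cert.PrivateKey
if ($null -eq $rsa) {
    throw "Key is not a CSP key (likely CNG); use the Manage private keys dialog."
}
$keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyPath)) {
    throw "Key file not found: $keyPath"
}

# Grant Read only: the pool needs to use the key, not replace or delete it.
# "IIS AppPool\<name>" resolves to the pool's virtual-account SID once the
# pool exists.
$account = "IIS AppPool\$AppPoolName"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "Read", "Allow")
$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the ACE landed on the key file.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -like "*$AppPoolName*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated prompt (writing ACLs under MachineKeys needs administrator rights). The Read-only grant is deliberate: Full Control on the key file would let a compromised worker process overwrite or delete the key, while Read is all the pool needs to sign and decrypt with it.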