无法创建SSL / TLS安全通道 - 作为exe工作但不在asp.net mvc中工作

Question

I have a problem with connectiong to an api over https. I wrote a little console application:

var handler = new WebRequestHandler();

X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

store.Open(OpenFlags.ReadOnly);
foreach (X509Certificate2 mCert in store.Certificates)
{    
    // add my locale certificate
    if (mCert.FriendlyName == "some_identifier_name")
        handler.ClientCertificates.Add(mCert);
}

var httpClient = new HttpClient(handler);
var response= httpClient.GetAsync("https://url-to-my.com/api/something").Result;
var result = response.Content.ReadAsStringAsync().Result;
Console.WriteLine(result);        

This little script works fine, I get a statuscode 200 and also the json data from the api. As you can see I have a certificate installed on my local machine, which I add in the code.

I tried the same script on my webserver and everything works fine there too! But if I run the script in my mvc application I still get the message "The request was aborted: Could not create SSL/TLS secure channel".

Where is the difference with the same code if I run it as an exe or as a mvc website?

PS: This code is not the answer to my question, I already tried it:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

Answer 1

Solution: IIS > Applications Pools > Chose your Apppool > Advanced Settings > Identity > Change to LocalSystem

Seems like you have to give your application pool enough rights to read the certificate from your local machine.

Answer 2

After spending 2 to 3 days for above issue, found following solution and you don't want to change "Identity" to "LocalSystem" (In Apppool Advance setting),

1. run up mmc.exe and choose File->Add/Remove Snap-in, select certificates on the left-hand list and when it asks you, choose Computer Account and Local Computer. Click OK to exit the selection page.
2. Open up the Personal->Certificates folder under the snap-in you just enabled. It is possible, that the Certificates folder doesn't exist (if it is empty).
3. Right-click in the contents pane of Personal or Certificates and choose All Tasks->Import
4. Go through the wizard to import your certificate and select the option to "mark it exportable" which is usually needed for SSL usage (I think it includes the private key only when this is ticked).
5. With the certificate imported, select it, choose All Tasks->Manage Private Keys
6. You will get a familiar security dialog where you can add users who can access the private key. Add the account for the user that is running the application pool for your web site.
7. If you are using "App Pool Identity", then the users are found with IIS Apppool\\app.pool.name Note that if you are running some versions of Windows Server, you will need to change the "location" parameter to point to the local machine rather than the domain which is selected by default, otherwise the user won't be found.

Reference : http://lukieb.blogspot.com/2015/04/the-request-was-aborted-could-not.html