无法从X509Store读取CurrentUser证书

Question

I'm developing ASP.NET 4.0 web application, and I want to read the current user certificates from X509Store. Reading the LocalMachine certificates works fine, but if I set the StoreLocation to CurrentUser, it gives me an empty collection.

The following code works fine :

X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); // StoreLocation.CurrentUser
store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

I've checked my personal store (via certmgr.mmc) and I'm sure that I have the certificates.

What am I missing ? ( store.Certificates is empty )

Answer 1

It appears that you can not access the Personal Certificate Store via web application, no matter what application pool identity you're using.

It makes sense, a web application has no access to that location. :)

My solution :

I've developed an ActiveX control which I think its the only way to access the Store. (Also, a Java Applet offers the same functionality). I use the ActiveX control via JavaScript to access the Store, and send that information to the server.

Answer 2

If your worker process cannot access cert store, maybe it's just account setup problem. Try go ing to IIS Configuration, open ApplicationPools, right click on yours, select Advanced and try setting LoadUserProfile to TRUE. And restart the pool. It worker for me - no more exceptions when loading .PFX with private keys.

Answer 3

I had a similar problem. The solution was:

IIS admin->[your virtual dir]->Authentication->Anonymous Authentication (select then click "Edit...") and change it to use "Application pool identity".

Otherwise it may be running as the generic "IUSR"