X509Certificate - Keyset does not exist

北海茫月 2020-12-05 04:01

I have a WinForms application that consumes a WCF, and I pass a certificate as a parameter to a function:

mySvcClient.SendDocument(cert.Export         


        
6 Answers
  • 2020-12-05 04:40

    I think the problem is that you need to add the key to the machine's certificate store.

  • 2020-12-05 04:48

    If you are using Windows Server 2008 or Windows 7, then you need the permission to read the private key.

    1. Use the FindPrivateKey tool to find the path. For example:

       FindPrivateKey My LocalMachine -n "CN=MyCert" -a

       It returns the path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\[File Name]

    2. Go to that path and open the file properties

    3. Go to the Security tab

    4. Click on "Edit" then "Add"

    5. In the opened dialog write: IIS AppPool\[your application pool name] and click OK

    Now your application pool has permission to read this private key.

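The manual steps in the answer above can also be scripted. The following PowerShell is an added example, not part of the original answer or of the FindPrivateKey tool; the subject `CN=MyCert` and the pool name `MyAppPool` are placeholder values, and it assumes an elevated prompt. It grants read access to one named account only, and it looks in both the CSP and the CNG key directories.

```powershell
# Added example: find the private key file of a LocalMachine\My certificate
# and grant a single account read access to it.
# Hypothetical defaults: subject 'CN=MyCert', app pool 'MyAppPool'.
param(
    [string]$Subject = 'CN=MyCert',
    [string]$Account = 'IIS AppPool\MyAppPool'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for '$Subject'." }

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $($cert.Thumbprint) has no RSA private key." }

# The on-disk file name comes from the CNG key or from the CSP container.
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $fileName = $rsa.Key.UniqueName
} else {
    $fileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# CSP machine keys live under RSA\MachineKeys, CNG machine keys under Keys.
# Check both rather than guessing from the object type.
$keyPath = 'Microsoft\Crypto\RSA\MachineKeys', 'Microsoft\Crypto\Keys' |
    ForEach-Object { Join-Path (Join-Path $env:ProgramData $_) $fileName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyPath) { throw "Key file '$fileName' not found in either key directory." }

# Add a read-only allow rule for the one account that needs the key.
$acl  = Get-Acl -LiteralPath $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyPath -AclObject $acl

# Show the resulting entries for that account so the change can be verified.
(Get-Acl -LiteralPath $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```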
  • 2020-12-05 04:54

    Vano Maisuradze's answer works. If you are looking for the FindPrivateKey tool, it is included in the Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4, which can be found here: http://www.microsoft.com/en-us/download/confirmation.aspx?id=21459

    Once downloaded and extracted, open the project WF_WCF_Samples\WCF\Setup\FindPrivateKey\CS in Visual Studio and compile it. Then open a command prompt and navigate to: WF_WCF_Samples\WCF\Setup\FindPrivateKey\CS\bin

    Then continue with Vano Maisuradze's answer.

  • 2020-12-05 04:55

    Application Pool Identity accounts don't have access to the certificate store by default.

    Either you change to the Network Services account, as pointed out by Vaibhav.Inspired, or you give access to the certificate.

    To allow access, run the following command:

    WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "IssuedToName" -a "AccountName"

    Notes:

    - The tool may need to be installed first. The setup will place the tool at `C:\Program Files (x86)\Windows Resource Kits\Tools\WinHttpCertCfg.exe`.
    - `IssuedName` is the issuer property of the certificate that the application will attempt to access
    - The command must be run from command prompt with elevated privileges
    

    Reference: https://support.microsoft.com/en-us/help/901183/how-to-call-a-web-service-by-using-a-client-certificate-for-authentica (Step 2)

    Also, you need to enable the "Mark this key as exportable" option when installing the certificate.

  • 2020-12-05 04:58

    I was facing the same issue, and I don't know how (shame on me), but it worked:

    // X509Certificate2, X509KeyStorageFlags and GetRSAPrivateKey() come from this namespace
    using System.Security.Cryptography.X509Certificates;

    var certificate = new X509Certificate2(filePath, password,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
    
    _ = certificate.PrivateKey; // before: error "KeySet does not exist"!
    
    using (certificate.GetRSAPrivateKey()) { } // pure black magic
    
    _ = certificate.PrivateKey; // after: just works! lol
    

    I hope someone can answer this mystery.

  • 2020-12-05 05:03

    I have faced this issue; my certificates were having private keys but I was getting this error ("Keyset does not exist").

    Cause: Your web site is running under the "Network services" account or is having less privileges.

    Solution: Change the Application pool identity to "Local System", reset IIS and check again. If it starts working, it is a permission/less-privilege issue; you can impersonate then using other accounts too.
