I need to give access to the IIS user to a pfx certificate. The website is running under the App Pool under some user AppPoolUser. IIS automatically has the user name "IIS
You can also do this from the mmc Certificates snap-in. Just right-click the certificate in question, choose All Tasks -> Manage private keys..., and add the user you want (likely IIS APPPOOL\[your app pool]).
When you install the application it also adds the documentation:
C:\Program Files (x86)\Windows Resource Kits\Tools
The following examples show some of the ways in which the configuration tool can be used.
This command lists accounts that have access to the private key for the "MyCertificate" certificate in the "Root" certificate store of the LOCAL_MACHINE branch of the registry.
winhttpcertcfg -l -c LOCAL_MACHINE\Root -s MyCertificate
This command grants access to the private key of the "MyCertificate" certificate in the "My" certificate store for the TESTUSER account.
winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
This command imports a certificate and private key from a PFX file and extends private key access to another account.
winhttpcertcfg -i PFXFile -c LOCAL_MACHINE\My -a IWAM_TESTMACHINE
This command removes access to the private key for the IWAM_TESTMACHINE account with the specified certificate.
winhttpcertcfg -r -c LOCAL_MACHINE\Root -s MyCertificate -a IWAM_TESTMACHINE
To the original post, you just need to replace the domain "IIS APPPool" with your machine's local domain name - usually the same name as the machine. When WinHttpCertCfg runs, it will turn <MachineName>\<AppPoolUser> into <IIS APPPOOL>\<AppPoolUser> and grant access to the certificate. If you want to work on a dev desktop with local IIS, this should solve your problem. ICACLS only works on servers (which you will ultimately be deploying to).
I know it's an old question, but I just had the same problem yesterday so I thought I'd answer.
I had the same problem but with a certificate located in the LocalMachine -> TrustedPeople store...
You have to use icacls instead of WinHttpCertCfg, taken from this link.
Basically, it should look like this:
ICACLS <filename> /grant "IIS AppPool\DefaultAppPool":R
For the sake of completion, here is how I needed to do it to access the "Trusted People" store. Taken in part from this link.
Use the FindPrivateKey tool from Microsoft to locate the actual file for the cert in the store. This tool must be compiled from the source code in .\WF_WCF_Samples\WCF\Setup\FindPrivateKey\CS from the Windows Communication Foundation (WCF) and Windows Workflow Foundation (WF) Samples for .NET Framework 4 download.
FindPrivateKey.exe TrustedPeople LocalMachine -t "<thumbprint of the SSL cert>"
Use icacls on the file given by FindPrivateKey.
icacls C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\<path to certificate> /grant "IIS AppPool\<your AppPool name>":R
Voilà!
What works for me: my staging site is in network service (app pool) (deployment) and in my local it is "applicationpoolidentity" (working copy). Just change it to applicationpoolidentity and run your winhttpcertcfg command.
Update/tl;dr — I've created the CertAdmin module for PowerShell Core to easily get and set certificate permissions.
I was having the same issue:
WinHttpCertCfg seems to have been abandoned without a reasonable alternative. FindPrivateKey is unreasonable overhead in a Windows environment. Setting the permission for a cert involves granting the application pool the read right to the cert file.
This can be achieved using icacls.exe (the Windows Explorer security UI does not support application pools):
icacls C:\ProgramData\Microsoft\crypto\rsa\machinekeys\9876abcdeblahblahblah /grant "IIS AppPool\AppPoolName:R"
Windows stores machine keys in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, but the names of the files are not related to the certificate. The file name for each certificate can be obtained using this PowerShell code:
ls Cert:\LocalMachine\TrustedPeople |
select Subject,@{n='FileName';e={$_.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName}} |
Format-List
(Change "TrustedPeople" if your cert is in another store.)
The name of the application pool can be obtained from the Application Pools node of the IIS Manager, or by running this PowerShell code:
Import-Module WebAdministration; ls IIS:\AppPools
This PowerShell 3 script will use Out-GridView (ogv) as a GUI pick list for the cert and the app pool, then grant the permission:
ipmo WebAdministration
# Pick the certificate; the key container's unique name is the file name under MachineKeys
$cert = (ls Cert:\LocalMachine\TrustedPeople | ogv -OutputMode Single -Title "Select Certificate").PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
# Pick the application pool whose virtual account gets read access to the key file
$app = (ls IIS:\AppPools | ogv -OutputMode Single -Title "Select App Pool").Name
icacls $env:ProgramData\Microsoft\crypto\rsa\machinekeys\$cert /grant "IIS AppPool\$($app):R"
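Bringing the FindPrivateKey answer and the last answer together, here is an added example (written for this page, not code from any of the answers above nor from the CertAdmin module) that resolves a certificate to its key file in PowerShell, grants one application pool's virtual account Read access, and lists the resulting ACL, which is what winhttpcertcfg -l used to report. It also covers CNG keys, which the .PrivateKey.CspKeyContainerInfo route in the answer above does not: that property only exists for legacy CSP keys, so for a CNG key the script above produces an empty file name. The function names Get-PrivateKeyFile, Grant-AppPoolPrivateKeyRead and Get-PrivateKeyAccess, the parameter names, and the search under %ProgramData%\Microsoft\Crypto are our own choices; it assumes Windows with IIS installed and an RSA certificate in a LocalMachine store, and must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the answers above. Assumes Windows with IIS and an RSA
# certificate (with private key) in a LocalMachine store; function and parameter names
# are our own. Works on Windows PowerShell 5.1 and PowerShell 7 on Windows.

function Get-PrivateKeyFile {
    # Locate the on-disk key container for a certificate, for both legacy CSP keys and
    # CNG keys. The .PrivateKey.CspKeyContainerInfo route only covers CSP keys.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StoreName = 'My'     # e.g. 'My', 'TrustedPeople', 'Root'
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\$StoreName\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # GetRSAPrivateKey returns RSACryptoServiceProvider for CSP keys and RSACng for CNG keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "Only RSA keys are handled by this example." }

    $uniqueName = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName   # CSP key container name
    } else {
        $rsa.Key.UniqueName                              # CNG key container name
    }

    # Machine key files live under %ProgramData%\Microsoft\Crypto: RSA\MachineKeys for CSP
    # keys, Keys for CNG keys. Search the whole tree instead of hard-coding one folder.
    $search = @{
        Path    = "$env:ProgramData\Microsoft\Crypto"
        Recurse = $true
        File    = $true
        Filter  = $uniqueName
    }
    $file = Get-ChildItem @search -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $file) {
        throw "Key container '$uniqueName' has no file on disk (hardware or other KSP?)."
    }
    return $file.FullName
}

function Grant-AppPoolPrivateKeyRead {
    # Give one application pool's virtual account read access to the key file.
    # Read is all the pool needs to use the key; do not grant Full Control or Everyone.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $AppPoolName,
        [string] $StoreName = 'My'
    )
    $keyFile  = Get-PrivateKeyFile -Thumbprint $Thumbprint -StoreName $StoreName
    $identity = "IIS AppPool\$AppPoolName"   # same principal the icacls commands above use
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
    $acl  = Get-Acl -Path $keyFile
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    return $keyFile
}

function Get-PrivateKeyAccess {
    # List every account with an ACE on the key file, so a grant can be verified
    # and stray or over-broad entries can be spotted.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StoreName = 'My'
    )
    $keyFile = Get-PrivateKeyFile -Thumbprint $Thumbprint -StoreName $StoreName
    $columns = @(
        @{ n = 'Identity';  e = { $_.IdentityReference.Value } },
        @{ n = 'Rights';    e = { $_.FileSystemRights } },
        @{ n = 'Type';      e = { $_.AccessControlType } },
        @{ n = 'Inherited'; e = { $_.IsInherited } }
    )
    (Get-Acl -Path $keyFile).Access | Select-Object -Property $columns
}

# Usage (placeholders: substitute your own thumbprint and pool name):
# Grant-AppPoolPrivateKeyRead -Thumbprint '<thumbprint>' -AppPoolName 'DefaultAppPool' -StoreName 'TrustedPeople'
# Get-PrivateKeyAccess -Thumbprint '<thumbprint>' -StoreName 'TrustedPeople' | Format-Table -AutoSize
```

Get-Acl/Set-Acl are used instead of icacls so the result is an object you can inspect or assert on in a deployment script rather than text to parse. Run Get-PrivateKeyAccess once after the grant: the only entries on a key file should be SYSTEM, Administrators and the specific pool identities that need it.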