There are two projects in one VS solution: client(wpf app) and а wcf service lib.
I'm using Message security and a custom AspNetMembershipPrivider on th server side to validate username and pass.
As i'm not using Windows security, I had to use certificate on server to establish secure chanell, and what i did:
- opened my local IIS manager and added self-signed certificate named likemy dev machine.
- checked that this certificate appeared in Certificates snap-in under Personal-Certificates
- configured wcf .config to point to that certificate.
- started my client app in VS (and VS also started wcfhost app for my wcf lib)
Everything was fine, wcfhost worked fine and my services worked ok until I rebooted. After reboot wcfhost stated complaining:
The certificate 'CN=xxx' must have a private key that is capable of key exchange. The process must have access rights for the private key. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist
Only thing what helpes is recreating my certificate, and again until reboot.
As i stated above my service is running under my user account(local admin), so I don't think that permissions to my c:\Users\xxx\AppData\Roaming\Microsoft\Crypto\RSA\ files is the issue.
The reason I'm using iis manager to create certificated and not makesert etc. is because I want tobe sure everything will be working on my shared osting account I have (there is on option in hosting panel of creating self-signed certificates).
Can anyone assist with this? Thanks
Certificates are pretty difficult from my experience (i'm sure others have strolled through it). Seeing as you've had it working, it seems like you're almost there, so my reccomendations revolve around setting certs up in a different way:
- Use SelfSSL.exe - available as part of the IIS6.0 resource kit with the following command: SelfSSL.exe /T /N:CN=localhost /V:999 /Q (you can replace localhost with servername). This will create the cert and install it in IIS valid for 999 days.
- Use winHttpCertCfg - available from Microsoft with the following command: winHTTPCertCfg.exe -g -c local_machine\my -s localhost -a SERVICEACCOUNT (replaceing localhost and SERVICEACCOUNT accordingly) to give the service account you're running it under access to the certs private key.
Let me know if you have any luck!
I solved the issue.
I'm running Vista on my dev box with UAC on. A week or so ago I changed the way I start Visual Studio and apparently I didn't notice that I was working in VS started without an option "Run as administrator". Thats why WcfHost lounched by VS also had limited rights. My bad, I rarely restart VS, it is common practice having a VS running for a week or two with for example unreal3 lunched simultaniosly.
By th way can anyone say will I have problems with access rights for the certificates on a shared hosting(IIS7) with Message security? or shall I target Transport security.
Running as administrator will overwhelm the protections on the certificate, which works. But the solution is to grant the username under which your server is running to the certificate. In the snap-in, right-click the certificate and take all tasks -> manage private keys -> Add a group or user name. For IIS, change the location to your local machine, and the user name is "IIS AppPool/xxxxx" where xxxxx is the name of the IIS application pool in which the application that wants to use the certificate is running. If you get it right the 'check' button will tell you so. I also fumbled through it in IIS Express but don't clearly remember what I did! I had to fire IIS Express up, find it in the task manager, and use the details column to see what username it was under. Hope this helps. Worked for me.
来源:https://stackoverflow.com/questions/752499/wcf-certificate-keyset-does-not-exist-problem-after-reboot