问题
I'm developing WCF service with Transport Security hosted on IIS 7.5 under Windows 2008R2. I have a certificate, generated in IIS 7.5 which is stored in Local folder.
When I use BasicHttpBinding or WSHttpBinding with Transport Security - everything works fine. But when I change it to NetTcp I get an exception :
CryptographicException 'Keyset does not exist'.
After a bit of googling I found out that the problem can be because my NETSERVICE IIS account doesn't have premission to the private key of my certificate.
The solution could be to set the rights to accesss in MMC by right-clicking on my certificate and selecting "MANAGE PRIVATE KEYS" option. But there is no such option in the select menu!!! The Certificate was created under administrator account and where I open it - it says, that it has private key. What I'm I doing wrong?
回答1:
Go to server -> click Start -> Run -> type mmc -> enter -> select Certificates snap-in with Local Computer option -> Go to Console Root-> Certificates-> Personal-> Certificates-> Select a cert-> Right click-> Go to All tasks-> Manage Private Keys-> Add permissions
回答2:
Manage Private Keys option was missing when I first tried adding the certificates. Finally corrected it by following two steps.
Ran MMC as an administrator. File-> Add or remove Snap-ins-> Select Certificates -> Click on Add button.This will open a dialog. This snap-in will always manage certificate for : choose Computer account. Select the computer you want this snap-in to manage : choose Local computer. Click Finish. Click ok.
When you import the certificates(All tasks -> Import) in the Personal Folder, Make sure you are importing the .pfx file and NOT the .cer file.
回答3:
I had this same problem (Manage Private Keys option missing). In order to get it to appear I had to add the Certificates snap-in using the "Computer account" option instead of the default "My user account"
回答4:
In Windows 10 1809, it seems that the Manage Private Keys option is available only to certificates in the Personal store. The workaround is to drag and drop the certificate there, add permissions as needed and drag it back to where you need it.
回答5:
There can be one other problem, so I will mention it. Except -pe argument when creating a certificate using makecert.exe, be sure you are importing the .pfx file, not the .cer. If there is not a .pfx file, use an additional tool such as pvk2pfx.exe to created.
回答6:
The Manage Private Keys Option is only available for certificates with an exportable private key
In my case, I experienced this problem despite configuring the Certificates snap-in to access the COMPUTER account. Further, the suggestion to get a .PFX certificate in this answer isn't an option for me.
I solved the problem by specifying that the private key be exportable when creating the certificate request (which I'm doing via the Certificates MMC snap-in):
Even though the certificate I got back from the public CA was a .CER file, the Manage Private Keys menu option was available for it. I don't know a lot about certificates, but I conclude that the menu option only appears when the private key can be exported. In light of this answer, perhaps certificates in the .PFX format always allow this to be done. Nonetheless, it's good to know it's possible for other certificate formats.
回答7:
- Open the Command Prompt (Run as Administrator)
- Enter and execute command,
certutil -repairstore my "thumbprint" (replace thumbprint with the 32 characters) - If succesful, you will recieve message,
certUtil: -repairstore command completed successfully.
来源:https://stackoverflow.com/questions/14337947/manage-private-keys-option-missing