I get this question from time to time, most often because you have to set ACLs on the private key file to grant access to worker process accounts.
There is no clean way to do that in managed code. The general procedure is:
- Select a certificate
- Create an RSACryptoServiceProvider object from the certificate’s PrivateKey property
- Retrieve the UniqueKeyContainerName property from its CspKeyContainerInfo; this is the name of the key container file on disk
- Search for this file name in the various locations where keys are stored. That's under ApplicationData (Microsoft\Crypto\RSA\<user SID>) for user keys and CommonApplicationData (Microsoft\Crypto\RSA\MachineKeys) for machine keys
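The four steps above, followed by the ACL change, as an added PowerShell example (this is not the post's own tool; it is written against the same .NET classes). The function names Find-PrivateKeyFile and Grant-PrivateKeyRead, the thumbprint placeholder and the account name 'IIS AppPool\DefaultAppPool' are assumptions for illustration, not values from the post. The script only handles CAPI (RSACryptoServiceProvider) keys, which is all the procedure above covers; CNG keys throw or cast differently and are stored under Microsoft\Crypto\Keys instead, so the script stops rather than searching the wrong tree.

```powershell
# Added example, not the post's own tool. Locates the CAPI private key file of a
# certificate and grants a worker process account read access to it using
# System.Security.AccessControl. Function names, thumbprint and account are
# placeholders (assumptions), not values from the post.

function Find-PrivateKeyFile {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store."
    }

    # Step 2: PrivateKey yields an RSACryptoServiceProvider for CAPI keys.
    # On newer .NET the getter throws for CNG keys, and an RSACng does not cast;
    # those keys live under ...\Microsoft\Crypto\Keys and are out of scope here.
    try   { $key = $Certificate.PrivateKey } catch { $key = $null }
    $rsa = $key -as [System.Security.Cryptography.RSACryptoServiceProvider]
    if ($null -eq $rsa) {
        throw "Private key of $($Certificate.Thumbprint) is not a CAPI RSA key (probably CNG)."
    }

    # Step 3: the container info carries the on-disk file name and which store it is in.
    $info     = $rsa.CspKeyContainerInfo
    $fileName = $info.UniqueKeyContainerName

    # Step 4: machine keys sit under CommonApplicationData, user keys under the
    # current user's ApplicationData (other users' keys are in their own profiles).
    if ($info.MachineKeyStore) {
        $root = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
    } else {
        $root = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Microsoft\Crypto\RSA'
    }

    $file = Get-ChildItem -Path $root -Filter $fileName -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($null -eq $file) {
        throw "Key container file '$fileName' not found under $root."
    }
    return $file.FullName
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)] [string] $KeyFile,
        [Parameter(Mandatory)] [string] $Account
    )
    # Read is enough for a worker process that only signs or decrypts with the key.
    # Do not grant FullControl: that would let the account replace or delete the key.
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

# Usage. Both values below are placeholders (assumptions), not from the post.
$Thumbprint = '0000000000000000000000000000000000000000'   # replace with your certificate's thumbprint
$Account    = 'IIS AppPool\DefaultAppPool'                  # the worker process account

$cert    = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"   # Step 1: select the certificate
$keyFile = Find-PrivateKeyFile -Certificate $cert
Grant-PrivateKeyRead -KeyFile $keyFile -Account $Account

# Show the resulting DACL so the change can be verified.
(Get-Acl -Path $keyFile).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Run this from an elevated prompt when the certificate is in the machine store, since changing the DACL of files under MachineKeys requires administrative rights. Grant the narrowest right that works (Read); the same rule object can be built with other FileSystemRights values if a process genuinely needs more.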
If you only want to set ACLs, there are two tools that can do that for you:
- WinHttpCertCfg.exe
- The certificates tool included in WSE3
I wrote a little tool that does the above steps and displays the ACL editor via ShellExecute (with a little help from the WSE3 tool and Reflector). You could of course use this code to do your own ACLing with System.Security.AccessControl.