We have an in-house application that requires the use of client SSL certificates to authenticate with a remote server (not under our control).
This has worked without problems before but on deploying to a new server, we're having problems getting Windows 2008 to use the certificate.
The certificate exists as a .pfx file that contains a private key. The same certificate exists in the LocalMachine store, again with its private key. We've ensured the one in the LocalMachine store is correct by creating a website in IIS against that certificate, so we're happy that the certificate, certificate chain, and private key is valid.
The PFX has been created by exporting from the Certificates MMC snap-in.
The issue is that we get the following in the system diagnostic logs that suggests it can't find the private key:
System.Net Information: 0 : [5988] SecureChannel#23264094 – Locating the private key for the certificate: [Subject]
CN=internal-server.company.com, OU=Servers, OU=Devices, O=org
[Issuer]
CN=SubCA02, OU=CA, o=org
[Serial Number]
407ABCDE
[Not Before]
31/10/2013 11:08:48 AM
[Not After]
31/10/2016 11:08:48 AM
[Thumbprint]
4354A34F6004F019E60F055979A47E50F62D1504
.
System.Net Information: 0 : [5988] SecureChannel#23264094 – Cannot find the certificate in either the LocalMachine store or the CurrentUser store.
I've validated the thumbprint, issuer and serial number listed in the log with the certificate in the LocalMachine store and these marry up.
From what I can tell with much searching, this appears to be a permissions issue. The user the application is running as has been granted access to the private key (Personal Certificates - right click on the certificate - all tasks - Manage Private Keys), so I'm now at a loss as to which permission(s) it may be that is causing the issue.
