Sunday, February 13, 2011

Wcf: Keyset does not exist


When using X.509 certificates with Wcf, one of the following errors may appear:

System.Security.Cryptography.CryptographicException: Keyset does not exist
ArgumentException: The certificate 'CN=MyCert' must have a private key that is capable of key exchange. The process must have access rights for the private key.

95% of the time this means that the certificate the server/client uses either does not have a private key, or the Wcf host process does not have permissions to that key.

No private key
This case applies when the certificate is expected to have a private key, e.g. the server's own certificate as configured on the server side, as opposed to the server's public certificate as configured on the client. To check whether the certificate has a private key follow these steps:

1. start-->run-->"mmc"

2. file-->add remove snap in...

3. double click "certificates" in the list

4. Choose "My user account" if the certificate is located in the current user store, or "Computer account" if located on the local machine store. If you are unsure you can repeat the process twice each time with a different choice.

5. click Finish + Ok

6. now expand the tree to the correct store and when you see the certificate double click it. Then check if it has the little key icon on it. If it does not then you did not import it with its private key (or got the wrong cert).
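The same check can be scripted instead of clicking through the MMC snap-in. The following PowerShell is an added example, not part of the original post: it looks in both stores mentioned above and reports the HasPrivateKey property, which is the programmatic equivalent of the little key icon. The subject filter 'CN=MyCert' is an assumed placeholder taken from the error text; replace it with your own certificate's name.

```powershell
# Added example (not from the original post): report whether the certificate
# store actually holds a private key for a given certificate.
# $SubjectFilter is an assumed placeholder; adjust it to your certificate.
param([string]$SubjectFilter = 'CN=MyCert')

function Test-CertPrivateKey {
    param(
        [Parameter(Mandatory)][string]$SubjectFilter
    )
    # Check both stores the post talks about: "My user account" and
    # "Computer account". A cert imported into the wrong one is a common mistake.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -like "*$SubjectFilter*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # $false here means the PFX was imported without its key,
                    # or you picked the wrong (public-only) certificate.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

Test-CertPrivateKey -SubjectFilter $SubjectFilter | Format-Table -AutoSize
```

Run it once as the interactive user and once under the account the Wcf host actually uses (for IIS, the application pool identity); a certificate that shows up only in the CurrentUser store of the admin will not be visible to a service running as another account.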

No permissions
Even if the certificate has a private key, it still does not mean all users on the machine have access to it. One common gotcha is to give access to the admin (or logged-in user) but forget that IIS usually runs under another user account. This can cause code to work correctly under an interactive user but fail under IIS or any Windows service. One way to check if this is the case is to give the user full permissions to the key (temporarily!).

How to give permissions to a key?
The hard way is using WinHttpCertCfg.exe (details, download):

winhttpcertcfg -g -c LOCAL_MACHINE\My -s CN=WSE2QuickStartServer -a SomeUser

Another way is using some gui utility and WseCertificate2.exe is a good one:

1. install the Wse2 sdk

2. run C:\Program Files\Microsoft WSE\v2.0\Tools\Certificates\WseCertificate2.exe

3. choose the certificate using the location / store drop down lists and the "open certificate" button.

4. click the "view private key file properties..." button on the bottom.

5. depending on your OS version, grant permissions for the user you want.
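Both winhttpcertcfg -g and the WSE tool do the same thing underneath: they change the NTFS ACL on the file that holds the key container. The following PowerShell is an added example, not part of the original post or of either tool, showing that step directly so the change can be audited. It assumes a CAPI (CSP) key in the LocalMachine\My store, which is what the WSE2 tooling manages, and an elevated session; the thumbprint and the account name are placeholders. It grants Read rather than full control, which is all a Wcf host needs to use the key.

```powershell
# Added example (not from the original post): locate the private key container
# file behind a machine-store certificate and grant a service account Read
# access to it. Thumbprint and account are assumed placeholders.
function Grant-CertPrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        # e.g. 'IIS APPPOOL\DefaultAppPool' or 'NT AUTHORITY\NETWORK SERVICE'
        [Parameter(Mandatory)][string]$Account
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

    # First failure mode from the post: the store has no private key at all.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in the store; re-import the PFX with its key."
    }

    # CAPI keys expose CspKeyContainerInfo; CNG keys do not and live under
    # %ProgramData%\Microsoft\Crypto\Keys instead, so bail out clearly.
    $rsa = $cert.PrivateKey
    if ($null -eq $rsa -or $null -eq $rsa.CspKeyContainerInfo) {
        throw "Key is not a CAPI/CSP key; inspect the CNG key file under $env:ProgramData\Microsoft\Crypto\Keys instead."
    }

    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $keyPath = Join-Path $keyDir $keyName
    if (-not (Test-Path -Path $keyPath)) {
        throw "Key container file not found: $keyPath"
    }

    # Second failure mode: the host account is not in the key file's ACL.
    # Add a Read entry for it; full control is not required to use the key.
    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

    # Return the resulting entries for the account so the change can be verified.
    (Get-Acl -Path $keyPath).Access | Where-Object { $_.IdentityReference -eq $Account }
}

# Usage (placeholders): Grant-CertPrivateKeyRead -Thumbprint '<thumbprint>' -Account 'IIS APPPOOL\DefaultAppPool'
```

If the call fails on $cert.PrivateKey with "Keyset does not exist", the account running the script itself has no access to the key, which is the same condition the post describes, just hit one step earlier.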

If all this did not help, then make sure that when you installed the certificate you checked the "mark this key as exportable" checkbox.

Sometimes these permissions are cached, so you can also restart IIS (and maybe even the PC). And as always with certificates, when you're already pulling out your hair it's time to uninstall all certificates and start all over again.




İsmail Kocacan said...

I am getting error "Private key does not exist or is not accessible"

That link

Yaron Naveh (MVP) said...

Most of the time this is a file permission issue.