
ASTRA

How-to: Configure X.509 certificate for use by Microsoft ASP.NET web application

Purpose of Document: In order for an ASP.NET web application to sign requests with an X.509 certificate, the process executing the request needs access to the private key of the certificate. This applies to web service requests as well as LDAP requests.

The default identity of the process that executes requests for a web application is:

  • for IIS 5, ASPNET account
  • for IIS 6, Network Service account

Whichever identity the process runs as, that account must be given Full Control access to the private key of the certificate. This can be done with the winhttpcertcfg tool, available as a download from Microsoft.

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a ASPNET

Alternatively, you can navigate to the machinekeys folder in Windows Explorer, determine the correct private key (most likely by timestamp), and give the appropriate process account access to the private key.

In addition to the process account, if you enable impersonation, you will also need to give the impersonated account access to the private key. For instance, if you use the "Anonymous Account", you will need to perform the same steps as you did with the process account.
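
The manual machinekeys approach can be made deterministic by asking the certificate for its key container name instead of guessing by timestamp. The script below is an added example, not part of the original document; run it once per account (process account, then any impersonated account). It assumes an elevated Windows PowerShell session and a CSP-backed RSA key, and the parameter names and default values are illustrative.

```powershell
# Added example: find the private key file behind a LOCAL_MACHINE\My certificate,
# show who can access it, and grant one account access.
# Assumptions: elevated session, CSP-backed RSA key; parameter names are illustrative.
param(
    [string]$Subject = 'MyCertificate',                 # same value as winhttpcertcfg -s
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE',  # or ASPNET, or the impersonated account
    [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl'
)

function Show-KeyAcl([string]$Path, [string]$Label) {
    Write-Host "$Label $Path"
    (Get-Acl -LiteralPath $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
        Out-String | Write-Host
}

# Refuse to proceed on an ambiguous match so the wrong key is never opened up.
$matches = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" })
if ($matches.Count -ne 1) {
    throw "Expected exactly one certificate matching '$Subject', found $($matches.Count)."
}
$cert = $matches[0]
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key on this machine."
}

# The unique container name is the file name inside the MachineKeys folder.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) {
    throw 'Private key is not CSP-backed; this lookup does not apply.'
}
$appData = [Environment]::GetFolderPath('CommonApplicationData')
$keyFile = Join-Path $appData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path -LiteralPath $keyFile)) {
    throw "Key file not found: $keyFile"
}

Show-KeyAcl $keyFile 'ACL before change:'

# Add an allow rule for the account; existing entries are left untouched.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

Show-KeyAcl $keyFile 'ACL after change:'
```

The before and after listings also serve as a quick audit of which accounts can currently use the private key.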