Tuesday, September 30, 2008

How to check the permission of a certificate?

When I hooked up my portal with the WCF service, I got "Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue 'b55d97f9f04d6115d138416b65f9b4100884339f'."

I suspect I may not have granted permission on the client certificate to the right account(s).

To check which accounts have been granted access to a certificate's private key, use:
winhttpcertcfg.exe -l -c Current_User\my -s "Issued to"

I used the commands below to grant permission to the IIS-related accounts:
winhttpcertcfg.exe -g -c Current_User\my -s "Issued to" -a "ASPNET"
winhttpcertcfg.exe -g -c Current_User\my -s "Issued to" -a "IIS_WPG"

One lesson: the "Issued to" value (which is actually the certificate subject) matches the first certificate whose subject contains the search keyword. If two certificates share the same "Issued to", winhttpcertcfg gives you no way to check the permissions of the second one.
So when you request a certificate, remember to give it a distinctive subject.
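Because winhttpcertcfg matches on subject text, two certificates with the same "Issued to" are ambiguous. The PowerShell script below, an added example that is not part of the original post, instead finds the certificate by the thumbprint quoted in the error message (the same lookup WCF performs) and then reads the ACL on its private key file, which is what winhttpcertcfg -l reports and -g changes. It assumes Windows PowerShell 5.1 with .NET 4.6 or later and a software RSA key (CSP or CNG) stored under the user profile, the usual case for CurrentUser\My.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 (.NET 4.6+)
# and a software RSA key (CSP or CNG) stored under the user profile.
function Get-CertPrivateKeyAcl {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Step 1: the same lookup WCF performs (StoreName My, StoreLocation CurrentUser, FindByThumbprint).
    $wanted = $Thumbprint.Replace(' ', '')
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -ieq $wanted }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $wanted in CurrentUser\My; WCF cannot find it, so key permissions are not yet the question."
        return
    }
    Write-Host ("Found '{0}', expires {1}" -f $cert.Subject, $cert.NotAfter)
    if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key to check.'; return }

    # Step 2: resolve the private key container name (CSP or CNG) without exporting the key.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } catch {
        Write-Warning "Private key not accessible to this account: $($_.Exception.Message)"; return
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        Write-Warning 'Not an RSA software key (ECDSA, smart card or TPM); inspect the provider instead.'; return
    }

    # Step 3: CSP keys live under %APPDATA%\Microsoft\Crypto\RSA\<SID>\, CNG keys under
    # %APPDATA%\Microsoft\Crypto\Keys\. Either way the key is a file with an ordinary NTFS ACL.
    $keyFile = Get-ChildItem -Path "$env:APPDATA\Microsoft\Crypto" -Recurse -File -Filter $keyName -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $keyFile) { Write-Warning "Key container '$keyName' not found under the user profile."; return }

    # This ACL is what winhttpcertcfg -l lists and winhttpcertcfg -g / -r modifies.
    Write-Host "Key file: $($keyFile.FullName)"
    (Get-Acl -Path $keyFile.FullName).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Thumbprint taken from the error message quoted at the top of the post.
Get-CertPrivateKeyAcl -Thumbprint 'b55d97f9f04d6115d138416b65f9b4100884339f' | Format-Table -AutoSize
```

If the first step already fails, the certificate is simply not in that store for the account running the service, and no amount of ACL changes will help.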

Granting these permissions did not resolve the issue described at the beginning of this article. I need to investigate further.
