Tuesday, September 30, 2008

How to check the permission of a certificate?

When I hooked up my portal with the WCF service, I got "Cannot find the X.509 certificate using the following search criteria: StoreName 'My', StoreLocation 'CurrentUser', FindType 'FindByThumbprint', FindValue 'b55d97f9f04d6115d138416b65f9b4100884339f'. "

I suspect maybe I have not granted permission on the client certificate to the right account(s).

To check which accounts have been granted access to a cert, use:
winhttpcertcfg.exe -l -c Current_User\my -s "Issued to"

I used the commands below to grant permission to the IIS-related accounts:
winhttpcertcfg.exe -g -c Current_User\my -s "Issued to" -a "ASPNET"
winhttpcertcfg.exe -g -c Current_User\my -s "Issued to" -a "IIS_WPG"

One lesson: "Issued to" (which is actually the subject) selects the first cert whose subject matches (or includes) the search keyword. If you have two certs sharing the same "Issued to", then you have no way to use winhttpcertcfg to check the permissions of the second cert.
So when you apply for a cert, pay attention to giving it a good, distinct subject.
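
The subject-matching limitation can be avoided by selecting the certificate by thumbprint instead. The PowerShell below is an added example, not part of the original post: it lists every cert whose subject contains a keyword, then shows the private-key access rules for one cert chosen by thumbprint. It assumes Windows PowerShell 5.1 and an RSA key held by a legacy CSP; the function names Get-SubjectMatches and Get-PrivateKeyAcl are made up for this illustration.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 5.1
# and an RSA private key held by a legacy CSP, not a CNG key storage provider.
param(
    [string]$StorePath  = 'Cert:\CurrentUser\My',
    [string]$Keyword    = 'Issued to',   # placeholder subject text, as in the post
    [string]$Thumbprint = 'b55d97f9f04d6115d138416b65f9b4100884339f'  # from the error message
)

# Every certificate whose subject contains the keyword; winhttpcertcfg -s
# only ever acts on the first of these.
function Get-SubjectMatches {
    param([string]$StorePath, [string]$Keyword)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject.IndexOf($Keyword, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
        Select-Object Thumbprint, Subject, NotAfter, HasPrivateKey
}

# Access rules on the private key of exactly one certificate.
function Get-PrivateKeyAcl {
    param([string]$StorePath, [string]$Thumbprint)
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $StorePath" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key here" }

    $key = $cert.PrivateKey
    if ($key -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw "Private key is not a CSP RSA key; this example does not cover it"
    }
    $info = $key.CspKeyContainerInfo
    $info.CryptoKeySecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object @{n='Container'; e={ $info.UniqueKeyContainerName }},
                      IdentityReference, CryptoKeyRights, AccessControlType
}

Get-SubjectMatches -StorePath $StorePath -Keyword $Keyword | Format-Table -AutoSize
Get-PrivateKeyAcl  -StorePath $StorePath -Thumbprint $Thumbprint | Format-Table -AutoSize
```

Cert:\CurrentUser is specific to the account running the script, so the output reflects that account's store only.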

Granting these permissions did not resolve the issue described at the beginning of this article. I need to investigate further.
