In Windows 2003 it was simple to do and one could use winhttpcertcfg.exe to give the "NETWORK SERVICE" account access to a certificate.

I'm now using Windows Server 2008 R2 with IIS 7.5 and I am unable to find where and how to set access permissions on a certificate in the certificate store. This post showed how to do it in Vista and that the winhttpcertcfg features were added into the Certificates MMC; however, it doesn't seem to work with imported certificates, or doesn't work anymore on Server 2008 R2.

So does anyone have any idea how to give IIS 7.5 the correct permissions to read a certificate from the certificate store? And also, which account from IIS 7.5 needs the permission?

thames

1 Answer

  1. Create / purchase a certificate. Make sure it has a private key.
  2. Import the certificate into the "Local Computer" account. It is best to use the Certificates MMC. Make sure to check "Allow private key to be exported".
  3. Depending on which identity the IIS 7.5 application pool runs under, use one of the following:

    • IIS 7.5 website is running under ApplicationPoolIdentity: using the Certificates MMC, add "IIS AppPool\AppPoolName" with Full Trust on the certificate in "Local Computer\Personal". Replace "AppPoolName" with the name of your application pool.
    • IIS 7.5 website is running under NETWORK SERVICE: using the Certificates MMC, add "NETWORK SERVICE" with Full Trust on the certificate in "Local Computer\Personal".
    • IIS 7.5 website is running under MyIISUser, a local computer user account: using the Certificates MMC, add "MyIISUser" (a new local computer user account) with Full Trust on the certificate in "Local Computer\Personal".

To add a user with Full Trust on a certificate, right-click the certificate -> All Tasks -> Manage Private Keys.

ΩmegaMan
    Right-click All Tasks only gives me Open or Export... :( – Ian Grainger Aug 26 '14 at 11:09
    @IanGrainger I'm guessing you're not running as admin or aren't managing machine keys. – user12861 May 26 '20 at 21:08
  • Point no. 2 helped me to solve the issue with being unable to read the private key of the certificate and the app pool account access issue. I missed this while importing the certificate; I removed the certificate and imported it again with the "Allow private key to be exported" option checked, and the issue was resolved. Thanks for this. – Esaki Oct 06 '20 at 08:58
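The "Manage Private Keys" dialog in the answer above edits the NTFS ACL on the key container file under %ProgramData%\Microsoft\Crypto. The script below is an added example, not code from the original answer, that does the same thing from an elevated PowerShell prompt on the IIS host, which also helps when the menu item is missing (see the comment above). It assumes the certificate was imported into Local Computer\Personal (Cert:\LocalMachine\My) with its private key, that the thumbprint and application pool name you pass are placeholders for your own, and that the pool already exists so that the "IIS AppPool\<name>" virtual account resolves. It grants Read rather than the Full Control the MMC dialog defaults to, since reading the key file is all IIS needs to load the certificate.

```powershell
# Added example, not from the original answer: scripted equivalent of
# Certificates MMC -> All Tasks -> Manage Private Keys.
# Assumptions: -Thumbprint and -AppPoolName are placeholders supplied by you;
# the certificate lives in LocalMachine\My; run from an elevated prompt.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    [string] $AppPoolName = 'DefaultAppPool',   # assumed pool name
    # Override for pools that do not run as ApplicationPoolIdentity, e.g.
    # 'NT AUTHORITY\NETWORK SERVICE' or a local user such as 'MyIISUser'.
    [string] $Identity
)

$ErrorActionPreference = 'Stop'
if (-not $Identity) { $Identity = "IIS AppPool\$AppPoolName" }

# Locate the certificate by thumbprint (MMC copies often contain spaces).
$Thumbprint = $Thumbprint.Replace(' ', '').ToUpper()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; re-import the PFX or try: certutil -repairstore my $Thumbprint"
}

# Find the key container file on disk. Legacy CSP (CAPI) machine keys live in
# ProgramData\Microsoft\Crypto\RSA\MachineKeys; CNG keys in
# ProgramData\Microsoft\Crypto\Keys. The MMC dialog edits this file's ACL.
$csp = $null
try { $csp = $cert.PrivateKey } catch { }   # null or throws for CNG keys
if ($csp) {
    $container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
} else {
    # CNG key: needs .NET 4.6+ for RSACertificateExtensions
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
}
if (-not (Test-Path -Path $keyFile)) { throw "Key file $keyFile not found." }

# Grant Read only: enough for IIS to load the key, narrower than Full Control.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: show the ACEs now present for the identity on the key file.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it as, for example, `.\Grant-CertKeyAccess.ps1 -Thumbprint '<thumbprint>' -AppPoolName 'MyPool'` (file name and values are placeholders). If the ACE is present but the site still cannot read the key, check that the pool identity actually matches what you granted (Advanced Settings -> Identity in IIS Manager); a pool running as NETWORK SERVICE gets nothing from an ACE for "IIS AppPool\MyPool".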