We have an in-house application that requires the use of client SSL certificates to authenticate with a remote server (not under our control).
This has worked without problems before but on deploying to a new server, we're having problems getting Windows 2008 to use the certificate.
The certificate exists as a .pfx file that contains a private key. The same certificate exists in the LocalMachine store, again with its private key. We've ensured the one in the LocalMachine store is correct by creating a website in IIS against that certificate, so we're happy that the certificate, certificate chain, and private key are valid.
The PFX has been created by exporting from the Certificates MMC snap-in.
The issue is that we get the following in the system diagnostic logs that suggests it can't find the private key:
System.Net Information: 0 : [5988] SecureChannel#23264094 – Locating the private key for the certificate: [Subject]
CN=internal-server.company.com, OU=Servers, OU=Devices, O=org
[Issuer]
CN=SubCA02, OU=CA, o=org
[Serial Number]
407ABCDE
[Not Before]
31/10/2013 11:08:48 AM
[Not After]
31/10/2016 11:08:48 AM
[Thumbprint]
4354A34F6004F019E60F055979A47E50F62D1504
.
System.Net Information: 0 : [5988] SecureChannel#23264094 – Cannot find the certificate in either the LocalMachine store or the CurrentUser store.
I've validated the thumbprint, issuer and serial number listed in the log with the certificate in the LocalMachine store and these marry up.
From what I can tell with much searching, this appears to be a permissions issue. The user the application is running as has been granted access to the private key (Personal Certificates -> right click on the certificate -> All Tasks -> Manage Private Keys), so I'm now at a loss as to which permission(s) may be causing the issue.
UPDATES
We have added the application user to the 'Administrators' group, rebooted the server, and tried again. The issue remains.
We have enabled SChannel debugging (as per http://support.microsoft.com/kb/260729). The System event log reports the following warning:
The remote server has requested SSL client authentication but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail depending on the servers policy settings.
No .NET access denied exception is raised; in essence SChannel is falling back to not providing a client certificate. This has been verified with a Wireshark trace that shows a certificate count of zero before the remote end forces a TCP reset.
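An added diagnostic, not part of the original question, for checking the private-key permission point raised above: it looks up the certificate in LocalMachine\My by thumbprint, reports whether a private key is attached and whether it is machine-scoped, and lists the ACL on the key container file that SChannel must be able to read. It assumes a CSP RSA key (what an MMC .pfx import creates by default); the thumbprint is supplied as a parameter.

```powershell
# Added diagnostic, not code from the original post. Assumes a CSP (non-CNG)
# RSA key; run as an administrator so the key container can be inspected.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Strip spaces and any hidden characters pasted in from the MMC dialog.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }

if (-not $cert) {
    Write-Warning "No certificate with thumbprint $clean in LocalMachine\My"
    return
}

"Subject       : $($cert.Subject)"
"HasPrivateKey : $($cert.HasPrivateKey)"   # False = cert was imported without its key
if (-not $cert.HasPrivateKey) { return }

# For CSP keys .PrivateKey is an RSACryptoServiceProvider; CNG keys return $null,
# and a caller without access to the key raises a CryptographicException.
try   { $csp = $cert.PrivateKey }
catch { Write-Warning "Private key present but not accessible as $env:USERNAME : $_"; return }
if ($null -eq $csp) { Write-Warning "Key is not a CSP key; inspect the CNG key store instead"; return }

$info = $csp.CspKeyContainerInfo
"MachineKeySet : $($info.MachineKeyStore)"   # False = key lives in a user profile, not MachineKeys
"Container     : $($info.UniqueKeyContainerName)"

if ($info.MachineKeyStore) {
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
} else {
    # User-scoped keys sit under the importing user's profile, keyed by SID.
    $keyFile = Get-ChildItem (Join-Path $env:APPDATA 'Microsoft\Crypto\RSA') -Recurse -Force |
               Where-Object { $_.Name -eq $info.UniqueKeyContainerName } |
               Select-Object -First 1 -ExpandProperty FullName
}

if ($keyFile -and (Test-Path $keyFile)) {
    "Key file      : $keyFile"
    # The identity the application runs as needs Read on this file for SChannel to use the key.
    (Get-Acl $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
} else {
    Write-Warning "Key container file for $($info.UniqueKeyContainerName) was not found on disk"
}
```

If MachineKeySet reports False, the key was imported into a user profile and a service account running the application will not find it in the machine key store.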