
Can I set security on private key programmatically


Phil Lee

Feb 13, 2007, 10:22:37 AM
Hi,

in the WSE3 setup we have a way of setting security (permitting ASPNET
account access for example) on a private key using a batch file and
WinHttpCertCfg something like this:

set WP_ACCOUNT=NETWORK SERVICE
rem On Windows XP (version 5.1) the ASP.NET worker runs as the local ASPNET account
(ver | findstr "5.1") && set WP_ACCOUNT=%COMPUTERNAME%\ASPNET
winhttpcertcfg -i private.pfx -p password -c LOCAL_MACHINE\My -a "%WP_ACCOUNT%"

I would like to do this programmatically.
Does anyone know how? C# would be nice, but I'm betting this is a low level
COM interface.

Regards,
Phil

Steven Cheng[MSFT]

Feb 14, 2007, 2:51:36 AM
Hello Phil,

From your description, you want to programmatically configure the DACL access
permissions on the private key file (associated with a certain certificate),
correct?

Based on my research, I think you have two possible approaches to do the
work in .NET code:

1. Use the Process class to programmatically call the "winhttpcertcfg.exe"
utility. This is a common approach which suits the scenario of calling any
command-line utility (such as devenv.exe, ping.exe ...). Here are some web
articles discussing this:

http://www.codinghorror.com/blog/archives/000133.html

http://www.thescarms.com/dotnet/Process.asp


2. You can also directly locate the private key container's physical file
on the file system (by looking up the machine and user key stores). The WSE
"WseCertificate3.exe" tool uses some managed code to locate the private
key file of a certain certificate. I've used Reflector to pick up some code
from it, and then used .NET's NTFS file AccessControl API to grant access,
e.g.


=========================================
// Namespaces the snippet needs (not listed in the original post):
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

private void btnGetKeyFile_Click(object sender, EventArgs e)
{
    string subject = "WSE2QuickStartServer";

    // The WSE quickstart keeps its sample certificate in CurrentUser\AddressBook.
    X509Store store = new X509Store(StoreName.AddressBook, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    try
    {
        // FindBySubjectName is a substring match; the first hit is used, as in the original.
        X509Certificate2Collection certs =
            store.Certificates.Find(X509FindType.FindBySubjectName, subject, false);
        if (certs.Count == 0)
            throw new InvalidOperationException("No certificate with subject " + subject);
        X509Certificate2 wsecert = certs[0];

        // Only CSP (CAPI) keys expose CspKeyContainerInfo; CNG keys are stored elsewhere.
        RSACryptoServiceProvider rsa = wsecert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("Certificate has no CSP-backed RSA private key");

        // The unique container name is also the name of the key file on disk.
        string containerName = rsa.CspKeyContainerInfo.UniqueKeyContainerName;
        string keyfilepath = FindKeyLocation(containerName);
        if (keyfilepath == null)
            throw new FileNotFoundException("Private key exists but its file was not found", containerName);

        FileInfo file = new FileInfo(Path.Combine(keyfilepath, containerName));
        FileSecurity fs = file.GetAccessControl();

        // Replace with the real account, e.g. @"NT AUTHORITY\NETWORK SERVICE" or
        // Environment.MachineName + @"\ASPNET". FullControl mirrors the original post;
        // Read is sufficient for an account that only needs to use the key.
        NTAccount account = new NTAccount(@"machinename\username");
        fs.AddAccessRule(new FileSystemAccessRule(account,
            FileSystemRights.FullControl, AccessControlType.Allow));

        file.SetAccessControl(fs);
    }
    finally
    {
        store.Close();
    }
}

// Returns the directory holding the key container file, or null if it is not found.
// Machine keys: %ProgramData%\Microsoft\Crypto\RSA\MachineKeys
// User keys:    %APPDATA%\Microsoft\Crypto\RSA\<user SID>\
private string FindKeyLocation(string keyFileName)
{
    string commonAppData =
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
    string machineKeys = Path.Combine(commonAppData, @"Microsoft\Crypto\RSA\MachineKeys");
    if (Directory.Exists(machineKeys) && Directory.GetFiles(machineKeys, keyFileName).Length > 0)
    {
        return machineKeys;
    }

    string appData = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
    string userKeys = Path.Combine(appData, @"Microsoft\Crypto\RSA");
    if (Directory.Exists(userKeys))
    {
        // One subdirectory per user SID under the roaming profile.
        foreach (string sidDir in Directory.GetDirectories(userKeys))
        {
            if (Directory.GetFiles(sidDir, keyFileName).Length != 0)
            {
                return sidDir;
            }
        }
    }
    return null;
}
==================================

Hope this helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
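The same idea as Steven's second approach, written the way I would do it today, as an added example that is neither code from the thread nor from the WSE tool. It assumes .NET Framework 4.6 or later with C# 7 on Windows, a process running elevated (the MachineKeys files are owned by SYSTEM/Administrators), and the Microsoft software providers' file locations: CSP keys under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys and CNG keys under %ProgramData%\Microsoft\Crypto\Keys. It looks the certificate up by thumbprint rather than subject name, grants only Read rather than FullControl, and reads the DACL back to confirm the grant. The thumbprint and account name are placeholders to be passed on the command line.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added example, not code from the thread. Assumes .NET Framework 4.6+/C# 7 on
// Windows, run elevated. Key file locations are those of the Microsoft providers.
static class PrivateKeyAcl
{
    // Resolve the on-disk file backing the private key of a LocalMachine\My certificate.
    public static string FindMachineKeyFile(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // Thumbprint lookup is exact; FindBySubjectName is a substring match and can
            // return the wrong certificate when several share a name.
            var certs = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (certs.Count != 1)
                throw new InvalidOperationException("Expected one certificate, found " + certs.Count);
            var cert = certs[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key in this store");

            string programData = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
            string dir, fileName;
            using (RSA rsa = cert.GetRSAPrivateKey())
            {
                if (rsa is RSACryptoServiceProvider csp)
                {
                    // Legacy CSP key: the unique container name is the file name in MachineKeys.
                    if (!csp.CspKeyContainerInfo.MachineKeyStore)
                        throw new InvalidOperationException("Key is in a user profile store, not MachineKeys");
                    dir = Path.Combine(programData, @"Microsoft\Crypto\RSA\MachineKeys");
                    fileName = csp.CspKeyContainerInfo.UniqueKeyContainerName;
                }
                else if (rsa is RSACng cng)
                {
                    // CNG key from the Microsoft Software Key Storage Provider (assumed location).
                    dir = Path.Combine(programData, @"Microsoft\Crypto\Keys");
                    fileName = cng.Key.UniqueName;
                }
                else
                    throw new NotSupportedException("Unsupported private key type: " + rsa.GetType().Name);
            }
            string path = Path.Combine(dir, fileName);
            if (!File.Exists(path))
                throw new FileNotFoundException("Key file not found (third-party provider, TPM or HSM key?)", path);
            return path;
        }
    }

    // Grant only Read: that is all an account needs to sign or decrypt with the key.
    // AddAccessRule merges with an identical existing ACE, so repeated runs are safe.
    public static void GrantRead(string keyFile, string accountName)
    {
        // Translating to a SID first fails fast on a mistyped account name.
        var sid = (SecurityIdentifier)new NTAccount(accountName).Translate(typeof(SecurityIdentifier));
        var file = new FileInfo(keyFile);
        FileSecurity acl = file.GetAccessControl(AccessControlSections.Access);
        acl.AddAccessRule(new FileSystemAccessRule(sid, FileSystemRights.Read, AccessControlType.Allow));
        file.SetAccessControl(acl);
    }

    // Read the DACL back: an Allow covering Read for the account, and no Deny touching it.
    public static bool HasReadAccess(string keyFile, string accountName)
    {
        var sid = (SecurityIdentifier)new NTAccount(accountName).Translate(typeof(SecurityIdentifier));
        var rules = new FileInfo(keyFile)
            .GetAccessControl(AccessControlSections.Access)
            .GetAccessRules(true, true, typeof(SecurityIdentifier))
            .OfType<FileSystemAccessRule>()
            .Where(r => r.IdentityReference.Equals(sid))
            .ToList();
        bool denied = rules.Any(r => r.AccessControlType == AccessControlType.Deny
                                  && (r.FileSystemRights & FileSystemRights.Read) != 0);
        bool allowed = rules.Any(r => r.AccessControlType == AccessControlType.Allow
                                   && (r.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read);
        return allowed && !denied;
    }

    static void Main(string[] args)
    {
        // Placeholders: pass a real SHA-1 thumbprint (no spaces) and account name.
        string thumbprint = args.Length > 0 ? args[0] : "<thumbprint>";
        string account = args.Length > 1 ? args[1] : @"NT AUTHORITY\NETWORK SERVICE";
        string keyFile = FindMachineKeyFile(thumbprint);
        GrantRead(keyFile, account);
        Console.WriteLine("{0} can read {1}: {2}", account, keyFile, HasReadAccess(keyFile, account));
    }
}
```

Two caveats worth keeping in mind: the DACL check only tells you the account can open the file, and a key held by a smart-card, TPM or HSM provider has no file to ACL at all, so the lookup fails on purpose rather than silently doing nothing. Because the per-user key directories sit under a profile that the target service account cannot see anyway, the example deliberately refuses keys that are not in the machine store instead of ACLing them.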

Phil Lee

Feb 14, 2007, 4:49:18 AM
Steven,

that's what I wanted to know. Thanks.

Regards,
Phil Lee
"Steven Cheng[MSFT]" <stc...@online.microsoft.com> wrote in message
news:d7HUD0A...@TK2MSFTNGHUB02.phx.gbl...

Steven Cheng[MSFT]

Feb 14, 2007, 5:02:07 AM
You're welcome.