Fighting with certificates: Access was not successfully obtained for the private key
I work in a company with many servers and PCs for developers. The servers are Windows 2003; the developer PCs are Windows XP.
On a Windows 2003 server named preiis01, in the preproduction environment, other people in the company installed a client certificate using some other user (unknown to me) to log in to server preiis01.
I use my user "domainCompany\myuser" to log in to server preiis01 (using Terminal Server / Remote Desktop from Windows XP).
On preiis01, I run mmc -> Add Snap-in -> Certificates for Local Machine. In the node Personal -> Certificates, I can see the client certificate:
Issued To ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1
Issued By FNMT Clase 2 CA
In the properties of the certificate, I see the thumbprint: "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13"
Now I execute these commands:
1.) FindPrivateKey My LocalMachine -n "CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -a
and I get this error:
FindPrivateKey failed for the following reason: No certificates with key 'CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1 ' found in the store.
2.) FindPrivateKey My LocalMachine -t "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13" -c
and I get this:
FindPrivateKey helps user to find the location of the Private Key file of a X.509 Certificate.
Usage: FindPrivateKey [{ {-n <subjectName>} | {-t <thumbprint>} } [-f | -d | -a]]
<subjectName> subject name of the certificate
<thumbprint> thumbprint of the certificate (use certmgr.exe to get it)
-f output file name only
-d output directory only
-a output absolute file name
e.g. FindPrivateKey My CurrentUser -n "CN=John Doe"
e.g. FindPrivateKey My LocalMachine -t "03 33 98 63 d0 47 e7 48 71 33 62 64 76 5c 4c 9d 42 1d 6b 52" -c
3.) winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1"
and I get this error:
Microsoft (R) WinHTTP Certificate Configuration Tool Copyright (C) Microsoft Corporation 2001. Matching certificate:
CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1
OU=700012436
OU=FNMT Clase 2 CA
O=FNMT
C=ES
Error:
Access was not successfully obtained for the private key. This can only be done by the user who installed the certificate.
Access was not successfully obtained for the private key.
Any suggestions?
Update: reply by Marcel Roma (social MSDN forums)
Most likely the certificate was installed by some other person in your company (e.g. administrator). Only that person has access to the private key of the certificate. Download the FindPrivateKey tool, ask the administrator to execute it to find out the directory where the private key file was saved, and let him set the needed rights so that the process can access the file.
There are also some reports about Windows XP failing to extract the private key from the file due to encoding issues:
http://blogs.msdn.com/b/alejacma/archive/2010/01/11/winhttpcertcfg-tool-cannot-access-private-key-of-a-certificate.aspx
Update:
The domain user "domainCompany\Pre_Certificado" installed the certificate in the Local Machine store.
domainCompany\Pre_Certificado is an Administrator, is in the IIS_WPG group, and has the local policy right "Log on as a service".
I configured the AppPool identity in IIS 6.0 as domainCompany\Pre_Certificado.
The ASP.NET application executes using the identity domainCompany\Pre_Certificado.
I recycle the AppPool and run the application, and I get System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption
If I test again while logged in to the IIS server with the domainCompany\Pre_Certificado user, I call a page in the ASP.NET application and all is OK.
(note: logged in to the IIS server using Terminal Server)
But if I log off the session on the IIS server (user: domainCompany\Pre_Certificado), I get the same error:
System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption
Any suggestions?
Log in as the user that installed the certificate (or a local administrator). Launch the FindPrivateKey tool. Go to the security pane and add your own user to the list. You can now log in as yourself and control the certificate's private key.
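The procedure described in Marcel Roma's reply and in the answer above (locate the key file that FindPrivateKey would report, then grant the account that needs it read access) can be done in one PowerShell script. This is an added example, not code from the original thread; it assumes the thumbprint quoted in the question and the app-pool identity domainCompany\Pre_Certificado as placeholders, a CAPI (CryptoAPI) RSA key as issued by FNMT at the time, and that it is run elevated by the user who installed the certificate or by a local administrator.

```powershell
# Added example (not from the original post): give an application-pool identity
# read access to the private key of a certificate in LocalMachine\My.
# Placeholders: thumbprint and account are the values quoted in the question.
param(
    [string]$Thumbprint = '93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13',
    [string]$Account    = 'domainCompany\Pre_Certificado'
)

# The store keeps thumbprints as upper-case hex without spaces; normalise the
# value copied from the certificate properties dialog.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# HasPrivateKey is false when only the public certificate was imported (a .cer
# file) or when the key was created in another user's profile rather than the
# machine key store. That is the "Cannot find the certificate and private key"
# case from the question, and no ACL change will fix it; re-import the .pfx.
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key in this store; re-import the .pfx (with its key) into LocalMachine\My."
}

# CAPI keys expose their unique container name; the key file on disk has that
# name under MachineKeys, which is exactly what FindPrivateKey -a prints.
$csp = $cert.PrivateKey
if (-not $csp -or -not $csp.CspKeyContainerInfo) {
    throw "Private key is not a CAPI key; use the Certificates MMC snap-in (Manage Private Keys) for CNG keys."
}
$container = $csp.CspKeyContainerInfo.UniqueKeyContainerName

# Vista+ uses %ProgramData%; XP / Server 2003 keep MachineKeys under
# "%ALLUSERSPROFILE%\Application Data". Try both.
$candidates = @()
if ($env:ProgramData)     { $candidates += Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys' }
if ($env:ALLUSERSPROFILE) { $candidates += Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys' }
$keyFile = $candidates |
    ForEach-Object { Join-Path $_ $container } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key container $container not found under any MachineKeys folder" }

Write-Host "Private key file: $keyFile"

# Grant Read only: the worker process needs to use the key, not modify,
# delete or re-ACL it. This is the same change as adding the user in the
# security pane, but scripted and least-privilege.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Print the resulting entry so the change can be verified and recorded.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The same grant can be made with the tool already used in the question, which is the era-appropriate choice on Windows 2003: winhttpcertcfg -g -c LOCAL_MACHINE\My -s "<subject string>" -a <account>. Whichever route is used, recycle the application pool afterwards so the worker process picks up the new key permissions, and note that the error only disappears when the app pool identity (not a logged-in interactive user) holds the ACL entry, which is why the page worked while Pre_Certificado had a Terminal Server session open and failed once that session was logged off.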