Guest Niels Thrane Posted June 2, 2008

Hi,

I have a payment system where my web server receives credit card numbers securely (via HTTPS) from customers. In order to settle the amount that the customer owes I have to make an SSL connection to a payment gateway. That second SSL connection needs to be two-way authenticated (the remote server needs to know my identity). I'm using the following C# code to do that:

    // Open the machine-wide personal store (StoreName.My is the default) read-only
    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

    // Select only valid certificates whose subject matches our client cert
    X509Certificate2Collection validCerts = store.Certificates.Find(
        X509FindType.FindBySubjectName, "mycertname", true);
    store.Close();

    // ssl is my SslStream object; present the client certificate to the gateway
    ssl.AuthenticateAsClient("server-cert-name", validCerts,
        System.Security.Authentication.SslProtocols.Ssl3, true);

This seems to work just fine when I test it under my (admin) account. However, it doesn't work when I run the code under IIS. The error I'm getting is "The credentials supplied to the package were not recognized".

I guess the reason is that one needs admin rights to access the local machine store where my SSL certificate is stored. I don't want to run IIS under an admin account, so the best solution would probably be to allow the "Network Service" account access to the certificate. I have found two ways of doing that: I can use the winhttpcertcfg tool OR I can find the certificate file in the file system and grant read access to "Network Service". I can't install winhttpcertcfg on the system for regulatory reasons, and messing with the (undocumented?) file structure seems like a major hack.

In short, what is the best way of allowing my code to authenticate itself as coming from my machine while running under the "Network Service" account?

Best regards,
Niels
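The "Manage Private Keys" operation that winhttpcertcfg performs is just an ACL change on the private key's container file, which can be done with built-in tooling; the following is an added example (not the poster's code) that grants NETWORK SERVICE read access to one certificate's key. It assumes Windows Server 2008 or later (machine key files under $env:ProgramData\Microsoft\Crypto\RSA\MachineKeys), an RSA key held by a CSP (so CspKeyContainerInfo is populated), an elevated session, and a placeholder thumbprint you replace with your own.

```powershell
# Added example, not from the original post. Grants a service account
# read access to the private key of a LocalMachine\My certificate.
# Assumptions: Windows Server 2008+ key path, CSP-backed RSA key,
# elevated PowerShell; the thumbprint is a placeholder.
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE'
)

# Match on thumbprint: FindBySubjectName does substring matching and can
# silently select a different certificate than the one you intended.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# The CSP key container maps to a file under MachineKeys; that file's ACL
# decides which accounts may use the key (this is what winhttpcertcfg edits).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$keyPath = Join-Path $keyDir $keyName
if (-not (Test-Path $keyPath)) { throw "Private key file not found: $keyPath" }

# Grant Read only, not FullControl: signing the TLS handshake needs no more,
# and a compromised worker process then cannot delete or re-ACL the key.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Print the resulting entry so the change can be reviewed and recorded.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The "credentials supplied to the package were not recognized" error goes away once the worker process account can read this file; the SslProtocols.Ssl3 setting in the question is itself long deprecated, and current gateways require TLS 1.2 or later.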