Private Key Access Problems
When attempting to use edtFTPnet/PRO in a Windows service or Web application, some
users have reported exceptions related to access to the private key. The cause is the
stringent security Windows places on access to private keys, which is a good thing in itself,
though it makes life tricky for developers.
More specifically, the account the service or application runs under has not been granted
permission to read the private key that was previously loaded into a Windows certificate
store. This is typically the case when the key was created in the store of the user the
developer is logged in as: only that user (and not the service account) can read it.
The solution is to create the private key and certificate in the Local Computer (localMachine)
store instead of the current user's store, and to make sure the service account can read the
key. This may be done as follows:
1. Use MakeCert (see Note A below) to create a private key and a self-signed
certificate, and place it directly into the localMachine certificate store.
2. Start the Certificates MMC snap-in for the Local Computer (see Note B below).
3. Export the certificate and private key as a single, password-protected PFX file
(see Note C below).
4. Use the Certificates MMC snap-in to export the same certificate (without the key) in
a format compatible with your FTP server.
5. Import the certificate into your FTP server's certificate store.
Note A
Use the following command (substituting the correct CN; the dates and the 2036 expiry are
only examples):
makecert -r -pe -n "CN=www.yourwebserver.com" -b 01/01/2000
-e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine
-sky exchange -sy 12
-sp "Microsoft RSA SChannel Cryptographic Provider"
The options mean: -r creates a self-signed certificate; -pe marks the private key as
exportable (required for step 3); -eku 1.3.6.1.5.5.7.3.1 adds the Server Authentication
extended key usage; -ss my -sr localMachine places the certificate in the Personal store of
the Local Computer; -sky exchange creates a key-exchange key; -sy and -sp select the RSA
SChannel CSP that SSL/TLS uses.
MakeCert is part of the Platform SDK (later the Windows SDK). Older versions of the MakeCert
utility don't support the -pe option, so make sure you have the latest version. Note that an
exportable machine key can be exported by any administrator of the machine, so protect the
resulting PFX file and its password accordingly.
Note B
To access the Certificates MMC snap-in on Windows XP:
1. At a command prompt, open MMC by typing "mmc" and pressing Enter.
2. Select "File | Add/Remove Snap-in..."
3. Press "Add..."
4. Select "Certificates".
5. Select "Computer account".
6. Select "Local computer".
7. Press "Close".
8. Press "OK".
9. Open "Console Root | Certificates (Local Computer) | Personal | Certificates".
10. You should see the certificate you just created. Right-click on it and select "All
Tasks | Export...".
Note C
To export the private key and certificate using the Certificates MMC snap-in:
1. Open "Console Root | Certificates (Local Computer) | Personal | Certificates".
2. You should see the certificate you just created. Right-click on it and select "All Tasks
| Export...".
3. Select "Yes, export the private key" and press Next.
4. Press Next again.
5. Type in a strong password twice and press Next (this password is the only protection on
the exported private key).
6. Select a file name and press Next.
7. Press "Finish".
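The same procedure (steps 1, 3 and 4 above, i.e. Notes A and C) can be scripted instead of using MakeCert and the MMC snap-in, which also makes it easy to do the one thing the GUI steps leave implicit: granting the service account read access to the key. The script below is an added example, not code from the original article or from edtFTPnet/PRO. It assumes Windows PowerShell 5.1 on Windows 10 / Server 2016 or later (the PKI module with the -KeySpec and -Provider parameters), an elevated session, and placeholder values for the CN, the output folder and the service account ('NT AUTHORITY\NETWORK SERVICE'); adjust all three. Because it uses the RSA SChannel CSP, as the makecert command does, the key container file lives under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys; keys created with a CNG provider live under %ProgramData%\Microsoft\Crypto\Keys instead.

```powershell
# Added example, not part of the original article or of edtFTPnet/PRO.
# Assumptions: Windows PowerShell 5.1, Windows 10 / Server 2016+, elevated session.
# The CN, output folder and service account below are placeholders.

$cn             = 'www.yourwebserver.com'
$outDir         = 'C:\certs'
$serviceAccount = 'NT AUTHORITY\NETWORK SERVICE'   # account the service / app pool runs as

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1 / Note A: self-signed certificate with an exportable RSA key-exchange key,
# Server Authentication EKU (1.3.6.1.5.5.7.3.1), created in the Local Computer
# Personal store (Cert:\LocalMachine\My) with the RSA SChannel CSP.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$cn" `
    -DnsName $cn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(10)

# Step 3 / Note C: certificate + private key as a password-protected PFX.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir "$cn.pfx") `
    -Password $pfxPassword | Out-Null

# Step 4: certificate only (DER-encoded .cer) for import into the FTP server.
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir "$cn.cer") -Type CERT | Out-Null

# The root cause of the exception: the service account must be able to read the
# key container file. For a CSP machine key that file is under RSA\MachineKeys.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $serviceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: the certificate is in the machine store, has a private key, and the
# service account now appears in the key file's ACL.
$check = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $cert.Thumbprint
"Thumbprint    : $($check.Thumbprint)"
"HasPrivateKey : $($check.HasPrivateKey)"
"Key file      : $keyFile"
(Get-Acl -Path $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it once in an elevated PowerShell on the machine that hosts the service; if the service runs as a custom account, set $serviceAccount to that account, since only Administrators and SYSTEM can read machine keys by default.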