Client Certificate error – Keyset does not exist

Written by stevey on September 8th, 2011

A web client with Certificate called a WCF service hosted in a local machine (in development phase), secured with server-side certificate (SSL or Https:) and returned this overly simple but convoluted error, “Keyset does not exist“. What’s going on?

Well, after some readings returned from Google search, especially grateful to this two posts and, this turned out to be that the “Network Service” account, which was used by the WCF service to access the resource at hosting server (even though it is just my local machine, a Windows 2003 server) did not have any permission to the private key stored in the server. That’s why the name “Keyset” – since the web client certificate only sent in a Public key and it has to matched the private key stored in the web server. So, my goal was to find the private key for this client certificate and give read permission to the “Network Service” account.

Finding the FindPrivateKey.exe was a challenge on it self, as it turned out. There might be other way to get it, but I ended up having to download a 17 MB WCF_WF sample codes package, opened the solution FindPrivateKey.sln in somewhere deep in the package and compiled it, then ran the executable using “thumbprint” switch, as shown below:

DirectoryWhereFileIsLocated>FindPrivateKey My LocalMachine -t “af 50 4e f4 3b 57 ea f0 26 a8 b0 35 bf a7 0a a7 87 ef 10 5b” -a

And it returned:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Ma

So I went into that private key file and grant read permission to “Network Service” account; after that, I went back to the web client application, and assign the client certificate using X509FindType.FindByThumbprint option (use the thumbprint value above af 50 4e f4 3b 57 ea f0 26 a8 b0 35 bf a7 0a a7 87 ef 10 5b without spaces). Now the error disappeared and the WCF service proxy class returned to working condition.


Leave a Comment