Trouble with certificates on deploy

Aug 2, 2013 at 4:18 PM
Edited Aug 2, 2013 at 4:19 PM
We've made an intranet app using MVC 4 and IIS 7.5. Everything runs fine on our dev boxes, but when we deploy it to our staging server, it throws an error when we try to encrypt anything. The error seems to be that it can't find the certificate, and subsequently cannot encrypt. We have an RSA based certificate with the correct FriendlyName, but our application never finds it.

Since we're not really running IIS under an actual user account, under which certificate store would we put the cert so the application can find it? We're looking at modifying the source to specify the file directly (which seems to be fairly painless) but I'd rather not go that route unless we have to.
Aug 7, 2013 at 1:06 AM
Yes, check out the certificate store code near the top of SecretKeyStorage.cs. The code is expecting to find the certificate in the MY store of the current user. So the relevant question is under what account are you running the IIS worker process for your app on the staging server?

In a typical deployment for us, when an existing enterprise PKI is available, we take the dependency on a user certificate because it gives us a relatively painless way to implement key archival (i.e., just a checkbox on the certificate template). So in that case the app is configured to run as a domain user.

Absent that, keeping the certificate in the computer MY store, and modifying the above code accordingly, probably makes more sense.