Cannot access the private key of the certificate in any way on Windows 2008 Server R2 Standard
Hi, I have migrated the company's server to a Windows 2008 Server R2 Standard and got problems with a certificate. I installed the PFX file in the local machine store using MMC, marked the key as exportable and gave permissions to the right users, but no application can use the certificate to sign. The error in my C# applications is "keyset does not exist", and not even "FindPrivateKey.exe" can access the key to look up its location. So let's list the things that were already done:

- Tested on other machines with other operating systems (Windows 7, XP, 2003 and Vista, 32 and 64 bits); it seems related to the 2008 R2 system.
- Installed the certificate in the local machine store via MMC, and I even wrote a C# app to import it as a test. It imports OK, the key is there (when you look at the properties via MMC), and everything seems OK with the certificate (expiration date, certification path, etc.).
- Gave permissions to the users (actually I gave them to Everyone to exclude this possibility), via MMC and via the filesystem. One thing I noticed is that the key is stored in two locations on Windows Server 2008 R2, "C:\ProgramData\Microsoft\Crypto\Keys" and "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys". The MMC gives permissions to the file located in "C:\ProgramData\Microsoft\Crypto\Keys"; I gave permission to the other one manually with no success. I even deleted the key in "C:\ProgramData\Microsoft\Crypto\Keys" because I read somewhere that if the system doesn't find it, it uses the other one. No success either.
- I tried to use "FindPrivateKey.exe" to find the key, but it cannot access the private key. I wrote an app to get it, with the same error: "keyset does not exist".
- Tried to download and install a hotfix, but even though it says the hotfix is for 2008 R2, it does not recognise the system and says I cannot install it. The knowledge base number of the hotfix is 977222. I don't think it will solve it, but I am out of options.

One thing I noticed is that the key of the certificate is not exportable: if I install it marking the key as exportable and click to export, I don't have the option to export the key. If I were to guess where the problem is, I would say it is some system policy that doesn't allow the key to be exportable; I looked in the "Local Security Policy" and found nothing related. The machine is not on a domain. One more thing that can help, the certutil info on the certificate:

================ Certificate 0 ================
Serial Number: 28cd43e5c90f06b8d357eb22dc88a67f
Issuer: CN=AC Instituto Fenacon RFB G2, OU=Secretaria da Receita Federal do Brasil - RFB, O=ICP-Brasil, C=BR
NotBefore: 16/01/2012 21:00
NotAfter: 15/01/2013 20:59
Subject: CN=DFE TECNOLOGIA LTDA:05387893000193, OU=Autenticado por AR Sescon Grande Florianopolis, OU=RFB e-CNPJ A1, OU=Secretaria da Receita Federal do Brasil - RFB, L=SAO JOSE, S=SC, O=ICP-Brasil, C=BR
Non-root Certificate
Template:
Cert Hash(sha1): 84 7b 71 fc 0a ee fb 8b 31 2f 3e ba 3d 6b e4 7d c3 d0 51 38
  Key Container = {261F14CF-A27E-4832-A46A-3F23011553E9}
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

As you can see, it says the key is not exportable, but I checked the box to make it exportable when I was importing.
May 9th, 2012 11:10am

Playing with certutil, I found more detailed info and this part seems very odd:

Export Policy = 1
  NCRYPT_ALLOW_EXPORT_FLAG -- 1
Key Usage = 2
  NCRYPT_ALLOW_SIGNING_FLAG -- 2
D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)
  Allow Write NT AUTHORITY\SYSTEM
  Allow Write BUILTIN\Administrators
Private key is NOT exportable
Signature test passed
CertUtil: -store command completed successfully.

I looked at the documentation and NCRYPT_ALLOW_EXPORT_FLAG = 1 means the key is marked as exportable, yet it ends with the information "Private key is NOT exportable". This seems to be the problem... Is this a bug in Windows 2008 R2?
May 9th, 2012 4:44pm

It seems I will not get an answer. Well, I found a workaround for this bug, if anyone is having the same problem. You have to install the certificate in the local user store too. It seems that on the 2008 R2 Standard server, when you try to get the private key of a certificate installed in the local machine store, it maps to the path of the key of the certificate installed in the local user store, and if you don't have it you get the "keyset does not exist" error. After installing it in the local user store I could use the one in the local machine store without problems: I could export via MMC, use it in applications, etc. The only problem is that you have to do it for every user that will access the certificate (in my case the app pool one and the service one), which in the end is the only reason for you to install it in the local machine store in the first place... You can install and use the certificate in the local user store too, but I will not do it this way as it is a specific bug of this operating system; on Windows 7 and other systems it works flawlessly.

PS: To install and use the certificate as the IIS APPPOOL\User I did an ASP.NET page to import the certificate into its local store, and you need to change the options in the app pool to load the user profile. I don't know if there is another way of doing it.
May 16th, 2012 4:07pm
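A C# diagnostic and workaround helper, added here and not code from the thread: it checks whether the private key behind a certificate in a given store can actually be opened (HasPrivateKey alone does not surface "Keyset does not exist"; reading PrivateKey does), and imports the PFX into the calling user's personal store with UserKeySet, which is the workaround the last post describes. The thumbprint is the Cert Hash from the certutil output above; the PFX path and password are placeholders, and the code assumes .NET Framework with a CSP-backed key as shown in the certutil output.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Added helper, not from the thread. Targets .NET Framework on the affected server.
static class KeysetCheck
{
    // Cert Hash(sha1) from the certutil output in the thread, spaces removed.
    const string Thumbprint = "847B71FC0AEEFB8B312F3EBA3D6BE47DC3D05138";
    // True only when the key container can really be opened. HasPrivateKey just says a
    // container is associated; reading PrivateKey is what throws "Keyset does not exist".
    public static bool CanUsePrivateKey(StoreLocation location, string thumbprint, out string detail)
    {
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) { detail = "certificate not found in " + location; return false; }
            if (!found[0].HasPrivateKey) { detail = "no key container associated"; return false; }
            var csp = (RSACryptoServiceProvider)found[0].PrivateKey;   // throws if the CSP cannot open the keyset
            var info = csp.CspKeyContainerInfo;
            detail = "container " + info.KeyContainerName + ", machine key set: " + info.MachineKeyStore;
            return true;
        }
        catch (CryptographicException ex)
        {
            detail = ex.Message;   // the symptom reported in the thread
            return false;
        }
        finally { store.Close(); }
    }
    // The thread's workaround: import the PFX into the calling user's own store so the key lives in that
    // profile. Run it as the account that needs the key (an app pool identity needs "Load User Profile" on).
    public static void ImportIntoCurrentUser(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        store.Close();
    }
    static void Main()
    {
        string detail;   // placeholder: ImportIntoCurrentUser(@"C:\path\to\cert.pfx", "pfx-password");
        Console.WriteLine("LocalMachine: " + CanUsePrivateKey(StoreLocation.LocalMachine, Thumbprint, out detail) + " - " + detail);
        Console.WriteLine("CurrentUser:  " + CanUsePrivateKey(StoreLocation.CurrentUser, Thumbprint, out detail) + " - " + detail);
    }
}
```

Running the check before and after the import, as each affected account, shows whether the machine-store certificate becomes usable once the key exists in that user's profile, which is the behaviour the thread reports.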
