Import certificate step - ApplicationPoolIdentity

kellyr

14 Feb, 2018 12:20 AM

When I try to use the Import Certificate feature where I need to add permissions to the application pool identity for my app:
IIS APPPOOL\NameOfAppPool

It realizes the certificate is already installed, which is good, but then it cannot add permissions for the ApplicationPoolIdentity.

It should be noted that this is not for IIS bindings.

I get the following error message:

Certificate already exists in store.
February 13th 2018 15:19:50 Error
There was an error importing the certificate into the store
February 13th 2018 15:19:50 Error
Could not set security on private-key
February 13th 2018 15:19:50 Error
System.Exception
February 13th 2018 15:19:50 Error
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
February 13th 2018 15:19:50 Error
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(String thumbprint, StoreLocation storeLocation, String storeName, ICollection`1 privateKeyAccessRules)
February 13th 2018 15:19:50 Error
   at Calamari.Commands.ImportCertificateCommand.ImportCertificate(CalamariVariableDictionary variables)
February 13th 2018 15:19:50 Error
   at Calamari.Commands.ImportCertificateCommand.Execute(String[] commandLineArguments)
February 13th 2018 15:19:50 Error
   at Calamari.Program.Execute(String[] args)
February 13th 2018 15:19:50 Error
--Inner Exception--
February 13th 2018 15:19:50 Error
Some or all identity references could not be translated.
February 13th 2018 15:19:50 Error
System.Security.Principal.IdentityNotMappedException
February 13th 2018 15:19:50 Error
   at System.Security.Principal.NTAccount.Translate(IdentityReferenceCollection sourceAccounts, Type targetType, Boolean forceSuccess)
February 13th 2018 15:19:50 Error
   at System.Security.Principal.NTAccount.Translate(Type targetType)
February 13th 2018 15:19:50 Error
   at System.Security.AccessControl.CommonObjectSecurity.ModifyAccess(AccessControlModification modification, AccessRule rule, Boolean& modified)
February 13th 2018 15:19:50 Error
   at System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(AccessRule rule)
February 13th 2018 15:19:50 Error
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.SetCspPrivateKeySecurity(SafeCertContextHandle certificate, ICollection`1 accessRules)
February 13th 2018 15:19:50 Error
   at Calamari.Integration.Certificates.WindowsX509CertificateStore.AddPrivateKeyAccessRules(ICollection`1 accessRules, SafeCertContextHandle certificate)
February 13th 2018 15:19:50 Error
The remote script failed with exit code 100
February 13th 2018 15:47:15 Info
Guidance received: Ignore

  1. Support Staff 1 Posted by Robert Wagner on 15 Feb, 2018 03:47 AM

    Hi,

    Thank you for getting in touch. The user account that the Server/Tentacle runs under must have write access to that certificate. It may not have this access if it was not the one that created the certificate.

    You need to change the permissions on the certificate's private key. You can do this through the Certificates snap-in, right-clicking on the certificate and selecting All tasks -> Manage private keys...

    Robert W

  2. 2 Posted by kellyr on 16 Feb, 2018 05:16 PM

    That worked great for me. Thanks
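
A scripted equivalent of the "Manage private keys..." step, as an added example that is not part of the original thread and is not Calamari's own code. It first repeats the name-to-SID translation that threw IdentityNotMappedException in the log, then grants the application pool identity Read (not Full control) on the private key file. Assumptions: the certificate has an RSA key and lives in LocalMachine\My, the thumbprint is a placeholder, and the script runs elevated.

```powershell
# Added example; run from an elevated PowerShell session on the target machine.
# <CERT-THUMBPRINT> is a placeholder; the store LocalMachine\My is an assumption.
$Thumbprint = '<CERT-THUMBPRINT>'
$Identity   = 'IIS APPPOOL\NameOfAppPool'

# 1. Translate the account name to a SID. This is the call that failed in the log;
#    checking it first separates "name does not resolve" from "no access to the key".
$account = New-Object System.Security.Principal.NTAccount($Identity)
try {
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch [System.Security.Principal.IdentityNotMappedException] {
    throw "'$Identity' does not resolve to a SID on $env:COMPUTERNAME."
}

# 2. Find the file that backs the private key (CSP or CNG machine key).
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
$rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'No RSA private key is associated with this certificate.' }

if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

$keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
           "$env:ProgramData\Microsoft\Crypto\Keys"
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } |
           Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found in the machine key folders." }

# 3. Add a Read-only allow rule for the app pool identity; existing rules are kept.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Show the resulting ACL so the grant can be reviewed.
(Get-Acl -Path $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```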
