in .NET FTP by (51.1k points)
This message is actually a response to a message in this topic, but I am responding in a new topic so that it is easier for others to find it.

The question is about using edtFTPnet/PRO from a Windows Service or Web Application.

When attempting this people have been reporting exceptions related to access to the private key. This problem is caused by the very stringent security requirements Windows places on access to private keys and, as such, is actually a positive thing, though it makes it tricky for developers.

More particularly, it is caused by Windows not granting the account that the system is running under permission to read the private key that has previously been loaded into a Windows Certificate store.

The solution involves creating the private key and certificate for the localMachine user instead of the user that the developer is logged in as. This may be done as follows:
  1. Use MakeCert (see Note A below) to create a private key and a self-signed certificate, and place it directly into the localMachine certificate store.
  2. Start up the Certificates MMC Snap-In for the localMachine user (see Note B below).
  3. Export the certificate and private key as a single PFX file (see Note C below).
  4. In the application code, use the new ProFTPCertificate.CreateFromPFX(string,string) method (see Note D below) to read in the PFX file.
  5. Use the Certificates MMC Snap-In to export the same certificate (without the key) in a format compatible with your FTP server.
  6. Import the certificate into your FTP server's certificate store.

Note A
Use the following command (obviously substituting the correct CN)
   makecert -r -pe -n "CN=www.yourwebserver.com" -b 01/01/2000 
          -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine 
          -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" 
               -sy 12

MakeCert is part of the Platform SDK. Older versions of the MakeCert utility don't support the -pe option, so make sure that you have the latest version.

Note B
To access the certificate MMC snap-in on Windows XP:
  1. At a command prompt open MMC by typing "mmc <enter>".
  2. Select "File | Add Remove Snap-in..."
  3. Press "Add..."
  4. Select "Certificates".
  5. Select "Computer account".
  6. Select "Local computer".
  7. Press "Close"
  8. Press "OK"
  9. Open "Console Root | Certificates (Local Computer) | Personal | Certificates".
  10. You should see the certificate you just created. Right-click on it and select "All tasks | Export...".

Note C
To export the private key and certificate using the certificate MMC snap-in:
  1. Open "Console Root | Certificates (Local Computer) | Personal | Certificates".
  2. You should see the certificate you just created. Right-click on it and select "All tasks | Export...".
  3. Select "Yes, export the private key" and press Next.
  4. Press Next again.
  5. Type in a password twice and press Next.
  6. Select a file-name and press Next.
  7. Press "Finish".

Note D
The CreateFromPFX(string,string) method is new in version 1.0.5 of edtFTPnet/PRO. At the time of writing, this version is still in beta and can only be obtained by e-mailing support at enterprisedt dot com.

- Hans (EDT Support)
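The procedure above, scripted end to end, as an added example that is not part of the original post or of the edtFTPnet/PRO product. It uses the PKI cmdlets that ship with Windows 8 / Server 2012 and later in place of MakeCert and the MMC wizard, and it assumes Windows PowerShell 5.1 run from an elevated prompt. The subject name, output paths, PFX password and service account are placeholders to substitute. The application side is unchanged: the resulting PFX is what ProFTPCertificate.CreateFromPFX(string,string) reads in step 4. The final block goes one step beyond the post and shows the underlying cause directly: it locates the key container file in the machine key store, lists who may read it, and grants the service account Read if it is missing.

```powershell
# Added example (not from the original post). Placeholders marked "assumption".
$subject        = 'CN=www.yourwebserver.com'             # assumption: your host name
$pfxPath        = 'C:\certs\ftpclient.pfx'               # assumption: output location
$cerPath        = 'C:\certs\ftpclient.cer'               # assumption: output location
$pfxPassword    = ConvertTo-SecureString 'ChangeMe!' -AsPlainText -Force   # assumption: use a real secret
$serviceAccount = 'NT AUTHORITY\NETWORK SERVICE'         # assumption: account the service / app pool runs as

New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null

# Step 1: self-signed certificate plus private key, created directly in
# LocalMachine\My. This mirrors the makecert line in Note A: same CAPI provider,
# exchange key, Server Authentication EKU (1.3.6.1.5.5.7.3.1), exportable key.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(10)

# Steps 2-3: certificate and private key as one password-protected PFX,
# the same artifact the MMC "Yes, export the private key" wizard produces.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 5: the certificate alone (DER .cer) to import on the FTP server.
# Run `certutil -encode` on it if the server wants Base64/PEM instead.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Check: open the PFX the way a service process should, with MachineKeySet,
# so the key is not unpacked into a user profile the service may not have.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)
if (-not $check.HasPrivateKey) { throw "PFX at $pfxPath carries no private key" }

# Diagnosis of the cause described in the post: the private key behind the
# store entry is a file under MachineKeys with its own ACL. Show who can read
# it and grant the service account Read if it is not listed.
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
$acl = Get-Acl -Path $keyFile
$acl.Access | Format-Table IdentityReference, FileSystemRights -AutoSize
if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $serviceAccount })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}
```

Two caveats. The ACL section relies on the certificate being backed by a CAPI key container (which the SChannel provider above gives you); a key created with the default CNG provider lives under a different path and the `CspKeyContainerInfo` property is not available for it. And the PFX route and the ACL route are alternatives: once the service reads the key from the PFX it no longer needs rights on the store copy, so grant the ACL only if you intend to keep using the certificate store directly.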

