
Install Certificate to LocalMachine certification store from ASP.NET

We are using Geneva Framework Beta 2 to implement SSO. We want to provide a portal that allows users to upload their certificates, and the ASP.NET portal will impersonate the request and install the certificate into the certificate store.

Is it possible to impersonate ASP.NET as a user that belongs to the "Power Users" group to install a certificate into the certificate store by using the code shown below? My testing failed with the following approach, but I may have missed something.

using System.Security.Cryptography.X509Certificates;

// Open the LocalMachine "Personal" (My) store. Writing to the machine store
// requires rights on the machine, so this runs under the impersonated account.
X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);

// Ask for write access explicitly; MaxAllowed may silently open read-only
// and then fail with "Access is denied" on Add.
store.Open(OpenFlags.ReadWrite);

// Load the uploaded certificate from disk and add it to the store.
X509Certificate2 certificate1 = new X509Certificate2("c:\\temp\\localhost.cer");
store.Add(certificate1);
store.Close();
Pang Tat Sean
You need administrative privileges to do that - e.g. run the app pool as SYSTEM (not recommended generally)

Why do you want to install the cert? Usually the thumbprint is enough to uniquely identify the certificate.


Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
Hi Dominick,

Just want to double-confirm one concept with you based on your reply.

When the client's STS (IdP) sends the Security Token to the Relying Party's STS, the digital signature certificate is actually included in the security token, and when the Relying Party's STS verifies the signature, it actually extracts the certificate from the security token? That is the reason why we don't really need to install the client's certificates into our certificate store and we can just compare the thumbprint (maybe together with IssuerName and so on)?

Initially, I had some confusion about whether the security token sent from the client's STS to the Relying Party's STS includes the certificate.
Pang Tat Sean

Yes, that's the case.


Dominick Baier | thinktecture | http://www.leastprivilege.com
Dominick Baier
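The thumbprint-based trust described above, as an added example that is not from the thread or from the Geneva Framework itself: a custom issuer name registry that trusts the signing certificate carried in the token by comparing its thumbprint against a configured list, so nothing has to be installed in the LocalMachine store. It assumes the WIF 1.0 shape of Microsoft.IdentityModel.Tokens.IssuerNameRegistry (GetIssuerName(SecurityToken) returning the issuer name, or null for untrusted); the thumbprint and issuer URL are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Hypothetical registry: trusts a token's signing certificate by thumbprint only.
// Register it in the <issuerNameRegistry> element of the microsoft.identityModel
// configuration section instead of the configuration-based default.
public class ThumbprintIssuerNameRegistry : IssuerNameRegistry
{
    // Thumbprint -> issuer name. Constructed placeholder values; in practice
    // these come from configuration, never from the uploaded certificate itself.
    private readonly Dictionary<string, string> _trusted =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "0000000000000000000000000000000000000000", "http://idp.example.com/trust" }
        };

    public override string GetIssuerName(SecurityToken securityToken)
    {
        // The token handler passes the X509 token taken from the signature.
        // No store lookup is needed: the certificate is already in hand.
        var x509Token = securityToken as X509SecurityToken;
        if (x509Token == null)
            return null; // Unknown token type: treated as untrusted.

        string thumbprint = NormalizeThumbprint(x509Token.Certificate.Thumbprint);
        string issuerName;
        if (_trusted.TryGetValue(thumbprint, out issuerName))
            return issuerName; // Claims from this token carry this issuer name.

        // A null issuer name makes the token handler reject the token.
        return null;
    }

    // Thumbprints copied from the certificate MMC often contain spaces and
    // mixed case; normalise before comparing.
    public static string NormalizeThumbprint(string thumbprint)
    {
        return thumbprint.Replace(" ", string.Empty).ToUpperInvariant();
    }
}
```

Because only the thumbprint is compared, a certificate uploaded by a user never gains trust by being installed; trust comes solely from the configured list, which is what keeps the "Power Users" or SYSTEM privileges out of the web process.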
