WCF Error : 'It is likely that certificate 'my cert' may not have a private key that


I have a WCF service I'm trying to host on our production web server (IIS6). I've set the web up and tied our cert to the web. When I try to browse to the service url, I receive the following error in the event log :


The exception message is: It is likely that certificate 'CN=<em>.mydomain, OU=Secure Link SSL Wildcard, OU=I.T., C=US' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.. ---> System.ArgumentException: It is likely that certificate 'CN=</em>.mydomain.com, OU=Secure Link SSL Wildcard, OU=I.T., O=mydomain, C=US' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: The handle is invalid.


I've confirmed ASP.Net 1.1, 2, and 4 are all set to 'Allow' in 'Web Service Extensions'. I've also confirmed the cert is set up in iis and it shows 'You have a private key that corresponds to this certificate'. Also, Execute Permissions are set to 'Script and Executables'.


I had this problem, and it turned out that the account the service was running under did not have permissions to access the certificate's private key.

Here are the steps I used to solve it:

<ul><li>Start the Cetificate manager. Do this by running MMC, activate [File]-[Add/Remove Snap-in...], then add "Certificates", selecting "Computer Account" and "Local Computer" in the ensuing wizard dialogs.</li> <li>In the certificate manager, right-click on the relevant certificate and activate [All Tasks]-[Manage Private Keys]</li> <li>This gives you a permissions window. Click <strong><em>Add</em></strong></li> <li>Add the account name or group that this service runs under.</li> </ul>


Seems like your certificate was created for signatures and not key exchange, what I suppose to be normal for SSL certificates.

If you look at the <a href="http://msdn.microsoft.com/en-US/library/bfsktky3.aspx" rel="nofollow">makecert documentation</a>, you can see that the -sky switch lets you specify whether the certificate should be used for signatures or key exchange. You can try to create a self-signed certificate with type exchange and test whether the exception still occurs. Don't forget to put the self-signed certificate into the machine's trusted root certification authority folder in order to avoid exceptions that the certificate is not valid.


Ensure also that the account name or group that needs to access the certificate ALSO has access to the folder hierarchy that the certificate resides in. If your certificate is hiding in, for example, 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys', and the account that needs to access it is 'NETWORK SERVICE', then 'NETWORK SERVICE' needs access to that full path. Just assigning rights to the file is not enough.


  • Unable to edit ActionBar title from Fragment in ViewPager
  • TypeError: Class extends value undefined is not a function or null
  • display all elements in a nested cell array (with character entries)
  • Associating notes with different entities in a database
  • How do you check a randomly generated value from an array against user input in python?
  • Can not open created raster in R
  • Cloud Foundry Bind services/cups datasource number of connections
  • Checking the string for null or empty space
  • Passing data between Fragments in View Pager
  • MvvmCross - View not loaded
  • problem parsing with XMLReader (using ReadSubTree)
  • How to fix Invalid JWT with JHipster Registry [Docker]?
  • imacros: javascript i get www._undefined_.com error
  • Why do we have to add 'View' as parameter in onClick method and what it does?
  • Set a page title from a PartialView [duplicate]
  • A Back/Home Button [Java]
  • “RepeatForUnit” item missing in Calendar entry?
  • Google Maps V3 (PHP/MYSQL with custome infobox)
  • SQLITE multiple table join with a condition
  • Find string between two substrings AND between string and the end of file
  • MySQL - Filter records which date is biggest
  • Google Geocoding API limit exceeded on cell network, but not on wifi
  • configure openjpa on to spring boot
  • Using django-multiupload within a ModelForm
  • Get the UTM tags with Facebook Marketing API
  • Combine two jagged lists into one
  • How to reduce a DAG by replacing each longest non-branching path by an edge connecting the start and
  • Selenium Webdriver IE could not find element
  • Corda: How to implement hierarchical relationships between state data persisted to H2
  • Disabling swipe gesture in Windows Phone 8.1 pivot control
  • How to display content depending on dropdown menue user selection
  • Adding horizontal slider to QTableWidget
  • Why do you need 2 Javascript files for cross-platform Cordova plugin?
  • Arraylist of strings into one comma separated string
  • Ember.js + JQuery-UI Tooltip - Tooltip does not reflect the model / controller changes
  • Ruby regex for matching simpliest Ruby's regexes
  • using maven pom while creating jar:test-jar some times it says JAR will be empty - no content was ma
  • 'url' requires a non-empty first argument. The syntax changed in Django 1.5, see the docs
  • How to integrate angular2-material (alpha 8.2) with angular2-Quickstart app
  • Running R's aov() mixed effects model from Python using rpy2