Using Message Security with WCF in IIS 7.5
I spent days searching for the solution to "Exception Details: System.Security.Cryptography.CryptographicException: Keyset does not exist".
Finally I stumbled on the solution that works for me.
The issue is that the private key must be installed and the correct permissions granted to the private key.
I followed the examples all over the internet and granted permissions to everything and still got the error message.
None of the other examples suggested installing the private certificate and granting it the permissions.
My example uses Visual Studio 2010 and IIS 7.5. Here is the formula I used on my home computer running Windows 7 and IIS 7.5, and on my leased Server 2008 with my SSL certificate from GoDaddy.
Step 1: In Visual Studio, create a WCF application project.
Step 2:
- Obtain a private key from the SSL Certificate you want to use.
- Go to Run, type mmc, and when the console opens select File => Add/Remove Snap-in
- Select Certificates from the available snap-ins
- Click the Add > button
- Select the Computer Account radio button
In the certificates console:
Export a private key:
- In the left panel select the name of the Certificate you are using
- In the far right panel on More Actions click the arrow
- Expand All tasks
- Select Export...
- Write down (or remember) the path you export the .pfx file to.
- Add a password if you want to.
Next, import the private key into the Trusted People folder:
- In the left panel select Trusted People
- In the far right panel on More Actions click the arrow
- Expand All tasks
- Select Import...
Follow the wizard to import the private key by browsing to the .pfx file you exported.
Step 3:
Grant permissions to the private key once it is imported.
- Locate the key in Personal Certificates
- In the right pane click the down arrow with the certificate name then click the right arrow to expand the More Actions menu
- Expand the All Tasks menu
- Select Manage Private Keys...
- Grant Permissions to IUSR, IIS_IUSRS and Network Service
Congratulations! You now have a key set to secure your WCF Service.
Step 4:
Finally, set the web.config settings.
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpEndpointBinding">
        <security>
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="ServiceBehavior" name="ValidateWCFSecure.Service">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="wsHttpEndpointBinding"
                name="wsHttpEndpoint" contract="ValidateWCFSecure.IService">
        <!--<identity>
          <dns value="" />
        </identity>-->
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpGetEnabled="true"/>
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false"/>
        <serviceCredentials>
          <serviceCertificate findValue="www.tjhaspdnn.info" storeName="TrustedPeople" storeLocation="LocalMachine" x509FindType="FindBySubjectName"/>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Deploy your application to an IIS Application and now you should be able to browse to the Service.svc page.
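Before browsing to the service, it is worth confirming the three things the steps above depend on: the certificate is in the store web.config points at, it actually carries a private key (the "Keyset does not exist" case), and the key file's ACL includes the IIS identity. The following PowerShell check is an added example, not part of the original post; it assumes Windows PowerShell 5.1 run as an administrator on the IIS host, a CSP-based RSA key as produced by the mmc export/import above, and takes the subject name and store from the web.config as its defaults.

```powershell
# Added diagnostic (not from the original post). Assumes Windows PowerShell 5.1,
# run as administrator on the IIS host, and a CSP (not CNG) RSA private key.
param(
    [string]$SubjectName = 'www.tjhaspdnn.info',   # findValue in web.config
    [string]$StoreName   = 'TrustedPeople'          # storeName in web.config
)

# Mirror what x509FindType="FindBySubjectName" does: match on the CN.
$cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" } |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No certificate with CN=$SubjectName in LocalMachine\$StoreName; serviceCertificate lookup will fail."
    return
}
Write-Host "Found: $($cert.Subject)  thumbprint=$($cert.Thumbprint)"

if (-not $cert.HasPrivateKey) {
    # This is the 'Keyset does not exist' situation: the certificate was
    # imported without its private key, so WCF cannot decrypt or sign.
    Write-Warning 'Certificate has no private key; re-export it as a .pfx including the key and import again.'
    return
}

# Locate the key container file whose ACL 'Manage Private Keys' edits.
try {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch {
    Write-Warning "Could not read the CSP key container (a CNG key?): $($_.Exception.Message)"
    return
}
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"

if (-not (Test-Path $keyFile)) {
    Write-Warning "Key container $container not found under MachineKeys; the key may be stored per-user."
    return
}

Write-Host "Key file: $keyFile"
Write-Host 'Accounts with access (the application pool identity must be listed with Read):'
(Get-Acl $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

If the application pool identity is missing from the final table, the service will still throw "Keyset does not exist" even though the certificate and key are present.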
You can now follow the example from MSDN at http://msdn.microsoft.com/en-us/library/ff648360.aspx that explains how to set up the client and other settings you need.