We are hosting some websites on azure and some on a vm in azure. We want to reuse as much code as possible. In azure application services (websites) the installed certificates can be found in the CurrentUser/Personal store using this snippet:
    using System.Security.Cryptography.X509Certificates;

    // Look up a certificate by thumbprint in the current user's Personal store
    // (the store Azure App Service installs uploaded certificates into).
    using (var certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser))
    {
        certStore.Open(OpenFlags.ReadOnly);
        var certCollection =
            certStore.Certificates.Find(
                X509FindType.FindByThumbprint,
                thumbprint,
                false); // validOnly: false, so expired or untrusted certificates are still returned
        // certCollection.Count == 0 means the certificate is not installed in this store
    }
I want to use the exact same snippet on IIS as well. The application pool identity is set to ApplicationPoolIdentity. I already tried to install the certificate in various places but I am not able to retrieve the desired certificate ... I have also tried to install the certificate in the LocalComputer/Personal store and grant permissions to the private key.
Which identity shall I use in the MMC snap-in? I cannot find the ApplicationPoolIdentity user account there. There is only an Application Identity account which does not solve my issue ...
For the time being I am creating a new user, adding the certificate to the user's My store and using that user as app pool identity. Still, other solutions are very welcome!
If you wanted to use the Local Computer store instead of the personal store of a named user you would need to use StoreLocation.LocalMachine in your call to the X509Store constructor; the enum consists of two values, and in your code above you're using the other, CurrentUser. If you are using the certificate's private key the IIS AppUser\ApplicationPoolIdentity user would need access to the relevant certificates in the Local Computer store. This can be granted by adding the DefaultAppPool user to the allowed users in the relevant certificate's private key permissions dialog, which is accessible from the certificate's context menu under All Tasks and then Manage Private Keys.
I am not currently sure if it is possible to install certificates for the ApplicationPoolIdentity user; I'm currently trying to find the answer to this myself. According to Microsoft's IIS documentation the ApplicationPoolIdentity account is a virtual account created for the life of the pool, so I am starting to conclude it may not be possible to use the CurrentUser store for this type of user. If I find out definitively I will come back and update my answer.