SSL Webservice: Could not create SSL/TLS secure channel

My C# .net application is using a HTTPS webservice. As the cerificate now is about to expire, I'm trying to update it with a new one that I have been given (a .jks file that I've converted to .p12 using javasdks' keytool). I thought this would be easy, as I know how to do it, but it just won't cooperate.

What I've done so far:

• Imported certificate to CURRENT_USER\Personal
• Imported certificate to LOCAL_MACHINE\Personal
• Given the correct user (apppoolidentity) access to private key of certificate via the winhttpcertcfg tool.. Below is a list of rights for the certificate.

• using findprivatekey tool, I've also located the actual key file, and given the apppoolidentity access to it. (In desperation).

  C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg -l -c LOCAL_MACHINE\My -s "9000 - Blabla" Microsoft (R) WinHTTP Certificate Configuration Tool Copyright (C) Microsoft Corporation 2001.

  Matching certificate: CN=9000 - Blabla C=NO L="c/o Blabla AS, Blablaaddress" OU=957839827 OID.1.2.240.111111.1.9.8=12345678 OID.1.2.240.111111.1.9.2=Blabla Test O=BlaBla AS OU=MULTI-ALLOWED

  Additional accounts and groups with access to the private key include: BUILTIN\Administrators NT AUTHORITY\SYSTEM IIS APPPOOL\ASP.NET v4.0 BUILTIN\Users NT AUTHORITY\NETWORK SERVICE DIGITROLLDMZ\IIS_WPG

The url I'm accessing looks something like this:

https://test.blabla.com/blabla-5.0/services/Blabla?wsdl

... If I access it from the servers web-browser, I get to select certificate, I select the new one, and it says it's okay, green and SSL in order and all, but my application code, that looks like this:

public static blabla.service.NettforhandlerService getNettforhandlerService(string applicationPath) 
    {
    blabla.service.NettforhandlerService service = new blabla.service.NettforhandlerService();
    if (System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"] != null && System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"].Length > 0)
    {
        string serviceurl = service.Url;
        X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySerialNumber, System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"], true);

        ServicePointManager.Expect100Continue = true;
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
        ServicePointManager.CertificatePolicy = new TrustHBSCertificatePolicy();

        service.ClientCertificates.Add(col[0]);

    }
    return service;
    }

Only outputs this error:

The request was aborted: Could not create SSL/TLS secure channel.

... I've added some trace/debug info to web.config, and what I found out from the error was this:

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 8e a6 72 c2 e1 67 16 e2 be be c3 30 89 8d bb 57 0b 48 f8 1d 09 b1 e3 26 42 c9 45 9e 02 b2 43 49 16 81 94 1b 18 d6 6d ef ....
System.Net Information: 0 : [15624] SecureChannel#32061089 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [15624] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [15624] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [15624] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Error: 0 : [15624] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [15624] Socket#38259205::Dispose()
System.Net Error: 0 : [15624] Exception in the HttpWebRequest#54558071:: - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Error: 0 : [15624] Exception in the HttpWebRequest#54558071::GetResponse - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Verbose: 0 : [15624] 

I know this looks like the correct user/identity hasn't been given the access to the certificate (from winhttpcertcfg), but I'm very sure that it has, that's why I'm at loss here,

hoping that someone with some serious https-certificate/web-service -skills might help me out here :-)

Thanks.

Regards, Jørgen E.

edit1: changed title to something more precise. edit2: New information:

In EventViewer/Windows Logs/Security there is an event "Audit Failure" connected to this:

Cryptographic operation.

Subject:
    Security ID:        IIS APPPOOL\ASP.NET v4.0
    Account Name:       ASP.NET v4.0
    Account Domain:     IIS APPPOOL
    Logon ID:       0x32498

Cryptographic Parameters:
    Provider Name:  Microsoft Software Key Storage Provider
    Algorithm Name: Not Available.
    Key Name:   {00E1A3F5-7400-41CA-8290-02983473AEAF}
    Key Type:   Machine key.

Cryptographic Operation:
    Operation:  Open Key.
    Return Code:    0x80090010

Hi, and thanks for responding :-) .. Ive now located a file in this folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys ... the filename is a23e3996925c33fec814f8ce35e4b1d9_57324829-0d1c-4ae4-ae60-1e2‌​849f7749a ... If I add READ access for applicationpoolidentity to this file, then it works !! .. But I am unable to identify what certificate this is, so that I can add access through proper means (winhttpcertcfg) :-( .. Anyone know how to identify this? Or perhaps just adding this access manually will suffice?

You can use a tool by Microsoft, FindPrivateKey.exe. Or just delete your key, write down the list of files present, and re-import the certificate/key (if you have the PFX), noting the new file created. Ref: msdn.microsoft.com/ru-ru/library/ms732026.aspx (FindPrivateKey)

FindPrivateKey and the technique you specified does the opposite of what I want to achieve :-) I know the filename of the machinekeys-file, and want to know what certificate this file is attached to, cause it ain't the certificate that i'm using, I've identified the certificate I'm using with findprivatekey.

Well, what is missing then? In the original question, you've said you know which certificate you're using for SSL. Can you please edit your question to clarify what's missing?

Well .. I knew what certificate I was using, and I could find the corresponding machinekeys-file, but there was ANOTHER machinekeys file that needed read access for "IIS APPPOOL\ASP.NET v4.0" for it to work.. (got it working by adding access to all files one by one manually) .. I don't know what this file is for, that's what I wanted to find out. Anyways, I got it working now, so no problem - thanks for helping :)

"you need to set permissions for your SSL certificate private key" - that helped me, have come back twice for it now :) Thanks