I am using Bouncy Castle (C#) to generate self-signed X.509 certificates for a WCF web-service.
I have a use case where certificates are created by an installer running in a user account (e.g. System Administrator Account). The installer will also create the Windows user account for the service (e.g. My Service Account) which will then use those certificates.
I would not like to make the certificate available to all users on the machine/domain, but only to the authorized Service Account (My Service Account).
In such a case it seems neither StoreLocation.CurrentUser nor StoreLocation.LocalMachine will be able to achieve this?
What would be a reasonable way to solve this use case?
The only way you'll be able to access the certificate from any account is to create it in the LocalMachine store, not by putting it in a specific user store. Notice that certificates don't have ACLs, per se. Private keys, however, do.
So the most common way to do this is to store the certificate itself in the LocalMachine store, and then secure the private keys with the right ACLs, granting permissions only to those accounts that actually should have access to the private key (which can certainly be a virtual service account such as NT Service\<ServiceName>).
In modern versions of Windows, you should be able to adjust the permissions on the private key directly from the certificate management MMC snap-in, by using the All Tasks -> Manage Private Keys option on the context menu for the certificate.
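The same steps done programmatically from the installer, as an added example that is not part of the question or the answer: import the PFX into LocalMachine\My with a persisted machine key, then grant only the service account read access to the key container file, which is what "Manage Private Keys" does in the MMC. It assumes .NET Framework on Windows and a CAPI (CSP) RSA key, which is what `X509Certificate2` produces for a PFX by default there; the PFX path and the account name are placeholders.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the poster's code. Installs a PFX for a service account so that
// any account can read the certificate (LocalMachine store) but only the named account
// can use the private key. Run elevated, as an installer would.
static class PrivateKeyAcl
{
    public static X509Certificate2 InstallForServiceAccount(string pfxPath, string pfxPassword, string serviceAccount)
    {
        // MachineKeySet: key goes into the machine key store, not the installing user's profile.
        // PersistKeySet: key container stays on disk after this process exits.
        var cert = new X509Certificate2(pfxPath, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        store.Close();

        var rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa == null)
            throw new InvalidOperationException("Expected a CAPI RSA key; CNG keys are stored under a different path.");

        // CAPI machine keys are files under MachineKeys, named by the unique container name.
        string keyFile = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys",
            rsa.CspKeyContainerInfo.UniqueKeyContainerName);

        // Add a Read entry for the service account only; leave the existing SYSTEM/Administrators entries alone.
        FileSecurity acl = File.GetAccessControl(keyFile);
        acl.AddAccessRule(new FileSystemAccessRule(serviceAccount, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(keyFile, acl);
        return cert;
    }

    static void Main()
    {
        // Placeholder values: a virtual service account as mentioned in the answer, or a local account
        // such as "My Service Account" from the question would work the same way.
        var cert = InstallForServiceAccount(@"C:\install\service.pfx", "pfx-password", @"NT Service\MyService");
        Console.WriteLine("Installed " + cert.Thumbprint + " with key ACL for the service account");
    }
}
```

Verify the result with the MMC snap-in's "Manage Private Keys" dialog, which should list only the built-in entries plus the service account.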