
C# X509Certificate2: Where to store the private key?


I have a self-hosted WCF application, which acts as a server and I want to install/deploy it on a Windows machine.

The application uses a self-signed certificate, which I created with makecert.exe. So the PFX, CER and PVK are there and available. Everything works fine.

At this point in time, and only for testing, the application reads the certificate and the private key from an embedded resource. That means both are compiled into the application, which is a high security risk.

I already know that the most common way to store this data is the Windows certificate store. And I also know how to save to and read from the Windows certificate store.

But there is something that I still do not get:

Where do I store the private key (PVK) for the certificate (CER), so that my application is able to use the CER?

I mean, if my application can read it, then anybody who has access to this machine can read it. Or is this wrong?

Do I have to take care of this myself, or is there any "industry standard" for Windows machines to save and read the PVK?


Solution

  • The Windows certificate store is the most common place to store certificates (i.e. CA) or certificates with a private key (end entity).

    If you store the certificate (with private key, i.e. PFX) in the LocalMachine\My store, then you can assign privileges for who (what account) can access the private key. It is done through the certlm.msc tool. The System account has access by default, so any system service can use the private key.

    There are other ways to store a private key (like smartcard, HSM, net HSM etc.) and other ways to access a private key (like PKCS#11).
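The import-once, look-up-by-thumbprint pattern the answer describes, as an added C# example (not code from the question or the answer): the PFX is imported into LocalMachine\My with the key persisted in the machine key container, and the running service then locates the certificate by thumbprint instead of carrying the PVK. The class name, the PFX path and the thumbprint value are placeholders; a reference to System.ServiceModel is assumed.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical helper written for this example; names and values are placeholders.
static class ServiceCertificateStore
{
    // One-time deployment step (run as an administrator): import the PFX so the
    // private key lives in the machine key container, not in the application.
    // Delete the PFX/PVK files afterwards; only the thumbprint is needed at runtime.
    public static string ImportPfx(string pfxPath, string pfxPassword)
    {
        var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
        var cert = new X509Certificate2(pfxPath, pfxPassword, flags);
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        return cert.Thumbprint; // record this in the service configuration
    }

    // Runtime lookup: the private key never leaves the store. validOnly is false
    // because a self-signed makecert certificate does not chain to a trusted root.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found in LocalMachine\\My.");
            var cert = matches[0];
            // HasPrivateKey is false when the service account was not granted
            // access to the key via certlm.msc (Manage Private Keys).
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Private key not accessible to this account.");
            return cert;
        }
    }

    // Bind the store certificate to a self-hosted WCF service by thumbprint.
    public static void ConfigureHost(ServiceHost host, string thumbprint)
    {
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindByThumbprint, thumbprint);
    }
}
```

Run the service under a dedicated low-privilege account and grant only that account read access to the key in certlm.msc, so other users on the machine cannot read it even though the service can.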