Summary:
When creating new certificate private keys, or when trying to download a .pfx file with the private key included, it is possible to get the error message "Unable to retrieve certificate from Secret Store". There are several reasons why this can happen, but we have found that it is normally caused by the Windows cryptographic service being unable to read from or write to the temporary directory it uses to build the data for private keys.
Fix/Workaround:
There are a few one-time fixes or changes that can be made to get around this issue.
- First solution: Log in locally to the server as the service account that the IIS application pools are running as. This will automatically build the profile file structure that includes the temporary folder used by the cryptographic services.
- Second solution: Enable the "Load User Profile" option in the advanced settings for the application pool. Then restart IIS to load the new application pool settings.
More Information:
If the application pools are running as the system account, this is usually not an issue.
When this is a problem, it is likely that the cryptographic services either do not have permissions to the user's temporary crypto folder, or that the folder has not been created yet.
The typical location for the user's crypto temp folder is C:\Users\<service account>\AppData\Roaming\Microsoft\Crypto\RSA\
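The following PowerShell script is an added example that is not part of the original article. It ties the two fixes above to the check described here: it reads the application pool's identity and "Load User Profile" setting with the WebAdministration module that ships with IIS, resolves the service account's profile folder from the registry ProfileList, and tests whether the Crypto\RSA folder exists. With -Fix it enables Load User Profile and recycles the pool. The script assumes an elevated session on the IIS server; $AppPoolName is an assumed parameter, since the pool name is specific to each deployment.

```powershell
<#
  Added diagnostic example (not from the original article).
  Assumes: IIS with the WebAdministration module, run from an elevated
  PowerShell session on the web server. $AppPoolName is site-specific.
#>
param(
    [Parameter(Mandatory = $true)][string]$AppPoolName,
    [switch]$Fix   # enable Load User Profile and recycle the pool
)

Import-Module WebAdministration -ErrorAction Stop

$pool = Get-ItemProperty -Path "IIS:\AppPools\$AppPoolName" -ErrorAction Stop
$identityType = $pool.processModel.identityType
$userName     = $pool.processModel.userName
$loadProfile  = [bool]$pool.processModel.loadUserProfile

Write-Host "App pool          : $AppPoolName"
Write-Host "Identity type     : $identityType"
Write-Host "Load User Profile : $loadProfile"

# Built-in identities (LocalSystem, NetworkService, ApplicationPoolIdentity)
# are normally not affected; the per-user Crypto\RSA folder matters when the
# pool runs as a specific service account.
if ($identityType -ne 'SpecificUser') {
    Write-Host "Pool does not run as a specific user account; nothing to check."
    return
}

# Resolve the account to a SID, then look up its local profile path. This is
# more reliable than guessing C:\Users\<name>, because Windows may suffix the
# folder (for example user.DOMAIN) when a name collision occurred.
try {
    $sid = (New-Object System.Security.Principal.NTAccount($userName)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Warning "Could not resolve '$userName' to a SID: $($_.Exception.Message)"
    return
}

$profileKey  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profilePath = (Get-ItemProperty -Path $profileKey -ErrorAction SilentlyContinue).ProfileImagePath

if (-not $profilePath) {
    Write-Warning "No local profile exists for $userName. The account has never logged on here."
    Write-Warning "Fix: log in once as $userName, or enable Load User Profile on the pool (-Fix)."
} else {
    # Folder named in the article: <profile>\AppData\Roaming\Microsoft\Crypto\RSA
    $cryptoDir = Join-Path $profilePath 'AppData\Roaming\Microsoft\Crypto\RSA'
    Write-Host "Profile path      : $profilePath"
    if (Test-Path -LiteralPath $cryptoDir) {
        Write-Host "Crypto folder     : present ($cryptoDir)"
        # Show which ACEs grant the service account access, to spot a
        # permissions problem rather than a missing folder.
        (Get-Acl -LiteralPath $cryptoDir).Access |
            Where-Object { $_.IdentityReference -like "*$($userName.Split('\')[-1])*" } |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    } else {
        Write-Warning "Crypto folder missing: $cryptoDir"
        Write-Warning "This matches the 'Unable to retrieve certificate from Secret Store' cause."
    }
}

if ($Fix -and -not $loadProfile) {
    # Second solution from the article: load the user profile for the pool so
    # the roaming profile tree (including Crypto\RSA) is created at start-up.
    Set-ItemProperty -Path "IIS:\AppPools\$AppPoolName" `
        -Name processModel.loadUserProfile -Value $true
    Restart-WebAppPool -Name $AppPoolName
    Write-Host "Enabled Load User Profile and recycled $AppPoolName."
    Write-Host "Run 'iisreset' instead if a full IIS restart is preferred."
}
```

Run it as `.\Check-AppPoolCryptoProfile.ps1 -AppPoolName "MyPool"` first to see the diagnosis, and add `-Fix` only after confirming the pool really runs as a specific service account whose profile has never been loaded; on pools that run as a built-in identity the script exits without changing anything.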