Private Key and Client Certificate for .NET Agents

The .NET Agent loads the client certificate and private key from your local computer's personal Certificate Store. The instrumented application identities need the ability to access the private key of the client certificate.

Import the Private Key into the Certificate Store

To import the private key into the Certificate Store: 

1. From your Microsoft Management Console (MMC), navigate to and expand Certificates (Local computer) > Personal > Certificates.
2. Right-click Certificates.
3. Expand All Tasks > Import.
4. From the Import panel, change the Filter to All or .pfx files.
5. Select the *.pfx file.
6. Enter your password and then complete the import procedure. 

By default, for IIS applications (Full Framework and .NET Core hosted in- and out-of-process), the IIS_IUSRS group must have read access to the private key. For standalone, self-hosted .NET Core, and IIS applications running on application pools using custom service accounts, the appropriate accounts and groups have read access to the private key.

To add read access to the private key:

1. From your Microsoft Management Console (MMC), navigate to and expand Certificates (Local computer) > Personal > Certificates.
2. Right-click Certificates.
3. Expand All Tasks > Manage Private Keys to display a popup.
4. Add the application identities or user groups (as needed) and then add read access to the private key.

Configure the Certificate Attribute

To use the certificate from the Certificate Store, you must add the certificate thumbprint as the certificate attribute.

To obtain the certificate thumbprint: 

1. From your Microsoft Management Console (MMC), navigate to and expand Certificates (Local computer) > Personal > Certificates.
2. Double-click the certificate.
3. From the Details tab, locate the thumbprint. 

4. Add the thumbprint as the certificate attribute: 

   Add to the config.xml file:

   <controller host="controller.host.name" port="443" ssl="true" enable_tls12="true">
      <application name="application.name" />
      <account name="account.name" password="account.password" />
      <ssl-mutual-auth enabled="true" certificate="DD805DF731D3A5D379D5330C8B149AF5FB17AD98"></ssl-mutual-auth>
    </controller>

   CODE

   Add to this file:

   {
    "controller": {
      "host": "controller.host.name",
      "port": 443,
      "ssl": true,
      "enable_tls12" : true,
      "account": "account.name",
      "password": "account.password",
      "ssl_mutual_auth":{
          "enabled": true,
          "certificate" : "DD805DF731D3A5D379D5330C8B149AF5FB17AD98"
      }
    }

   CODE