I was trying to get my hands on a enhanced WebAPI security. I decided to go with X.509 approach since it was the best approach to get started with. Everything was logically correct but the program could not decrypt the content (combination of username and password separated by pipe in my case). After debugging this was the exception that was being thrown

System.Security.Cryptography.CryptographicException: keyset does not exist

After digging in a lot I found that the user did not have enough permissions to access the folder which contains Private Keys. Because of which the program could not read Private Key and the exception was thrown.  Here is how I fixed it :

  1. Go to ” C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys” or follow step 2 if  you don’t know the Private Key container.
  2. (Skip this step if you know the Private Key container folder path) Find Private Key Path using this tool : Find Private Key Tool / Download : (Source : blog.rhysgoodwin.com)
    1. Type this command “FindPrivateKey My LocalMachine -n “{cert name}” -d”
    2. Copy the output path.
  3. The given output is the location of the generated Private Key. Go to that location (in my case : C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys).
  4. Go one folder up, right click on folder MachineKeys and click Properties.
  5. Go to Security tab -> Select User.
  6. Click on Edit permissions.
  7. Allow necessary controls (Read, Write and Modify in most cases).

This should fix the Keyset does not exist or Access denied exception.

Note : If you can not edit permissions of MachineKeys folder for specific user then locate to “\Crypto\RSA” (parent folder) and change the permissions of that folder.


  • Moti

    You r the best! tx