Private Key and Client Certificate for .NET Agents

To enable mutual SSL authentication, the .NET Agent loads the client certificate and private key from your local computer's personal Certificate Store. The instrumented application identities need the ability to access the private key of the client certificate.

Import the Private Key into the Certificate Store

To import the private key into the Certificate Store:

  1. From your Microsoft Management Console (MMC), navigate to and expand Certificates (Local computer) > Personal > Certificates.
  2. Right-click Certificates.
  3. Expand All Tasks > Import.
  4. From the Import panel, change the Filter to All or .pfx files.
  5. Select the *.pfx file.
  6. Enter your password and then complete the import procedure.

By default, for IIS applications (Full Framework and .NET Core hosted in- and out-of-process), the IIS_IUSRS

To add read access to the private key:

  1. From your Microsoft Management Console (MMC), navigate to and expand Certificates (Local computer) > Personal > Certificates.
  2. Right-click Certificates.
  3. Expand All Tasks > Manage Private Keys to display a popup.
  4. Add the application identities or user groups (as needed) and then add read access to the private key.
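
The same grant can be checked, and optionally applied, from an elevated PowerShell session. This is an added example, not part of the original documentation: it assumes an RSA key, takes the thumbprint whose lookup is described in the next section, and uses `IIS_IUSRS` in its comment only as an example identity.

```powershell
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # from the certificate's Details tab
    [string] $GrantReadTo                         # optional, e.g. 'IIS_IUSRS' (example identity)
)

# A thumbprint copied from MMC can carry spaces or an invisible leading
# character, so keep only the hex digits before comparing.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $clean }
if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $clean has no private key; import the .pfx file" }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }

# Resolve the key container file. CNG and legacy CSP keys live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw "Certificate $clean does not use an RSA key; not handled by this example" }
$name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\Keys\$name",
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$name"
) | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file for $clean not found" }

# Grant read-only access, and only when an identity was passed explicitly.
if ($GrantReadTo) {
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GrantReadTo, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# List every identity on the key file so grants broader than Read stand out.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it without `-GrantReadTo` first to review the current ACL before changing anything.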

Configure the Certificate Attribute

To use the certificate from the Certificate Store, you must add the certificate thumbprint as the certificate

To obtain the certificate thumbprint:


  1. From your Microsoft Management Console (MMC), navigate to and expand Certificates (Local computer) > Personal > Certificates.
  2. Double-click the certificate.
  3. From the Details tab, locate the thumbprint.
  4. Add the thumbprint as the certificate
    For MSI Agents

    Add to the config.xml file:

    <controller host="controller.host.name" port="443" ssl="true" enable_tls12="true">
      <application name="application.name" />
      <account name="account.name" password="account.password" />
      <ssl-mutual-auth enabled="true" certificate="certificate.thumbprint"></ssl-mutual-auth>
    </controller>

    For Standalone Agents

    Add to this file:

    {
      "controller": {
        "host": "controller.host.name",
        "port": 443,
        "ssl": true,
        "enable_tls12": true,
        "account": "account.name",
        "password": "account.password",
        "ssl_mutual_auth": {
          "enabled": true,
          "certificate": "certificate.thumbprint"
        }
      }
    }

    For Azure App Services (Azure PaaS)

    Add to this file:

    {
      "controller": {
        "host": "controller.host.name",
        "port": 443,
        "ssl": true,
        "enable_tls12": true,
        "account": "account.name",
        "password": "account.password",
        "ssl_mutual_auth": {
          "enabled": true,
          "certificate": "certificate.thumbprint"
        }
      }
    }

    For Azure App Services, you can import the client certificate to Azure by using the Azure portal. For the imported certificate to be available for client authentication, you must set the thumbprint of the client certificate in the WEBSITE_LOAD_CERTIFICATES app setting.