winhttpcertcfg can be used to solve your cert private-key permission problem

To see the complete list of users who have access to the private key of a certain cert (for example, the cert with subject name localhost, sitting in the LocalMachine Personal (My) store), use:

winhttpcertcfg -l -c LOCAL_MACHINE\My -s localhost

To give the ASP.NET worker-process account permission to access the cert's private key, use the following commands (the account name depends on the OS version, so it is picked first):

rem Default worker-process account (Windows Server 2003 / IIS 6): NETWORK SERVICE
set WP_ACCOUNT=NETWORK SERVICE
rem On Windows XP (NT 5.1) the ASP.NET worker process runs as the local ASPNET account
(ver | findstr /L "5.1") && set WP_ACCOUNT=%COMPUTERNAME%\ASPNET
rem Grant that account access to the private key; replace {cert subject name} with the subject, e.g. localhost
winhttpcertcfg -g -c LOCAL_MACHINE\My -s {cert subject name} -a "%WP_ACCOUNT%"

winhttpcertcfg is really useful!!!
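An added PowerShell check (not from the original post) that shows the same information as winhttpcertcfg -l by reading the NTFS ACL on the certificate's key file, so the grant above can be verified on a machine that does not have the tool. It assumes a certificate whose subject contains CN=localhost exists in LocalMachine\My, that the script runs elevated, and that the key lives in one of the standard machine-key folders (CAPI under Crypto\RSA\MachineKeys, CNG under Crypto\Keys).

```powershell
# Added example: list the accounts with access to a certificate's private key.
function Get-PrivateKeyAccess {
    param(
        [string]$Subject = 'CN=localhost',   # assumed subject, matched as a substring like winhttpcertcfg -s
        [string]$StoreLocation = 'LocalMachine',
        [string]$StoreName = 'My'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open('ReadOnly')
    try {
        $cert = $store.Certificates |
            Where-Object { $_.Subject -like "*$Subject*" -and $_.HasPrivateKey } |
            Select-Object -First 1
    } finally {
        $store.Close()
    }
    if (-not $cert) { throw "No certificate with a private key for '$Subject' in $StoreLocation\$StoreName" }

    # Legacy CSP (CAPI) keys are files under ...\Crypto\RSA\MachineKeys; CNG keys under ...\Crypto\Keys.
    # Both are ordinary NTFS files, so their ACL is exactly what winhttpcertcfg -l / -g works with.
    $keyFile = $null
    try {
        $csp = $cert.PrivateKey.CspKeyContainerInfo   # throws on .NET Framework for CNG keys
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($csp.UniqueKeyContainerName)"
    } catch {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
        }
    }
    if (-not $keyFile -or -not (Test-Path $keyFile)) {
        throw "Could not locate the key file for thumbprint $($cert.Thumbprint)"
    }

    # One row per ACE. Anything beyond SYSTEM, Administrators and the intended
    # worker-process account means the key is exposed more widely than needed.
    (Get-Acl -Path $keyFile).Access | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            KeyFile    = $keyFile
            Identity   = $_.IdentityReference.Value
            Rights     = $_.FileSystemRights
            Type       = $_.AccessControlType
        }
    }
}

Get-PrivateKeyAccess -Subject 'CN=localhost' | Format-Table -AutoSize
```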