You can set the permissions using the Certificates MMC snap-in. As an experiment, I suggest giving the "Everyone" group read permission. If that works, limit the permissions to only the account or group that your app runs under.
I've copied the following from the Certificate Guide.https://www.componentspace.com/Forums/8238/Certificate-GuidePrivate Key Permissions
Private keys are protected by permissions. To use the private key, a process must have read permission.
To set permissions, select the certificate and, from the main menu, select Action > All Tasks > Manage Private Keys.
A dialog showing the current permissions is displayed.
For applications hosted in IIS, it’s recommended that the IIS_IUSRS group be given read permission.
If the application is running under an application pool whose account is not in this group, the
permissions will have to be set explicitly for this account. The user or group to permit is dependent on the version of IIS and its configuration.