[英]Azure Web Application new X509Certificate2() causing System.Security.Cryptography.CryptographicException: Access denied
Right now I am uploading a .pfx file, taking in a password and calling 现在我上传一个.pfx文件,输入密码并打电话
var cert = new X509Certificate2(fileData, password);
And storing things like the thumbprint, etc. I do not need to actually store this on the server, just validate that it is a valid cert and store some information. 并存储指纹等内容。我不需要将其实际存储在服务器上,只需验证它是否是有效的证书并存储一些信息。 On local this works (obviously I have better access to my key store) but when I put it up in azure I get the error:
在本地这个工作(显然我有更好的访问我的密钥库)但是当我把它放在天蓝色时我得到错误:
System.Security.Cryptography.CryptographicException: Access denied.
System.Security.Cryptography.CryptographicException:拒绝访问。
Is there any way to get this information sidestepping this or to use this method without getting an access denied? 有没有办法让这些信息回避这个或使用这种方法而不会被拒绝访问? I am not very good with certs, so let me know if you need more information.
我对证书不是很了解,所以如果您需要更多信息请告诉我。 Thank you.
谢谢。
When opening a PFX on Windows any private keys get written to disk. 在Windows上打开PFX时,任何私钥都会写入磁盘。 They will get deleted later (unless you specify PersistKeySet), but they do still have to be written (ish).
它们将在以后删除(除非您指定PersistKeySet),但它们仍然必须写入(ish)。
Where are they written? 他们在哪里写的?
X509KeyStorageFlags.MachineKeySet
: In the machine keystore, you need to be an administrator. X509KeyStorageFlags.MachineKeySet
:在计算机密钥库中,您需要是管理员。 X509KeyStorageFlags.UserKeySet
: In the user keystore, your user profile probably needs to exist/load. X509KeyStorageFlags.UserKeySet
:在用户密钥库中,您的用户配置文件可能需要存在/加载。 Given "Access Denied" I'd guess that you hit the case where the PFX itself specified the machine keystore, to resolve this you'd change your call to 鉴于“拒绝访问”,我猜你会遇到PFX本身指定机器密钥库的情况,为了解决这个问题你要改变你的呼叫
new X509Certificate2(fileData, password, X509KeyStorageFlags.UserKeySet)
and everything should work. 一切都应该有效。 If you specify UserKeySet and still get an error, that might a profile-loading problem.
如果您指定UserKeySet并仍然收到错误,那可能是配置文件加载问题。
There is an option to load a PFX without writing the private keys to disk, but it's not available in .NET Framework (though it was recently added to .NET Core). 可以选择在不将私钥写入磁盘的情况下加载PFX,但它在.NET Framework中不可用(尽管最近已添加到.NET Core中)。 If you really need it you could look into p/invoking PFXImportCertStore with the
PKCS12_NO_PERSIST_KEY
flag, then pass the resultant HCERTSTORE value to X509Store.ctor(IntPtr) and read your certificate(s) via the X509Store.Certificates
property. 如果您确实需要它,可以查看p /使用
PKCS12_NO_PERSIST_KEY
标志调用PFXImportCertStore ,然后将生成的HCERTSTORE值传递给X509Store.ctor(IntPtr)并通过X509Store.Certificates
属性读取您的证书。 Note, though, that most of .NET Framework won't understand that these cert objects have associated private keys, so they'll likely only behave as public-only certificate objects. 但请注意,大多数.NET Framework都不会理解这些证书对象具有关联的私钥,因此它们可能只会作为公共证书对象。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.