Azure Web应用程序新X509Certificate2()导致System.Security.Cryptography.CryptographicException:访问被拒绝
[英]Azure Web Application new X509Certificate2() causing System.Security.Cryptography.CryptographicException: Access denied
问题描述
Right now I am uploading a .pfx file, taking in a password and calling 
现在我上传一个.pfx文件,输入密码并打电话
var cert = new X509Certificate2(fileData, password);
And storing things like the thumbprint, etc. I do not need to actually store this on the server, just validate that it is a valid cert and store some information. 并存储指纹等内容。我不需要将其实际存储在服务器上,只需验证它是否是有效的证书并存储一些信息。 On local this works (obviously I have better access to my key store) but when I put it up in azure I get the error: 在本地这个工作(显然我有更好的访问我的密钥库)但是当我把它放在天蓝色时我得到错误:
System.Security.Cryptography.CryptographicException: Access denied.
Is there any way to get this information sidestepping this or to use this method without getting an access denied? 有没有办法让这些信息回避这个或使用这种方法而不会被拒绝访问? I am not very good with certs, so let me know if you need more information. 我对证书不是很了解,所以如果您需要更多信息请告诉我。 Thank you. 谢谢。
1 个解决方案
解决方案1
3 已采纳 2016-11-11 03:51:58
When opening a PFX on Windows any private keys get written to disk. 在Windows上打开PFX时,任何私钥都会写入磁盘。 They will get deleted later (unless you specify PersistKeySet), but they do still have to be written (ish). 它们将在以后删除(除非您指定PersistKeySet),但它们仍然必须写入(ish)。
Where are they written? 他们在哪里写的?
- If you specify
X509KeyStorageFlags.MachineKeySet: In the machine keystore, you need to be an administrator.如果指定X509KeyStorageFlags.MachineKeySet:在计算机密钥库中,您需要是管理员。 - If you specify
X509KeyStorageFlags.UserKeySet: In the user keystore, your user profile probably needs to exist/load.如果指定X509KeyStorageFlags.UserKeySet:在用户密钥库中,您的用户配置文件可能需要存在/加载。 - If you don't specify either: 如果您未指定:
- If the PFX itself has encoded that the key belongs in the machine key set, then the machine keystore (admin required). 如果PFX 本身编码了密钥属于机器密钥集,那么机器密钥库(需要管理员)。
- Otherwise the user keystore (profile probably required). 否则用户密钥库(可能需要配置文件)。
- If the PFX itself has encoded that the key belongs in the machine key set, then the machine keystore (admin required).
Given "Access Denied" I'd guess that you hit the case where the PFX itself specified the machine keystore, to resolve this you'd change your call to 鉴于“拒绝访问”,我猜你会遇到PFX本身指定机器密钥库的情况,为了解决这个问题你要改变你的呼叫
new X509Certificate2(fileData, password, X509KeyStorageFlags.UserKeySet)
and everything should work. 一切都应该有效。 If you specify UserKeySet and still get an error, that might a profile-loading problem. 如果您指定UserKeySet并仍然收到错误,那可能是配置文件加载问题。
There is an option to load a PFX without writing the private keys to disk, but it's not available in .NET Framework (though it was recently added to .NET Core). 可以选择在不将私钥写入磁盘的情况下加载PFX,但它在.NET Framework中不可用(尽管最近已添加到.NET Core中)。 If you really need it you could look into p/invoking PFXImportCertStore with the PKCS12_NO_PERSIST_KEY flag, then pass the resultant HCERTSTORE value to X509Store.ctor(IntPtr) and read your certificate(s) via the X509Store.Certificates property. 如果您确实需要它,可以查看p /使用PKCS12_NO_PERSIST_KEY标志调用PFXImportCertStore ,然后将生成的HCERTSTORE值传递给X509Store.ctor(IntPtr)并通过X509Store.Certificates属性读取您的证书。 Note, though, that most of .NET Framework won't understand that these cert objects have associated private keys, so they'll likely only behave as public-only certificate objects. 但请注意,大多数.NET Framework都不会理解这些证书对象具有关联的私钥,因此它们可能只会作为公共证书对象。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.