Azure, App-service, create X509Certificate2 object from string
Having an App-service in Azure, and working on the AzureServiceManagementAPI, I was downloading the file that contains the management certificate for each subscription.
Anyhow, using the certificate string from the file I'm trying to create an X509Certificate2 object.
string cerStr = subscription.Attribute("ManagementCertificate").Value;
X509Certificate2 x509 = new X509Certificate2(Convert.FromBase64String(cerStr), string.Empty, X509KeyStorageFlags.MachineKeySet);
The constructor of X509Certificate2 throws an exception:
Access denied.
System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
Since no one has answered this question, I will try and have a go at it. Please correct me if I am wrong, but the problem I think is the following line of code:
new X509Certificate2(Convert.FromBase64String(cerStr), string.Empty, X509KeyStorageFlags.MachineKeySet)
This line of code will try to add a new certificate to the certificate store of the virtual machine. All certificates used by the runtime need to be hosted in a store somewhere. This is not a good idea, because the certificate store of the virtual machine hosting the app service is nothing that you should be storing anything in; it's part of the infrastructure, which is not of your concern when you are working with app services.
What you need to do is to upload the certificate through the Azure portal instead (if it is not already there). I ended up reusing an SSL certificate already in place for this purpose. When this is done, you can retrieve that certificate in code. You will need to add a new App Setting under the "Application Settings" key in the Azure portal for your app service, named WEBSITE_LOAD_CERTIFICATES. The value should be the thumbprint of the certificate.
To retrieve the cert, you should do something like this:
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public async Task<X509Certificate2> GetCertificate(string certificateThumbprint)
{
    var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);
    // X509Certificate2Collection is a non-generic collection, so OfType<> (System.Linq) is needed
    var cert = store.Certificates.OfType<X509Certificate2>()
        .FirstOrDefault(x => x.Thumbprint == certificateThumbprint);
    store.Close();
    return cert;
}
You might be able to get the thumbprint of the cert by navigating your subscription using the Azure Resource Explorer: https://resources.azure.com/
As Fredrik mentioned, the issue is due to the code
X509Certificate2 x509 = new X509Certificate2(Convert.FromBase64String(cerStr), string.Empty, X509KeyStorageFlags.MachineKeySet);
In the Azure WebApp, if we try to use the certificate, we need to upload the certificate from the Azure portal. Add the WEBSITE_LOAD_CERTIFICATES setting with the thumbprint value in the Azure WebApp application. For more details, please refer to the blog.
Snippet code from the blog for the web application to access the certificate:
using System;
using System.Security.Cryptography.X509Certificates;

static void Main(string[] args)
{
    X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    certStore.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certCollection = certStore.Certificates.Find(
        X509FindType.FindByThumbprint,
        // Replace below with your cert's thumbprint
        "E661583E8FABEF4C0BEF694CBC41C28FB81CD870",
        false);
    // Get the first cert with the thumbprint
    if (certCollection.Count > 0)
    {
        X509Certificate2 cert = certCollection[0];
        // Use certificate
        Console.WriteLine(cert.FriendlyName);
    }
    certStore.Close();
}
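Both answers above retrieve the certificate from a store by thumbprint once WEBSITE_LOAD_CERTIFICATES is set. The following is an added example, not code from either answer or from the blog, that puts the checks a caller needs around that lookup: it normalizes a thumbprint pasted from the portal (stray spaces and invisible marks are a common cause of "not found"), reads the thumbprint from the same WEBSITE_LOAD_CERTIFICATES setting, and refuses a certificate that is expired or has no private key, since a management certificate is only useful for client authentication if the private key came with it. It assumes a Windows App Service, where the certificates listed in WEBSITE_LOAD_CERTIFICATES are loaded into the CurrentUser\My store (the store the second answer's snippet searches), and that the app setting is visible as an environment variable; the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (added example, not part of the original answers).
public static class AppServiceCertificate
{
    // Assumption: on Windows App Service, certificates listed in
    // WEBSITE_LOAD_CERTIFICATES land in CurrentUser\My. StoreName.Root under
    // LocalMachine is the trusted-root store and will not hold an uploaded
    // client certificate.
    public static X509Certificate2 Load(string thumbprint, DateTime? now = null)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("Thumbprint is required.", nameof(thumbprint));

        // Portal copy/paste often adds spaces or an invisible left-to-right mark;
        // FindByThumbprint needs the bare hex digits.
        string normalized = new string(thumbprint.Where(Uri.IsHexDigit).ToArray()).ToUpperInvariant();
        if (normalized.Length != 40)
            throw new ArgumentException("Expected a 40-hex-digit SHA-1 thumbprint.", nameof(thumbprint));

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: false because a self-signed management certificate would
            // fail chain validation; validity period and key are checked explicitly.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, normalized, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate with thumbprint " + normalized + " in CurrentUser\\My. " +
                    "Check that it is uploaded and listed in WEBSITE_LOAD_CERTIFICATES.");

            X509Certificate2 cert = matches[0];
            DateTime clock = now ?? DateTime.Now;
            if (clock < cert.NotBefore || clock > cert.NotAfter)
                throw new InvalidOperationException(
                    "Certificate " + normalized + " is outside its validity period.");
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + normalized + " has no private key; a .cer upload " +
                    "cannot be used for client authentication.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Reads the thumbprint from the app setting App Service itself uses, so the
    // value is configured in one place. The setting may be a comma-separated
    // list or "*" (load everything); this helper requires one explicit entry.
    public static X509Certificate2 LoadFromAppSetting()
    {
        string setting = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");
        if (string.IsNullOrWhiteSpace(setting) || setting.Trim() == "*")
            throw new InvalidOperationException(
                "WEBSITE_LOAD_CERTIFICATES must list an explicit thumbprint.");
        return Load(setting.Split(',')[0]);
    }
}
```

Throwing on a missing, expired or key-less certificate at startup gives a clear error instead of a later "Access denied" or authentication failure deep inside the Service Management client, and the thumbprint normalization covers the most common reason a lookup that "should" work returns nothing.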