Azure 应用服务无法从 wwwroot 文件系统加载 pfx 证书
[英]An Azure App Service cannot load a pfx certificate from the wwwroot filesystem
问题描述
I have a simple ASPNET-Core 2 web app on Azure App Services.
我在 Azure 应用服务上有一个简单的 ASPNET-Core 2 Web 应用。 When I try and load the pfx file, I get the following error:当我尝试加载 pfx 文件时,出现以下错误:
WindowsCryptographicException: The system cannot find the file specified Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
I'm trying to load a pfx file, which exists in the wwwroot folder.我正在尝试加载wwwroot文件夹中存在的pfx文件。
Problematically, I have proven that the pfx file exists.有问题的是,我已经证明 pfx 文件存在。
I then have tried to load the X509 cert via these two ways:然后我尝试通过这两种方式加载 X509 证书:
clientCertificate = new X509Certificate2(certificateByteArrayData, pfxPassword);
and和
clientCertificate = new X509Certificate2(filePath, pfxPassword);
if I have a bad password, I get a correct-bad-password exception.如果我有一个错误的密码,我会收到一个正确的错误密码异常。
But with a (what I believe to be is) legit path + password or loaded bytes + password, I get that error, above.但是使用(我认为是)合法路径 + 密码或加载的字节 + 密码,我得到了上面的错误。
It's like the certificate is trying to do some weird admin-type-thingy on the server and doesn't have permission?这就像证书试图在服务器上做一些奇怪的管理员类型的事情并且没有权限? Which I don't understand because I have the cert there and I just want to use it?我不明白,因为我在那里有证书,我只想使用它?
I know there's other ways to do this with Loading SSL Certs or using Azure Vault or other people have found similar problems but are related to 'user stores' etc, while here I thought this has nothing to do with it?我知道还有其他方法可以通过加载 SSL 证书或使用 Azure Vault 或其他人发现类似问题但与“用户存储”等相关,而在这里我认为这与它无关?
1 个解决方案
解决方案1
6 2018-05-28 15:25:16
It looks like I had to add an extra parameter to say use the Machine storage.看起来我不得不添加一个额外的参数来说明使用机器存储。
// Byte array.
var clientCertificate = new X509Certificate2(certificateData,
pfxPassword,
X509KeyStorageFlags.MachineKeySet);
// File name
var clientCertificate = new X509Certificate2(pfxFileNameAndPath,
pfxPassword,
X509KeyStorageFlags.MachineKeySet);
This SO answer basically suggested the answer这个 SO 答案基本上建议了答案
Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database.
Boom!繁荣! That said, I still don't understand why it's trying to access some store considering I am giving the password and file.也就是说,考虑到我提供了密码和文件,我仍然不明白为什么它会尝试访问某个商店。
/me shrug /我耸耸肩
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.