.NET 6 中的证书私钥权限
[英]Certificate private key permissions in .NET 6
问题描述
I'm trying to import a certificate with private key into the Windows Certificate Store.
我正在尝试将带有私钥的证书导入 Windows 证书存储区。 I can successfully import the certificate using the below我可以使用以下方法成功导入证书
X509Certificate2 certificate = new(certByteArray, certPassword, X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);
X509Store store = new(StoreName.TrustedPeople, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadWrite);
store.Add(certificate);
But the problem I've got is, how to give a user access to the private key programmatically.但我遇到的问题是,如何以编程方式让用户访问私钥。
I've found these links helpful:我发现这些链接很有帮助:
https://www.pkisolutions.com/accessing-and-using-certificate-private-keys-in-net-framework-net-core/ https://www.pkisolutions.com/accessing-and-using-certificate-private-keys-in-net-framework-net-core/
CngKey Assign permission to machine key CngKey 为机器密钥分配权限
Set Certificate PrivateKey Permissions in .NET 5 在 .NET 5 中设置证书私钥权限
I can grant access via the UI with certlm.msc > Drag certificate to Personal store > Right click certificate > All Tasks > Manage private keys > Add the user and permission我可以使用 certlm.msc 通过 UI 授予访问权限 > 将证书拖到个人商店 > 右键单击证书 > 所有任务 > 管理私钥 > 添加用户和权限
But I need to do this programmatically但我需要以编程方式执行此操作
There are changes from .NET Full Framework which is where the examples come from. .NET Full Framework 有一些变化,这是示例的来源。 I've spent more than a day on it, tried multiple certificates, certificate is definitely marked as exportable and running VS as administrator.我花了一天多的时间,尝试了多个证书,证书肯定被标记为可导出并以管理员身份运行 VS。 I'm happy with a Windows only solution我对 Windows 唯一的解决方案感到满意
This is about as close as I've got这和我差不多
const string NCRYPT_SECURITY_DESCR_PROPERTY = "Security Descr";
const CngPropertyOptions DACL_SECURITY_INFORMATION = (CngPropertyOptions)4;
X509Store trustedPeopleStore = new(StoreName.TrustedPeople, StoreLocation.LocalMachine);
trustedPeopleStore.Open(OpenFlags.ReadWrite);
var certificates = trustedPeopleStore.Certificates.Find(X509FindType.FindByThumbprint, "xxxxxxxxxxxxxxxxxxxxxx", false);
RSA rsa = certificates[0].GetRSAPrivateKey();
RSACng rsaCng = rsa as RSACng;
CngProperty prop = rsaCng.Key.GetProperty(NCRYPT_SECURITY_DESCR_PROPERTY, DACL_SECURITY_INFORMATION);
I can see the rsaCng.Key present in debug, but it fails on the next line (it definitely is exportable) getting the property with Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: 'Key not valid for use in specified state.'我可以在调试中看到 rsaCng.Key,但在下一行(它肯定是可导出的)获取属性时失败Internal.Cryptography.CryptoThrowHelper.WindowsCryptographicException: 'Key not valid for use in specified state.' I've also read comments that you shouldn't try setting the acl directly on the file, but not sure if that is correct or not我还阅读了有关您不应尝试直接在文件上设置 acl 的评论,但不确定这是否正确
1 个解决方案
解决方案1
0 2021-12-01 19:45:16
See this code project post for some example code that grants access programmatically (specifically look at the "AddAccessToCertificate" method).有关以编程方式授予访问权限的示例代码,请参阅此代码项目帖子(特别是查看“AddAccessToCertificate”方法)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.