[英]No Private Key when importing PFX via Import-PFXCertificate?
I have been tasked with automating installation of LetsEncrypt certficates on several Windows Server 2016 systems.我的任务是在多个 Windows Server 2016 系统上自动安装 LetsEncrypt 证书。
One requirement is to copy the ACL from the old private key to the new one, and so my script first identifies the unique container name from 'C:\ProgramData\Microsoft\Crypto'
.一项要求是将 ACL 从旧私钥复制到新私钥,因此我的脚本首先从
'C:\ProgramData\Microsoft\Crypto'
识别唯一容器名称。
Assuming that I have set the value of $Thumbprint to the correct certifciate thumbprint - which I have... then I believe should be able to locate the private key in the filesystem using:假设我已将 $Thumbprint 的值设置为正确的证书指纹 - 我有......那么我相信应该能够使用以下方法在文件系统中找到私钥:
(Get-Item "CERT:\LocalMachine\My\$Thumbprint").PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
This works great when I import the PFX using certlm.msc but not when I have imported the PFX using Powershell Import-PFXCertificate
?这在我使用 certlm.msc 导入 PFX 时效果很好,但在我使用 Powershell
Import-PFXCertificate
PFX 时效果不佳?
When imported using this cmdlet the .HasPrivateKey
property is True, but the .PrivateKey property itself is empty.使用此 cmdlet 导入时,
.HasPrivateKey
属性为 True,但 .PrivateKey 属性本身为空。
I have the script working using certutil with the -ImportPfx
switch which is ok, however will not accept the SecureString password.我让脚本使用带有
-ImportPfx
开关的 certutil 工作,这没问题,但不会接受 SecureString 密码。
Any help or ideas would be much appreciated.任何帮助或想法将不胜感激。
To mods:对模组:
Symptoms here are the same as this > ( PowerShell Import Pfx, and Private Key "Lost" ), however the conditions are not.此处的症状与此相同 > ( PowerShell Import Pfx, and Private Key "Lost" ),但条件并非如此。 I am not defining my own function to import the PFX, I am using the native Powershell cmdlet Import-PfxCertificate ( https://docs.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate?view=windowsserver2016-ps ) and therefore am unable to edit the x509 flags as described in that resolution.
我没有定义自己的函数来导入 PFX,我使用的是本机 Powershell cmdlet Import-PfxCertificate ( https://docs.microsoft.com/en-us/powershell/module/pki/import-pfxcertificate?view=windowsserver2016 -ps ),因此无法编辑该分辨率中描述的 x509 标志。
In fact, it's not a PowerShell problem and keys are not lost.事实上,这不是 PowerShell 的问题,密钥也不会丢失。 The problem is in underlying .NET Framework APIs.
问题出在底层 .NET Framework API 中。
(Get-Item "CERT:\LocalMachine\My$Thumbprint").PrivateKey
(Get-Item "CERT:\LocalMachine\My$Thumbprint").PrivateKey
this call is obsolete since .NET 4.6.自 .NET 4.6 起,此调用已过时。 and is completely broken in .NET 4.7.
并且在 .NET 4.7 中完全被破坏。 See my blog post on this topic: Accessing and using certificate private keys in .NET Framework/.NET Core
请参阅我关于此主题的博文: 在 .NET Framework/.NET Core 中访问和使用证书私钥
What you actually, have to do is to use X509Certificate2 extension methods which will return one of the following types: RSACng
, DSACng
or ECDsaCng
.实际上,您要做的是使用X509Certificate2 扩展方法,该方法将返回以下类型之一:
RSACng
、 DSACng
或ECDsaCng
。 In PowerShell, extension methods are invoked as static methods, for example:在 PowerShell 中,扩展方法作为静态方法调用,例如:
$rsaCngKey = [System.Security.Cryptography.RSA]::GetRSAPrivateKey($cert)
These types (with "Cng" suffix) are CNG implementations and not supported by X509Certificate2.PrivateKey
.这些类型(带有“Cng”后缀)是 CNG 实现,不受
X509Certificate2.PrivateKey
支持。 In C#, this property will throw an InvalidCastException
exception, but PowerShell swallows exceptions from property getters and return $null
instead, which may look like "lost" key.在 C# 中,此属性将引发
InvalidCastException
异常,但 PowerShell 会从属性 getter 中吞下异常并返回$null
,这可能看起来像“丢失”的键。
Every CNG private key object contains Key
property (for example, RSACng.Key ) which is of type of CngKey
.每个 CNG 私钥对象都包含
CngKey
类型的Key
属性(例如RSACng.Key )。
CngKey
type has a pair of methods: GetProperty and SetProperty which you shall use in order to read and write key ACL by specifying a Security Descr
as a property name. CngKey
类型有一对方法: GetProperty和SetProperty ,您应该使用它们来通过将Security Descr
指定为属性名称来读取和写入密钥 ACL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.