C# WCF 错误:“证书‘我的证书’很可能没有能够进行密钥交换的私钥
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/13184586/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
WCF Error : 'It is likely that certificate 'my cert' may not have a private key that is capable of key exchange
提问by Bill Martin
I have a WCF service I'm trying to host on our production web server (IIS6). I've set the web up and tied our cert to the web. When I try to browse to the service url, I receive the following error in the event log :
我有一个 WCF 服务,我试图在我们的生产 Web 服务器 (IIS6) 上托管。我已经设置了网络并将我们的证书绑定到网络。当我尝试浏览到服务 url 时,我在事件日志中收到以下错误:
The exception message is: It is likely that certificate 'CN=.mydomain, OU=Secure Link SSL Wildcard, OU=I.T., C=US' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.. ---> System.ArgumentException: It is likely that certificate 'CN=.mydomain.com, OU=Secure Link SSL Wildcard, OU=I.T., O=mydomain, C=US' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: The handle is invalid.
异常消息是:证书 'CN= .mydomain, OU=Secure Link SSL Wildcard, OU=IT, C=US' 可能没有能够进行密钥交换的私钥,或者进程可能没有访问权限私钥的权利。有关详细信息,请参阅内部异常.. ---> System.ArgumentException: 证书 'CN=.mydomain.com, OU=Secure Link SSL Wildcard, OU=IT, O=mydomain, C=US' 可能不是拥有能够进行密钥交换的私钥,或者进程可能没有私钥的访问权限。详情请参阅内部异常。---> System.Security.Cryptography.CryptographicException:句柄无效。
I've confirmed ASP.Net 1.1, 2, and 4 are all set to 'Allow' in 'Web Service Extensions'. I've also confirmed the cert is set up in iis and it shows 'You have a private key that corresponds to this certificate'. Also, Execute Permissions are set to 'Script and Executables'.
我已经确认 ASP.Net 1.1、2 和 4 在“Web 服务扩展”中都设置为“允许”。我还确认证书是在 iis 中设置的,它显示“您有一个与此证书对应的私钥”。此外,执行权限设置为“脚本和可执行文件”。
采纳答案by Andrew Shepherd
I had this problem, and it turned out that the account the service was running under did not have permissions to access the certificate's private key.
我遇到了这个问题,结果发现运行该服务的帐户没有访问证书私钥的权限。
Here are the steps I used to solve it:
以下是我用来解决它的步骤:
- Start the Cetificate manager. Do this by running MMC, activate [File]-[Add/Remove Snap-in...], then add "Certificates", selecting "Computer Account" and "Local Computer" in the ensuing wizard dialogs.
- In the certificate manager, right-click on the relevant certificate and activate [All Tasks]-[Manage Private Keys]
- This gives you a permissions window. Click Add
- Add the account name or group that this service runs under.
- 启动证书管理器。为此,请运行 MMC,激活 [文件]-[添加/删除管理单元...],然后添加“证书”,在随后出现的向导对话框中选择“计算机帐户”和“本地计算机”。
- 在证书管理器中,右键点击相关证书,激活【所有任务】-【管理私钥】
- 这为您提供了一个权限窗口。点击添加
- 添加运行此服务的帐户名或组。
回答by Oliver Hanappi
Seems like your certificate was created for signatures and not key exchange, what I suppose to be normal for SSL certificates.
似乎您的证书是为签名而不是密钥交换创建的,我认为 SSL 证书是正常的。
If you look at the makecert documentation, you can see that the -sky switch lets you specify whether the certificate should be used for signatures or key exchange. You can try to create a self-signed certificate with type exchange and test whether the exception still occurs. Don't forget to put the self-signed certificate into the machine's trusted root certification authority folder in order to avoid exceptions that the certificate is not valid.
如果您查看makecert 文档,您会发现 -sky 开关允许您指定证书是用于签名还是用于密钥交换。可以尝试创建一个类型为exchange的自签名证书,测试是否仍然出现异常。不要忘记将自签名证书放入机器的受信任根证书颁发机构文件夹中,以避免出现证书无效的异常。
回答by Beourg
Ensure also that the account name or group that needs to access the certificate ALSO has access to the folder hierarchy that the certificate resides in. If your certificate is hiding in, for example, 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys', and the account that needs to access it is 'NETWORK SERVICE', then 'NETWORK SERVICE' needs access to that full path. Just assigning rights to the file is not enough.
还要确保需要访问证书的帐户名称或组也可以访问证书所在的文件夹层次结构。如果您的证书隐藏在,例如,'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys ',并且需要访问它的帐户是 'NETWORK SERVICE',那么 'NETWORK SERVICE' 需要访问该完整路径。仅仅为文件分配权限是不够的。
回答by Koen van der Linden
Same problem here. To fix the problem I added the following line to the <system.web>node of the web.config.
同样的问题在这里。为了解决这个问题,我将以下行添加到<system.web>web.config的节点。
<httpRuntime targetFramework="4.7.2"/>
<httpRuntime targetFramework="4.7.2"/>
