Windows 服务的 X509 证书存储在哪里?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/2784224/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Where to store X509 certificate for Windows service?
提问by Cocowalla
I have a Windows service that will normally be run using the Local System Account (although in some installations it may as a specific user account).
我有一个通常会使用本地系统帐户运行的 Windows 服务(尽管在某些安装中它可能作为特定的用户帐户)。
The service is using WCF, with communication secured using X509 certificates.
该服务使用 WCF,使用 X509 证书保护通信。
My question is, where is the best place to store the certificate (and private key)?
我的问题是,存储证书(和私钥)的最佳位置在哪里?
If using a certificate store is the best approach, which one should I use to ensure that only Administrators and the service can access the private key?
如果使用证书存储是最好的方法,我应该使用哪种方法来确保只有管理员和服务才能访问私钥?
Alternatively, a simple option would be to simply store both as a PFX file on disk, and use ACLs to ensure only Administrators and the service have access to it. What are the pros and cons of this approach vs using a certificate store?
或者,一个简单的选择是将两者作为 PFX 文件简单地存储在磁盘上,并使用 ACL 确保只有管理员和服务才能访问它。这种方法与使用证书存储的优缺点是什么?
EDITTo clarify, I am using C# with the .NET Framework 3.5
编辑为了澄清,我将 C# 与 .NET Framework 3.5 一起使用
采纳答案by Oleg
First of all I recommend you to hold certificate in a certificate store with private key saved as non exportable. Now some arguments.
首先,我建议您将证书保存在证书存储中,私钥保存为不可导出。现在有些争论。
There are different ways to save on a machine a private secret or other private information. The most old way is LsaStorePrivateDataand LsaRetrievePrivateDataAPI (see http://msdn.microsoft.com/en-us/library/ms721818%28VS.85%29.aspx). It has restriction to the number of secrets, but all secrets can be divided to local, global, and machine.
有多种方法可以在机器上保存私人机密或其他私人信息。最老的方法是LsaStorePrivateData和LsaRetrievePrivateDataAPI(见http://msdn.microsoft.com/en-us/library/ms721818%28VS.85%29.aspx)。它对秘密的数量有限制,但所有的秘密都可以分为本地、全局和机器。
Next way is using DPAPI (see http://msdn.microsoft.com/en-us/library/ms995355.aspx): CryptProtectDataand CryptUnprotectDatain our case.
接下来的方法是使用DPAPI(见http://msdn.microsoft.com/en-us/library/ms995355.aspx):CryptProtectData和CryptUnprotectData我们的情况。
I add references to this two ways because you want compare different possible ways to be sure that your way is the best for your task.
我添加了对这两种方式的引用,因为您想要比较不同的可能方式,以确保您的方式最适合您的任务。
I think the most important question which you should ask is: which is the best way to protect my private key? I think you should choose the way, which protect your key to be copied. So I recommend you use certificate store. In a certificate store you can hold private key marked non exportable. This is the main advantage in my opinion. You can deploy the certificate with the corresponding private key with different ways. Be sure, that the private key saved on the machine are not marked as exportable.
我认为您应该问的最重要的问题是:保护我的私钥的最佳方法是什么?我认为您应该选择保护您要复制的密钥的方式。所以我建议你使用证书存储。在证书存储中,您可以持有标记为不可导出的私钥。这是我认为的主要优势。您可以通过不同的方式使用相应的私钥部署证书。确保保存在机器上的私钥没有标记为exportable。
Using of PFX file on disk gives you not this advantage. Moreover either your PFX is not encrypted or you receive a problem where you should save the password to the PFX file. So you have to use DPAPI (CryptProtectDataand CryptUnprotectData) or LSA API (LsaStorePrivateDataand LsaRetrievePrivateData) and the password can be exported.
在磁盘上使用 PFX 文件不会给您带来这种优势。此外,要么您的 PFX 未加密,要么您遇到问题,需要将密码保存到 PFX 文件中。所以你必须使用DPAPI(CryptProtectData和CryptUnprotectData)或LSA API(LsaStorePrivateData和LsaRetrievePrivateData)并且可以导出密码。
