C# 以编程方式导入带有私钥的证书
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/812105/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Import certificate with private key programmatically
提问by Jason
I'm trying to use the HttpListener class in a C# application to have a mini webserver serve content over SSL. In order to do this I need to use the httpcfg tool. I have a .pfx file with my public and private key pair. If I import this key pair manually using mmc into the local machine store, everything works fine. However, if I import this key pair programmatically using the X509Store class, I am not able to connect to my mini webserver. Note that in both methods the cert is getting imported to the MY store in LocalMachine. Oddly, I am able to view the certificate in mmc once I programmatically import it and when I view it, the UI indicates that a private key is also available for this certificate.
我正在尝试在 C# 应用程序中使用 HttpListener 类让小型网络服务器通过 SSL 提供内容。为了做到这一点,我需要使用 httpcfg 工具。我有一个包含公钥和私钥对的 .pfx 文件。如果我使用 mmc 手动将此密钥对导入本地机器存储,则一切正常。但是,如果我使用 X509Store 类以编程方式导入此密钥对,则无法连接到我的迷你网络服务器。请注意,在这两种方法中,证书都被导入到 LocalMachine 中的 MY 商店。奇怪的是,一旦我以编程方式导入证书,我就可以在 mmc 中查看它,当我查看它时,UI 指示该证书也有一个私钥可用。
Digging a little deeper, I notice that when I manually import the key pair, I can see a new file appear in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys, but one does not appear when I import programmatically. On a related note, when I delete a manually imported certificate, it does not remove the corresponding private key file from the previously mentioned directory.
深入一点,我注意到当我手动导入密钥对时,我可以看到一个新文件出现在 中C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys,但是当我以编程方式导入时没有出现。在相关说明中,当我删除手动导入的证书时,它不会从前面提到的目录中删除相应的私钥文件。
Ultimately, my question is this: When I programmatically add the certificate to the store, where is the private key being stored and why isn't it accessible to the HttpListener class (HttpApi)?
最终,我的问题是:当我以编程方式将证书添加到商店时,私钥存储在哪里,为什么 HttpListener 类 (HttpApi) 不能访问它?
Note that this question is slightly related but I don't think permissioning is the problem since this is all being done as the same Windows user: How to set read permission on the private key file of X.509 certificate from .NET
请注意,这个问题略有相关,但我认为权限不是问题,因为这一切都是作为同一个 Windows 用户完成的: How to set read permission on the private key file of X.509 certificate from .NET
采纳答案by Jason
Ok, I figured it out. It had to do with the key storage parameters for the certificate object. For anyone else that runs into this problem, make sure you construct your X509Certificate2objects that you are adding to the store using the X509KeyStorageFlags.PersistKeySetand X509KeyStorageFlags.MachineKeySetflags. This will force the private key to persist in the machine key set location which is required by HttpApi(HttpListenerwraps this).
好的,我想通了。它与证书对象的密钥存储参数有关。对于遇到此问题的任何其他人,请确保X509Certificate2使用X509KeyStorageFlags.PersistKeySet和X509KeyStorageFlags.MachineKeySet标志构建要添加到商店的对象。这将强制私钥保留在HttpApi(HttpListener包装 this)所需的机器密钥集位置。
回答by Developer
Is this a 2 way SSL? If it is then did you send over a SSL Certificate Request file generated on your machine? This Certificate Request file will be used to create the SSL and they together form a public private key pair.
这是 2 路 SSL 吗?如果是,那么您是否发送了在您的机器上生成的 SSL 证书请求文件?此证书请求文件将用于创建 SSL,它们一起形成一个公共私钥对。
Also did you try assigning the cert permission for the user account that is being used to run the web app? You can do this by using the Microsoft WSE 3.0 tool.
您是否也尝试为用于运行 Web 应用程序的用户帐户分配证书权限?您可以使用 Microsoft WSE 3.0 工具执行此操作。
