C# X509Certificate.CreateFromCertFile - 指定的网络密码不正确
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/899991/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
X509Certificate.CreateFromCertFile - the specified network password is not correct
提问by p.campbell
I have a .NET application that I want to use as a client to call an SSL SOAP web service. I have been supplied with a valid client certificate called foo.pfx. There is a password on the certificate itself.
我有一个 .NET 应用程序,我想将其用作客户端来调用 SSL SOAP Web 服务。我已经获得了一个名为foo.pfx. 证书本身有一个密码。
I've located the certificate at the following location: C:\certs\foo.pfx
我在以下位置找到了证书: C:\certs\foo.pfx
To call the web service, I need to attach the client certificate. Here's the code:
要调用 Web 服务,我需要附加客户端证书。这是代码:
public X509Certificate GetCertificateFromDisk(){
try{
string certPath = ConfigurationManager.AppSettings["MyCertPath"].ToString();
//this evaluates to "c:\certs\foo.pfx". So far so good.
X509Certificate myCert = X509Certificate.CreateFromCertFile(certPath);
// exception is raised here! "The specified network password is not correct"
return cert;
}
catch (Exception ex){
throw;
}
}
It sounds like the exception is around the .NET application trying to read the disk. The method CreateFromCertFileis a static method that should create a new instance of X509Certificate. The method isn't overridden, and has only one argument: the path.
听起来异常是在尝试读取磁盘的 .NET 应用程序周围。该方法CreateFromCertFile是一个静态方法,应该创建 X509Certificate 的新实例。该方法没有被覆盖,并且只有一个参数:路径。
When I inspect the Exception, I find this:
当我检查异常时,我发现:
_COMPlusExceptionCode = -532459699
Source=mscorlib
Question: does anyone know what the cause of the exception "The specified network password is not correct" ?
问题:有谁知道“指定的网络密码不正确”异常的原因是什么?
采纳答案by p.campbell
Turns out that I was trying to create a certificate from the .pfx instead of the .cer file.
原来我试图从 .pfx 而不是 .cer 文件创建证书。
Lesson learned...
学过的知识...
- .cer files are an X.509 certificate in binary form. They are DER encoded.
- .pfx files are container files. Also DER encoded. They contain not only certificates, but also private keys in encrypted form.
- .cer 文件是二进制形式的 X.509 证书。它们是DER 编码的。
- .pfx 文件是容器文件。也是 DER 编码的。它们不仅包含证书,还包含加密形式的私钥。
回答by benjamin
Depending on your situation you probably need to install the certificate on the server first to get the trust level up before you export the .cerfile.
根据您的情况,您可能需要先在服务器上安装证书才能在导出.cer文件之前提高信任级别。
I had to do this for a similar project and here were my notes on how it was accomplished.
我不得不为一个类似的项目这样做,这是我关于它是如何完成的笔记。
Replace the Foo.cerwith an export of the certificate installed on the server. (Install the cert from the pfxfile and then export it to a cerfile.)
替换为Foo.cer安装在服务器上的证书的导出。(从pfx文件安装证书,然后将其导出到cer文件。)
Command for IIS6 to allow IIS_WPG group access to the cert key. Need to install
winhttpcertcfg(You can follow the link below to grab your own copy).C:\Program Files\Windows Resource Kits\Tools>winhttpcertcfg -i (Path to pfx file, eg. e:\Certs\Foo.pfx) -c LOCAL_MACHINE\My -a IIS_WPG -p (Password for pfx file)
Spits out key info and grants privilege
Granting private key access for account:
(SERVERNAME)\IIS_WPG
IIS6 允许 IIS_WPG 组访问证书密钥的命令。需要安装
winhttpcertcfg(您可以按照下面的链接获取自己的副本)。C:\Program Files\Windows Resource Kits\Tools>winhttpcertcfg -i(pfx 文件的路径,例如 e:\Certs\Foo.pfx) -c LOCAL_MACHINE\My -a IIS_WPG -p(pfx 文件的密码)
吐出关键信息并授予特权
授予帐户的私钥访问权限:
(SERVERNAME)\IIS_WPG
Download WinHttpCertCfg.msiherethat installs the exe.
WinHttpCertCfg.msi在这里下载安装exe。
More info on how to use the cert config can be found here.
可以在此处找到有关如何使用证书配置的更多信息。
Then it just goes back to how you are doing your cert push.
然后它就回到了您如何进行证书推送。
//Cert Challenge URL
Uri requestURI = new Uri("https://someurl");
//Create the Request Object
HttpWebRequest pageRequest = (HttpWebRequest)WebRequest.Create(requestURI);
//After installing the cert on the server export a client cert to the working directory as Foo.cer
string certFile = MapPath("Foo.cer");
X509Certificate cert = X509Certificate.CreateFromCertFile(certFile);
//Set the Request Object parameters
pageRequest.ContentType = "application/x-www-form-urlencoded";
pageRequest.Method = "POST";
pageRequest.AllowWriteStreamBuffering = false;
pageRequest.AllowAutoRedirect = false;
pageRequest.ClientCertificates.Add(cert);
This how I passed the cert but not sure exactly what you are needing to do with your cert so this might not be the same for you.
这就是我通过证书的方式,但不确定您需要对证书做些什么,所以这对您来说可能不一样。
回答by Douwe
The 'the specified network password is not correct' error message is also returned when the certificate you are trying to import in one of the OS stores is already present in that store.
当您尝试在其中一个操作系统存储中导入的证书已存在于该存储中时,也会返回“指定的网络密码不正确”错误消息。
回答by Chris J
You might need to user X509Certificate2()with a parameter of X509KeyStorageFlags.MachineKeySetinstead. This fixed a similar issue we had. Credit to the original website that suggested this: http://vdachev.net/2012/03/07/c-sharp-error-creating-x509certificate2-from-a-pfx-or-p12-file-in-production/
您可能需要X509Certificate2()使用参数来X509KeyStorageFlags.MachineKeySet代替用户。这解决了我们遇到的类似问题。归功于提出此建议的原始网站:http: //vdachev.net/2012/03/07/c-sharp-error-creating-x509certificate2-from-a-pfx-or-p12-file-in-production/
Quoting:
引用:
Cause
The cause of the problem doesn't seem to have much to do with the error messages. For some reason the constructor is trying to get access to the private key store although the private key is in stored in the file being opened. By default the user key store is used but ASP.NET (and probably non-interactive Windows services in general) are not allowed to open it. Chances are the user key store for the selected account doesn't even exist.
Solution
One thing you could try is creating a user key store by logging into the account and importing a certificate in its Personal store (and then remove it again).
Another solution is to pass an additional parameter to the constructor – a flag indicating the private keys are (supposed to be) stored in the local computer – X509KeyStorageFlags.MachineKeySet, like this:
var certificate = new X509Certificate2(fileName, password, X509KeyStorageFlags.MachineKeySet);
原因
问题的原因似乎与错误消息没有太大关系。出于某种原因,尽管私钥存储在正在打开的文件中,但构造函数正试图访问私钥存储。默认情况下使用用户密钥存储,但不允许 ASP.NET(通常可能还有非交互式 Windows 服务)打开它。所选帐户的用户密钥库可能甚至不存在。
解决方案
您可以尝试的一件事是通过登录帐户并在其个人存储中导入证书(然后再次删除它)来创建用户密钥存储。
另一种解决方案是向构造函数传递一个额外的参数——一个指示私钥(应该)存储在本地计算机中的标志——X509KeyStorageFlags.MachineKeySet,如下所示:
var certificate = new X509Certificate2(fileName, password, X509KeyStorageFlags.MachineKeySet);
For a PFX with no password, then password can be specified as string.Empty.
对于没有密码的 PFX,则可以将密码指定为string.Empty.
回答by Dhanuka777
In my case I was trying to run in the Private Application mode and I got the same error.
就我而言,我试图在私有应用程序模式下运行,但遇到了同样的错误。
The specified network password is not correct
指定的网络密码不正确
The PrivateAuthenticator constructor (in Xero.Api.Example.Applications.Private) was trying to import the certificate assuming there is no password defined during the creation of the certificate.
PrivateAuthenticator 构造函数 (in Xero.Api.Example.Applications.Private) 试图导入证书,假设在创建证书期间没有定义密码。
_certificate = new X509Certificate2();
_certificate.Import(certificatePath);
Then I changed the import to use an overload method which uses the password,
然后我将导入更改为使用使用密码的重载方法,
_certificate.Import(certificatePath, "mypasswordusedtocreatethecertificate", X509KeyStorageFlags.MachineKeySet);
回答by ABB
You might need to X509KeyStorageFlags.MachineKeySet.
您可能需要 X509KeyStorageFlags.MachineKeySet。
I am using certificate from web job.
我正在使用来自网络作业的证书。
回答by Peska
In my case changing Identity to NetworkService in Application Pool solved this problem.
在我的情况下,在应用程序池中将 Identity 更改为 NetworkService 解决了这个问题。
