我正试图从路径加载证书,并在windows服务器上获得内部服务器错误。当我在windows 10上这样做时,一切都很好。
不工作控制台应用程序代码
var path = args[0];
var password = args[1];
var certificate2 = new X509Certificate2(path, password);
但是得到错误
Unhandled exception. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred.
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
at CertCoreTest.Program.Main(String[] args) in C:UsersAdminDocumentsVisual Studio 2019ProjectsCertTestCertCoreTestProgram.cs:line 12
破解工作代码(不确定为什么会工作)
var path = args[0];
var password = args[1];
Chilkat.Cert cert = new Chilkat.Cert();
var success = cert.LoadPfxData(File.ReadAllBytes(path), password);
if (success == false)
{
throw new Exception(cert.LastErrorText);
}
var bytes = cert.ExportToPfxData(password, true);
var ceeert = new X509Certificate2(bytes, password);
如何使它在windows服务器上工作而不使用chilkat库?
如果您的代码运行在IIS下的web应用程序中:
- 进入IIS管理器
- 转到应用程序池实例
- 点击高级设置
- 在Process model下,将Load User Profile设置为true
否则,尝试指定UserKeySet(有可能PFX包含"使用机器存储")。内部标记):
var path = args[0]; var password = args[1]; var certificate2 = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
否则,在本地机器上安装证书,并尝试通过拇指指纹从存储中加载:
-
安装到本机:https://blog.powerbiz.net.au/server-2012/importing-a-pfx-certificate-into-windows-server-2012/
-
获取指纹:https://learn.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-retrieve-the-thumbprint-of-a-certificate
-
使用配置的指纹从证书存储库加载证书
string certificateThumbprint = "<...thumbprint...>"; X509Certificate2 certificate = null; using X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine); store.Open(OpenFlags.ReadOnly); X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindByThumbprint, certificateThumbprint, false); if (certificates.Count > 0) certificate = certificates[0];
如果以上操作失败,则使用Windows 2012自带工具可能无法导入。p12文件。要检查:对于每个pkcs# 12文件,您可以尝试以下操作:发出命令certutil -asn | findstr/i "pb aes des sha"(取代";";与pkcs# 12文件的名称)。
如果输出开始如下:
| | | | |;1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES
那么应该可以将pkcs# 12文件导入Windows 2016。
如果输出开始如下:
| | | | |;1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2| | | | | |;1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2| | | | |;2.16.840.1.101.3.4.1.42 aes256
或类似的,那么pkcs# 12文件可能无法使用内置的Windows 2016工具导入Windows 2016。您必须使用TripleDES和SHA1重新创建pkcs# 12文件。-参见线程:https://learn.microsoft.com/en-us/answers/questions/518605/importing-a-pkcs12-to-windows-server-2016.html
您是否尝试将字节数据传递到X509Certificate2而不是传递路径?从官方文件中查看以下SRC。
cert.GetRawCertData()(不像你的情况,但原因似乎是相似的)
using System;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.IO;
using System.Security.Cryptography.X509Certificates;
class CertInfo
{
//Reads a file.
internal static byte[] ReadFile (string fileName)
{
FileStream f = new FileStream(fileName, FileMode.Open, FileAccess.Read);
int size = (int)f.Length;
byte[] data = new byte[size];
size = f.Read(data, 0, size);
f.Close();
return data;
}
//Main method begins here.
static void Main(string[] args)
{
//Test for correct number of arguments.
if (args.Length < 1)
{
Console.WriteLine("Usage: CertInfo <filename>");
return;
}
try
{
X509Certificate2 x509 = new X509Certificate2();
//Create X509Certificate2 object from .cer file.
byte[] rawData = ReadFile(args[0]);
x509.Import(rawData);
//Print to console information contained in the certificate.
Console.WriteLine("{0}Subject: {1}{0}", Environment.NewLine, x509.Subject);
Console.WriteLine("{0}Issuer: {1}{0}", Environment.NewLine, x509.Issuer);
Console.WriteLine("{0}Version: {1}{0}", Environment.NewLine, x509.Version);
Console.WriteLine("{0}Valid Date: {1}{0}", Environment.NewLine, x509.NotBefore);
Console.WriteLine("{0}Expiry Date: {1}{0}", Environment.NewLine, x509.NotAfter);
Console.WriteLine("{0}Thumbprint: {1}{0}", Environment.NewLine, x509.Thumbprint);
Console.WriteLine("{0}Serial Number: {1}{0}", Environment.NewLine, x509.SerialNumber);
Console.WriteLine("{0}Friendly Name: {1}{0}", Environment.NewLine, x509.PublicKey.Oid.FriendlyName);
Console.WriteLine("{0}Public Key Format: {1}{0}", Environment.NewLine, x509.PublicKey.EncodedKeyValue.Format(true));
Console.WriteLine("{0}Raw Data Length: {1}{0}", Environment.NewLine, x509.RawData.Length);
Console.WriteLine("{0}Certificate to string: {1}{0}", Environment.NewLine, x509.ToString(true));
Console.WriteLine("{0}Certificate to XML String: {1}{0}", Environment.NewLine, x509.PublicKey.Key.ToXmlString(false));
//Add the certificate to a X509Store.
X509Store store = new X509Store();
store.Open(OpenFlags.MaxAllowed);
store.Add(x509);
store.Close();
}
catch (DirectoryNotFoundException)
{
Console.WriteLine("Error: The directory specified could not be found.");
}
catch (IOException)
{
Console.WriteLine("Error: A file in the directory could not be accessed.");
}
catch (NullReferenceException)
{
Console.WriteLine("File must be a .cer file. Program does not have access to that type of file.");
}
}
}
为私钥使用本地计算机存储:
X509Certificate2 cert = new X509Certificate2("yourhost.pfx", "password", X509KeyStorageFlags.MachineKeySet);
MachineKeySet被描述为私钥存储在本地计算机存储区而不是当前用户存储区。没有标志的默认值是放置在用户存储中。
即使您正在从磁盘读取证书并将其存储在对象中,私钥仍然存储在Microsoft Cryptographic API Cryptographic Service Provider密钥数据库中。在主机服务器上,ASP.NET进程没有访问用户库的权限。
另一种方法:(如果您将应用程序控制台更改为web)
修改IIS配置或App Pool标识——这是有效的。但是,这假设有访问这些配置项的权限,而实际情况可能并非如此(例如,在共享主机环境中)。
您可以阅读更多关于MSDN.System.Security.Cryptography.X509Certificates
设置MachineKeySet标志将解决加载证书的问题,但您最终会得到"拒绝访问";在尝试使用它进行签名或解密时出现错误,因此您将切换到BoucyCastle。