Certificates: "Cannot find the certificate and private key for decryption" error when signing


Problem description



I work in a company with many servers and PCs for developers. Servers are Win2003, developer PCs are Windows XP.

On a Win2003 server named preiis01, in the preproduction environment, other people in the company install a client certificate using another user (domainCompany\adminsystems) to log in to server preiis01.

Any admin uses the user "domainCompany\adminsystems" to log in to server preiis01 (using Terminal Server, Remote Desktop for Windows XP).

The admin user is "domainCompany\adminsystems", which installs the certificate.

The admin user installs it like this:

Session login as "domainCompany\adminsystems". The certificate is a PFX file. Install the PFX using the wizard. The private key is not checked for export. Enter the password and install.

There is a web application whose AppPool identity is the NETWORK SERVICE account.

The web server is IIS 6.0.

On preiis01:

That admin user runs mmc -> Snap-in -> Certificates for Local Machine. In node -> Personal -> Certificates, he sees the client certificate:

Issued To ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

Issued By FNMT Clase 2 CA

In properties of certificate, the thumbprint: "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13"

That admin user executes this command:

winhttpcertcfg.exe LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -g -a "NETWORK SERVICE"

Result is:

Matching certificate:

CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

OU=703015476

OU=FNMT Clase 2 CA

O=FNMT

C=ES

Granting private key access for account: NT AUTHORITY\NETWORK SERVICE

Now, admin user executes this command:

winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1"

The result is:

Matching certificate:

CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

OU=700012476

OU=FNMT Clase 2 CA

O=FNMT

C=ES

Additional accounts and groups with access to the private key include:

domainCompany\adminsystems
NT AUTHORITY\SYSTEM
BUILTIN\Administrators
NT AUTHORITY\NETWORK SERVICE

Now, in an aspx page of the web application on the Win2003 server, IIS 6.0, I have this code:

Note: the value of X509Certificate2.HasPrivateKeyAccess() is NO (false) for the "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" certificate.

ASP.NET application executes using the identity :: NT AUTHORITY\NETWORK SERVICE

    // Requires: using System; using System.Security.Cryptography.X509Certificates; using System.Security.Principal;

    lbInfo.Text += "<br/><br/>ASP.NET application executes using the identity :: <b>" + WindowsIdentity.GetCurrent().Name + "</b><br>";

    // List every certificate in LocalMachine\My; X509Store(StoreLocation) opens the "My" store.
    var store = new X509Store(StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
    Certificates = store.Certificates;   // page-level X509Certificate2Collection bound to the repeater
    repeater1.DataSource = Certificates;
    repeater1.DataBind();
    store.Close();

    var nombreCertificado = "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1";

    store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);

    // validOnly = false: also return certificates that fail chain validation.
    X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySubjectName, nombreCertificado, false);

    if (col.Count > 0)
    {
        X509Certificate2 certificate = col[0];
        store.Close();
        Message.Text = "Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;

        FirmarConCertificado(nombreCertificado, certificate);
    }
    else
    {
        store.Close();
        Message.Text = "El certificado " + nombreCertificado + " no esta instalado en la máquina";
    }

    public void FirmarConCertificado(string nombreCertificado, X509Certificate2 certificate)
    {
        try
        {
            var mensaje = "Datos de prueba";
            System.Text.Encoding enc = System.Text.Encoding.Default;
            byte[] data = enc.GetBytes(mensaje);

            var contentInfo = new System.Security.Cryptography.Pkcs.ContentInfo(data);
            // detached = true: the signature does not embed the signed content.
            var signedCms = new System.Security.Cryptography.Pkcs.SignedCms(contentInfo, true);

            var cmsSigner = new System.Security.Cryptography.Pkcs.CmsSigner(certificate);

            // Sign the CMS/PKCS #7 message (this call needs access to the private key)
            signedCms.ComputeSignature(cmsSigner);

            // Encode the CMS/PKCS #7 message
            var ret = Convert.ToBase64String(signedCms.Encode());

            Message.Text += "Firmado con Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;
        }
        catch (Exception ex)
        {
            Message.Text = "Error al firmar con certificado: " + ex.ToString();
            Message.Text += "<br /><br />InnerException: " + ex.InnerException;
        }
    }

The code fails for me, and I get this error: Cannot find the certificate and private key for decryption.

The error line is: signedCms.ComputeSignature(cmsSigner);

Error al firmar con certificado: System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption.

    at System.Security.Cryptography.Pkcs.PkcsUtils.CreateSignerEncodeInfo(CmsSigner signer, Boolean silent)
    at System.Security.Cryptography.Pkcs.SignedCms.Sign(CmsSigner signer, Boolean silent)
    at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer, Boolean silent)
    at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer)
    at ASP.dgsfp_test_testcert_aspx.FirmarConCertificado(String nombreCertificado, X509Certificate2 certificate) in c:\Company\App\Test\TestCert.aspx:line 242

Then, the admin user (I recall, the one who installed the certificate) executes these commands:

FindPrivateKey My LocalMachine -t "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13" –c

FindPrivateKey My LocalMachine -n "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" –a

FindPrivateKey My LocalMachine -n "CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" –a

The result for all 3 commands is the same:

FindPrivateKey helps user to find the location of the Private Key file of a X.509 Certificate.

Usage: FindPrivateKey <storeName> <storeLocation> [{ {-n <subjectName>} | {-t <thumbprint>} } [-f | -d | -a]]

    <subjectName>  subject name of the certificate
    <thumbprint>   thumbprint of the certificate (use certmgr.exe to get it)
    -f             output file name only
    -d             output directory only
    -a             output absolute file name

e.g. FindPrivateKey My CurrentUser -n "CN=John Doe"

e.g. FindPrivateKey My LocalMachine -t "03 33 98 63 d0 47 e7 48 71 33 62 64 76 5c 4c 9d 42 1d 6b 52" -c

FindPrivateKey doesn't return anything, but winhttpcertcfg.exe -l works fine (matching certificate).

We have given privileges to the Network Service user using the winhttpcertcfg.exe tool, and in the ASP.NET code (executing under the Network Service account) the certificate is found. But it fails when signing with the certificate.

If someone could give us some information about this, or suggestions...

Update:

The domain user "domainCompany\Pre_Certificado" installs the certificate in the Local Machine store.

domainCompany\Pre_Certificado is an Administrator, is in the IIS_WPG group, and has the local policy "Log on as Service".

I configure the AppPool identity in IIS 6.0 as: domainCompany\Pre_Certificado

ASP.NET application executes using the identity :: domainCompany\Pre_Certificado

I recycle the AppPool and execute the application, and I get System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption

If I test again, logging in a session on the IIS server using the domainCompany\Pre_Certificado user, I call the page in the ASP.NET application and all is OK.

(note: logging in to the IIS server using Terminal Server)

But if I log off the session on the IIS server (user: domainCompany\Pre_Certificado), I get the same error:

System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption

Any suggestions??

Solution

Please check this document, which should help you resolve the issue. I would recommend using the following command option:

winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER 
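An added diagnostic (my code, not from the question or the answer) that separates the three things the question's code conflates: the certificate being in the store, the certificate carrying a private-key reference (HasPrivateKey), and the running identity actually being able to open that key. Run it once under the interactive user and once under the app pool identity; it assumes the thumbprint quoted in the question and the .NET 2.0-era X509Certificate2.PrivateKey API, and the class name PrivateKeyAccessCheck is made up.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
// Added diagnostic; not code from the question or the answer.
public static class PrivateKeyAccessCheck
{
    // Thumbprint from the question, as certmgr shows it (spaces between bytes).
    public const string Thumbprint = "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13";
    // X509Store.Find(FindByThumbprint) wants upper-case hex with no separators.
    public static string NormalizeThumbprint(string thumbprint)
    {
        return thumbprint.Replace(" ", "").Replace(":", "").ToUpperInvariant();
    }
    // Reports, for the identity this runs as: is the cert in the store, does it reference a private key, can that key be opened.
    public static string Check(StoreLocation location, string thumbprint)
    {
        string who = WindowsIdentity.GetCurrent().Name;
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection col = store.Certificates.Find(
                X509FindType.FindByThumbprint, NormalizeThumbprint(thumbprint), false);
            if (col.Count == 0)
                return who + ": not found in " + location + "\\My";
            X509Certificate2 cert = col[0];
            if (!cert.HasPrivateKey)
                return who + ": found in " + location + "\\My but no private key is associated";
            try
            {
                // Opening the key container is where a missing ACL entry for the app pool identity fails.
                AsymmetricAlgorithm key = cert.PrivateKey;
                return who + ": private key usable (" + key.KeySize + "-bit " + key.GetType().Name + ")";
            }
            catch (CryptographicException ex)
            {
                return who + ": private key NOT usable: " + ex.Message;
            }
        }
        finally { store.Close(); }
    }
    public static void Main()
    {
        // Compare both stores: the key may live in the installing user's profile rather than the machine store.
        Console.WriteLine(Check(StoreLocation.LocalMachine, Thumbprint));
        Console.WriteLine(Check(StoreLocation.CurrentUser, Thumbprint));
    }
}
```

If the LocalMachine key is usable by the interactive user but not by the app pool identity, the ACL grant in the answer above is the fix; if the key only resolves under CurrentUser, the PFX was imported into the installing user's profile rather than the machine store.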
