Azure KeyVault如何加载X509证书? [英] Azure KeyVault how to load X509Certificate?
问题描述
我将证书上传到Azure KeyVault,并使用在Active Directory中注册的应用程序获得了对它的全部"访问权限.一切正常.现在,我需要将获得的密钥加载到X509Certificate中,以便能够将其用作调用3rdparty旧式SOAP Web服务的客户端证书.据我所知,我只能使用X509证书来调用该Web服务.
I uploaded a Certificate to Azure KeyVault and obtained "all" access to it using an application registered into the Active Directory. That all works fine. Now I need to load the obtained key into an X509Certificate to be able to use it as a client certificate for calling a 3rdparty legacy SOAP webservice. As far as I know I can only use a X509Certificate to call that webservice.
我以密钥或机密形式上传文件都没关系吗?我都尝试过.
It does not matter if I upload it as a Key or Secret? I have tried both.
var clientId = "...."
var clientSecret = "...."
..
var token = authenticationContext.GetAccessToken(resource, adCredential);
var keyClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(token));
KeyBundle key = keyClient.GetKeyAsync("https://mycertifcates.vault.azure.net/keys/MyCertificate/123456789");
到目前为止,我得到了一个KeyBundle,看来我可以将其转换为Base64String了,但是无论如何,我最终都会遇到异常:(
So far so good, I got a KeyBundle as a result and it seems like I can convert it to a Base64String, but whatever I try I end up with exceptions :(
我尝试过的第一次尝试:
1st attempt I tried:
var publicKey = Convert.ToBase64String(key.Key.N);
var cert = X509Certificate.FromBase64String(publicKey);
System.Security.Cryptography.CryptographicException {找不到所请求的对象.\ r \ n"}
System.Security.Cryptography.CryptographicException {"Cannot find the requested object.\r\n"}
啊
第二次尝试,将其加载到RSACryptoServiceProvider中,但是该怎么办?结果导致了同样的异常,如果我愿意,我什至无法获得私钥
2nd attempt, loading it into an RSACryptoServiceProvider, but what to do with that? Results into the same exception and I'm not even able to get the private key if I want to
var rsaCryptoProvider = new RSACryptoServiceProvider();
var rsaParameters = new RSAParameters()
{
Modulus = key.Key.N,
Exponent = key.Key.E
};
rsaCryptoProvider.ImportParameters(rsaParameters);
var cspBlob = rsaCryptoProvider.ExportCspBlob(false);
// what to do with the cspBlob ?
var publicKey = Convert.ToBase64String(cspBlob);
也没有私钥,公钥是不同的.当然,这也不起作用.
No private key as well, the public key is different. Ofcourse this does not work either.
第三次尝试
3rd attempt
我使用管理门户将其作为秘密证书ContentType上传.
I uploaded it as a Secret Certificate ContentType using the management portal.
var secret = helper.GetSecret("https://myCertificate.vault.azure.net/secrets/MyCertificate/1234567890");
var value = secret.Value;
// Now I got the secret.. works flawless
// But it crash with the same exception at .Import
var exportedCertCollection = new X509Certificate2Collection();
exportedCertCollection.Import(Convert.FromBase64String(value));
var cert2 = exportedCertCollection.Cast<X509Certificate2>().Single(s => s.HasPrivateKey);
System.Security.Cryptography.CryptographicException {找不到 请求的对象.\ r \ n}
System.Security.Cryptography.CryptographicException {"Cannot find the requested object.\r\n"}
欢迎任何建议.
我需要包含私钥的pfx,查看跟踪日志
I need the pfx including private key, looking at the tracelog
ystem.Net信息:0:[37880] SecureChannel#23107755-左侧有1个客户端证书可供选择. System.Net信息:0:[37880] SecureChannel#23107755-试图在证书存储中找到匹配的证书. System.Net信息:0:[37880] SecureChannel#23107755-查找证书的私钥:[主题]
ystem.Net Information: 0 : [37880] SecureChannel#23107755 - Left with 1 client certificates to choose from. System.Net Information: 0 : [37880] SecureChannel#23107755 - Trying to find a matching certificate in the certificate store. System.Net Information: 0 : [37880] SecureChannel#23107755 - Locating the private key for the certificate: [Subject]
推荐答案
回答我自己的问题(我想我问得太快了)
To answer my own question (I asked it too quickly I guess)
事实证明,这个问题实际上是重复的,但起初我并不理解.事实是,Azure管理门户受到限制.目前,只能使用Powershell(或与此相关的其他代码)来完成证书的上传.
It turns out that this question was in fact a duplicate, but I did not understand it at first. The fact is that the Azure Management Portal is limited. For now uploading a certificate can only be done by using a powershell (or other code for that matter).
https://stackoverflow.com/a/34186811/578552
第3次尝试代码对于X509Certificate2可以正常工作
The 3rd attempt code works fine for the X509Certificate2
var secret = helper.GetSecret("https://myCertificate.vault.azure.net/secrets/MyCertificate/1234567890");
var exportedCertCollection = new X509Certificate2Collection();
exportedCertCollection.Import(Convert.FromBase64String(secret.Value));
var cert2 = exportedCertCollection.Cast<X509Certificate2>().Single(s => s.HasPrivateKey);
这篇关于Azure KeyVault如何加载X509证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!