Azure KeyVault如何加载X509证书? [英] Azure KeyVault how to load X509Certificate?

问题描述

我将证书上传到Azure KeyVault，并使用在Active Directory中注册的应用程序获得了对它的全部"访问权限.一切正常.现在，我需要将获得的密钥加载到X509Certificate中，以便能够将其用作调用3rdparty旧式SOAP Web服务的客户端证书.据我所知，我只能使用X509证书来调用该Web服务.

I uploaded a Certificate to Azure KeyVault and obtained "all" access to it using an application registered into the Active Directory. That all works fine. Now I need to load the obtained key into an X509Certificate to be able to use it as a client certificate for calling a 3rdparty legacy SOAP webservice. As far as I know I can only use a X509Certificate to call that webservice.

我以密钥或机密形式上传文件都没关系吗?我都尝试过.

It does not matter if I upload it as a Key or Secret? I have tried both.

var clientId = "...."
var clientSecret = "...."

..
var token = authenticationContext.GetAccessToken(resource, adCredential);
var keyClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(token));
KeyBundle key = keyClient.GetKeyAsync("https://mycertifcates.vault.azure.net/keys/MyCertificate/123456789");

到目前为止，我得到了一个KeyBundle，看来我可以将其转换为Base64String了，但是无论如何，我最终都会遇到异常:(

So far so good, I got a KeyBundle as a result and it seems like I can convert it to a Base64String, but whatever I try I end up with exceptions :(

我尝试过的第一次尝试:

1st attempt I tried:

            var publicKey = Convert.ToBase64String(key.Key.N);
            var cert = X509Certificate.FromBase64String(publicKey);

System.Security.Cryptography.CryptographicException {找不到所请求的对象.\ r \ n"}

System.Security.Cryptography.CryptographicException {"Cannot find the requested object.\r\n"}

啊

第二次尝试，将其加载到RSACryptoServiceProvider中，但是该怎么办?结果导致了同样的异常，如果我愿意，我什至无法获得私钥

2nd attempt, loading it into an RSACryptoServiceProvider, but what to do with that? Results into the same exception and I'm not even able to get the private key if I want to

        var rsaCryptoProvider = new RSACryptoServiceProvider();
        var rsaParameters = new RSAParameters()
        {
            Modulus = key.Key.N,
            Exponent = key.Key.E
        };
        rsaCryptoProvider.ImportParameters(rsaParameters);
        var cspBlob = rsaCryptoProvider.ExportCspBlob(false);

        // what to do with the cspBlob ?
        var publicKey = Convert.ToBase64String(cspBlob);

也没有私钥，公钥是不同的.当然，这也不起作用.

No private key as well, the public key is different. Ofcourse this does not work either.

第三次尝试

3rd attempt

我使用管理门户将其作为秘密证书ContentType上传.

I uploaded it as a Secret Certificate ContentType using the management portal.

            var secret = helper.GetSecret("https://myCertificate.vault.azure.net/secrets/MyCertificate/1234567890");

            var value = secret.Value;

            // Now I got the secret.. works flawless
            // But it crash with the same exception at .Import
            var exportedCertCollection = new X509Certificate2Collection();
            exportedCertCollection.Import(Convert.FromBase64String(value));
            var cert2 = exportedCertCollection.Cast<X509Certificate2>().Single(s => s.HasPrivateKey);

System.Security.Cryptography.CryptographicException {找不到 请求的对象.\ r \ n}

System.Security.Cryptography.CryptographicException {"Cannot find the requested object.\r\n"}

欢迎任何建议.

我需要包含私钥的pfx，查看跟踪日志

I need the pfx including private key, looking at the tracelog

ystem.Net信息:0:[37880] SecureChannel#23107755-左侧有1个客户端证书可供选择. System.Net信息:0:[37880] SecureChannel#23107755-试图在证书存储中找到匹配的证书. System.Net信息:0:[37880] SecureChannel#23107755-查找证书的私钥:[主题]

ystem.Net Information: 0 : [37880] SecureChannel#23107755 - Left with 1 client certificates to choose from. System.Net Information: 0 : [37880] SecureChannel#23107755 - Trying to find a matching certificate in the certificate store. System.Net Information: 0 : [37880] SecureChannel#23107755 - Locating the private key for the certificate: [Subject]

推荐答案

回答我自己的问题(我想我问得太快了)

To answer my own question (I asked it too quickly I guess)

事实证明，这个问题实际上是重复的，但起初我并不理解.事实是，Azure管理门户受到限制.目前，只能使用Powershell(或与此相关的其他代码)来完成证书的上传.

It turns out that this question was in fact a duplicate, but I did not understand it at first. The fact is that the Azure Management Portal is limited. For now uploading a certificate can only be done by using a powershell (or other code for that matter).

https://stackoverflow.com/a/34186811/578552

第3次尝试代码对于X509Certificate2可以正常工作

The 3rd attempt code works fine for the X509Certificate2

        var secret = helper.GetSecret("https://myCertificate.vault.azure.net/secrets/MyCertificate/1234567890");

        var exportedCertCollection = new X509Certificate2Collection();
        exportedCertCollection.Import(Convert.FromBase64String(secret.Value));
        var cert2 = exportedCertCollection.Cast<X509Certificate2>().Single(s => s.HasPrivateKey);

这篇关于Azure KeyVault如何加载X509证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！