IIS托管api上的GetClientCert不正确 [英] GetClientCert is not picking up on IIS hosted api
问题描述
我尝试在WEB API上手动验证证书.问题一直存在,GetClientCertificate只返回null.
I tried to validate cert manually on WEB API. Issue is all time, GetClientCertificate just returns null.
var certRequest= actionContext.Request.GetClientCertificate();
certRequest == null ? "Certificate not found" : $"Certificate found";
IIS网站就像 https://testapi.web.com 附加在SSL上的证书文件显示为DNS = *.web.com. 证书存储区中还有另一个证书文件,但是未与HTTPS绑定一起映射. 该DNS = cl-testapi.web.com
IIS web site is like, https://testapi.web.com cert file that attached on SSL is appear as DNS=*.web.com . there is another cert file its on cert store and but, not mapped along with HTTPS binding. that DNS =cl-testapi.web.com
我尝试同时提供客户端调用中的证书文件,并且每次都将GetClientCertificate文件接收为空.
I tried to supply both the cert file from client call and each time, GetClientCertificate file received as null.
client side code:
var handler = new HttpClientHandler()
{
SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2
};
handler.ClientCertificates.Add(new X509Certificate2(@"c:\testcert.cer"));
var client = new HttpClient(handler);
var data = new StringContent([xmlcontent], Encoding.UTF8, "application/xml");
var result = client.PostAsync("https://testapi.web.com", data).GetAwaiter().GetResult();
var resultString = result.Content.ReadAsStringAsync().GetAwaiter().GetResult();
任何人都可以提出这是什么错误的信息.
Can any one suggest what is wrong on this.
验证接受".作为SSL设置.此外,两个证书文件均有效,并且在使用"GetClientCert"时,nighter可以在服务器api上进行选择.
verified, IIS has, "accept" as SSL setting. Also, both the cert files are valid and neighter is able to pick on server api while using 'GetClientCert'.
//////////// 尝试过使用证书文件在客户端证书存储上搜索并附加
/////////// Tried with cert file to search on client cert store and attach,
var handler = new HttpClientHandler()
{
SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls | SslProtocols.Ssl3 | SslProtocols.Ssl2
};
X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certCollection = store.Certificates.Find(X509FindType.FindByThumbprint, "thumbprintGUID COPIED FROM CLIENT CERT", false);
handler.ClientCertificates.Add(certCollection[0]);
var client = new HttpClient(handler);
//notes,这里的certCollection[0].HasPrivateKey是false.
//notes, certCollection[0].HasPrivateKey is false here.
更新:
现在请求使用PFX文件和密码.我可以看到,私钥的存在是正确的.
certCollection[0].HasPrivateKey在这里是true.但是,没有收到GetClientCert.
Update:
Now requesting using, PFX file and password. I can see, Private key exists is true.
certCollection[0].HasPrivateKey is true here. But, GetClientCert is not received.
推荐答案
您可以尝试更正c:\ ProgramData \ Microsoft \ Crypto \ RSA \ MachineKeys文件夹上的权限,以解决10013错误.
You can try to correct the permissions on the c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder to solve the 10013 error.
- 所有人访问权限:特殊适用于:仅此文件夹
- 网络服务访问:阅读和阅读执行应用于:此文件夹,子文件夹和文件
- 管理员访问权限:完全控制权限应用于:此文件夹,子文件夹和文件
- 系统访问:完全控制应用于:此文件夹,子文件夹和文件
- IUSR访问:完全控制应用于:此文件夹,子文件夹和文件
这篇关于IIS托管api上的GetClientCert不正确的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
