Azure Web应用程序新的X509Certificate2()导致System.Security.Cryptography.CryptographicException:访问被拒绝 [英] Azure Web Application new X509Certificate2() causing System.Security.Cryptography.CryptographicException: Access denied

问题描述

现在我正在上传.pfx文件，输入密码并调用

Right now I am uploading a .pfx file, taking in a password and calling

var cert = new X509Certificate2(fileData, password);

并存储诸如指纹之类的东西.我不需要将其实际存储在服务器上，只需验证它是有效的证书并存储一些信息即可.在本地，这很有效(显然，我可以更好地访问我的密钥存储区)，但是当我将其放到天蓝色时，会出现错误:

And storing things like the thumbprint, etc. I do not need to actually store this on the server, just validate that it is a valid cert and store some information. On local this works (obviously I have better access to my key store) but when I put it up in azure I get the error:

System.Security.Cryptography.CryptographicException:访问被拒绝.

System.Security.Cryptography.CryptographicException: Access denied.

是否有任何方法可以使此信息避开此方法或使用此方法而不会导致访问被拒绝?我对证书不是很好，因此，如果您需要更多信息，请告诉我.谢谢.

Is there any way to get this information sidestepping this or to use this method without getting an access denied? I am not very good with certs, so let me know if you need more information. Thank you.

推荐答案

在Windows上打开PFX时，任何私钥都会写入磁盘.它们将在以后被删除(除非您指定PersistKeySet)，但是它们仍然必须被写入(ish).

When opening a PFX on Windows any private keys get written to disk. They will get deleted later (unless you specify PersistKeySet), but they do still have to be written (ish).

他们写在哪里?

• 如果指定 X509KeyStorageFlags.MachineKeySet :在计算机密钥库中，您需要成为管理员.
• 如果您指定 X509KeyStorageFlags.UserKeySet :在用户密钥库中，您的用户配置文件可能需要存在/加载.
• 如果您未指定任何一个:
  • 如果PFX 本身已将密钥编码为机器密钥集中的密钥，则机器密钥库(需要管理员).
  • 否则，用户密钥库(可能需要配置文件).
  • If you specify X509KeyStorageFlags.MachineKeySet: In the machine keystore, you need to be an administrator.
  • If you specify X509KeyStorageFlags.UserKeySet: In the user keystore, your user profile probably needs to exist/load.
  • If you don't specify either:
    • If the PFX itself has encoded that the key belongs in the machine key set, then the machine keystore (admin required).
    • Otherwise the user keystore (profile probably required).

    给出拒绝访问"信息，我猜您是在PFX本身指定了机器密钥库的情况下解决的，您可以将呼叫更改为

    Given "Access Denied" I'd guess that you hit the case where the PFX itself specified the machine keystore, to resolve this you'd change your call to

    新的X509Certificate2(文件数据，密码，X509KeyStorageFlags.UserKeySet)

    ，一切都会正常.如果指定UserKeySet仍然出现错误，则可能是配置文件加载问题.

    and everything should work. If you specify UserKeySet and still get an error, that might a profile-loading problem.

    有一个 选项，可以在不将私钥写入磁盘的情况下加载PFX，但它在.NET Framework中不可用(尽管最近已将其添加到.NET Core中).如果您确实需要它，可以查看p/invoking PFXImportCertStore 与 PKCS12_NO_PERSIST_KEY 标志，然后将结果HCERTSTORE值传递给

    There is an option to load a PFX without writing the private keys to disk, but it's not available in .NET Framework (though it was recently added to .NET Core). If you really need it you could look into p/invoking PFXImportCertStore with the PKCS12_NO_PERSIST_KEY flag, then pass the resultant HCERTSTORE value to X509Store.ctor(IntPtr) and read your certificate(s) via the X509Store.Certificates property. Note, though, that most of .NET Framework won't understand that these cert objects have associated private keys, so they'll likely only behave as public-only certificate objects.

    这篇关于Azure Web应用程序新的X509Certificate2()导致System.Security.Cryptography.CryptographicException:访问被拒绝的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！