.NET Framework x509Certificate2 Class, HasPrivateKey == true && PrivateKey == null?


Problem description

I'm attempting to work with an X509 certificate that was originally imported into the CurrentUser keystore on a Windows 10 computer using the "Certificates" snap-in of an MMC. The same procedure has been tested on a Windows 8.1 computer with the same result.

Using the standard PowerShell PKI module, I'm getting an X509Certificate2 object using Get-Item:

$my_cert = Get-Item Cert:\CurrentUser\My\ADAA82188A17THUMBPRINTXXXXXXXXXXX

The output of $my_cert | fl * is as follows:

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\XXXXXXXXXXXXXXXXXXX
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName              : XXXXXXXXXXXXXXXXXXX
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {Secure Email (1.3.6.1.5.5.7.3.4), IP security user (1.3.6.1.5.5.7.3.7), Encrypting File
                           System (1.3.6.1.4.1.311.10.3.4), Document Signing (1.3.6.1.4.1.311.10.3.12)...}
DnsNameList              : {My Name}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 : {D52C406F-C279-4BF2-B7C2-EE704290DB3E}
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 4/15/2017 2:15:16 PM
NotBefore                : 4/15/2016 2:15:16 PM
HasPrivateKey            : True
PrivateKey               :
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {56, 130, 19, 252...}
SerialNumber             : 4F0000002F700000000000000000000000
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : XXXXXXXXXXXXXXXXXXX
Version                  : 3
Handle                   : 2241663016272
Issuer                   : CN=Issuing CA, DC=My, DC=Domain, DC=us
Subject                  : E=my.name@my.domain.us, CN=My Name

So HasPrivateKey == True, but PrivateKey == null. I've been trying to figure out how to gain access to the private key to perform encryption and decryption. The examples I've seen online all seem to indicate the PrivateKey property of the X509Certificate2 class should be readily available, but apparently I've missed something.

I've read similar questions here, such as Empty PrivateKey in x509certificate2, but none seem to resolve my issue. I've also read Eight tips for working with X.509 certificates in .NET by Paul Stovell, which was very enlightening, but ultimately didn't help. It did help me verify that the Private Key exists in the correct place and, as far as I can tell, with the correct permissions to be referenced by the x509Certificate2 class:

C:\Users\My.Name\AppData\Roaming\Microsoft\SystemCertificates\My\Keys

The name of the key file matches to the Subject Key Identifier on the certificate.

The output of certutil -user -store my "Serial Number" is:

Serial Number: 4f000000xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=Issuing CA, DC=My, DC=Domain, DC=us
 NotBefore: 4/15/2016 2:15 PM
 NotAfter: 4/15/2017 2:15 PM
Subject: E=my.name@my.domain.us, CN=My Name
Non-root Certificate
Template: Userv1, User v1
Cert Hash(sha1): ad ab 82 18 8a 17 4d 75 11 04 48 7c 43 43 d4 05 b9 74 c8 4c
  Key Container = te-Userv1-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  Unique container name: fcbba1aa0xxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -store command completed successfully.

What "key" piece of information am I missing here? Why isn't the private key conveniently referenced from the X509Certificate2 object? How do I gain access to it?

Recommended answer

This may indicate one of the following:

1) the private key is stored in a Key Storage Provider (rather than a legacy Cryptographic Service Provider), which is poorly supported by .NET and not supported by the PrivateKey property of the X509Certificate2 class at all. You can check this by running the following command:

certutil -user -store my "<CertSerialNumber>"

2) the private key is missing.

The HasPrivateKey property doesn't necessarily reflect the actual picture and may be True for non-existent keys or False for existing keys. Run the certutil command above to make sure the key is present.

In the case that the private key is present but the bindings are broken, you can try to restore the bindings by running the following command:

certutil -user -repairstore my "<CertSerialNumber>"
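The following PowerShell script is an added diagnostic example; it is not code from the original question or the answer. It walks a certificate store and, for each certificate, compares what the legacy PrivateKey property sees with what the CNG-aware RSACertificateExtensions.GetRSAPrivateKey() method returns (that method exists since .NET Framework 4.6 and resolves keys held by a Key Storage Provider, which is exactly the case the answer describes). It assumes Windows PowerShell 5.x on .NET Framework 4.6 or later and defaults to Cert:\CurrentUser\My; the store path parameter and the function name are the example's own. It only reports and prints the certutil -store command for suspect entries; it never runs -repairstore.

```powershell
# Added diagnostic example; it is not code from the original question or answer.
# Compares the legacy PrivateKey property with the CNG-aware
# RSACertificateExtensions.GetRSAPrivateKey() (.NET Framework 4.6+) per certificate.
# Assumption: Windows PowerShell 5.x on .NET Framework 4.6 or later.

function Get-PrivateKeyDiagnostics {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'   # store to inspect (assumed default)
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {

        # Legacy CAPI view: populated only when the key sits in a CSP container.
        # For a KSP-held key this is null or throws, which is the symptom in the question.
        $legacyKey = $null
        try { $legacyKey = $cert.PrivateKey } catch { $legacyKey = $null }

        # CNG-aware view: resolves keys held by a Key Storage Provider as well as CSP keys.
        $rsaKey = $null
        try {
            $rsaKey = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } catch { $rsaKey = $null }

        # Record which provider actually holds the key, then release the key handle.
        $provider = $null
        $keyType  = $null
        if ($rsaKey) {
            $keyType = $rsaKey.GetType().Name
            if ($rsaKey -is [System.Security.Cryptography.RSACng]) {
                $provider = $rsaKey.Key.Provider.Provider          # e.g. Microsoft Software Key Storage Provider
            } elseif ($rsaKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $provider = $rsaKey.CspKeyContainerInfo.ProviderName
            }
            $rsaKey.Dispose()
        }

        # Classify the certificate against the cases given in the answer.
        $verdict = if ($cert.HasPrivateKey -and -not $keyType) {
            "HasPrivateKey is True but no RSA key resolves (non-RSA key, missing key, or broken binding); " +
            "inspect with: certutil -user -store my `"$($cert.SerialNumber)`""
        } elseif ($keyType -and -not $legacyKey) {
            "Key is held by a CNG KSP; use GetRSAPrivateKey(), the PrivateKey property stays null"
        } elseif ($legacyKey) {
            "Key is held by a legacy CSP; the PrivateKey property works"
        } else {
            "No private key associated with this certificate"
        }

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            HasPrivateKey    = $cert.HasPrivateKey
            LegacyPrivateKey = [bool]$legacyKey
            CngPrivateKey    = [bool]$keyType
            KeyType          = $keyType
            KeyProvider      = $provider
            Verdict          = $verdict
        }
    }
}

# Usage: report every certificate in the current user's personal store.
Get-PrivateKeyDiagnostics | Format-List
```

For the certificate in the question (KSP-held key, HasPrivateKey True, PrivateKey empty) the expected row is LegacyPrivateKey False, CngPrivateKey True, KeyType RSACng and KeyProvider showing the Key Storage Provider name that certutil printed. An entry whose HasPrivateKey is True but whose CngPrivateKey is False is the "missing key or broken binding" case, for which the answer's certutil -repairstore step applies. GetRSAPrivateKey() returns null for ECDSA certificates, so an ECDSA-only store would need the corresponding ECDsaCertificateExtensions.GetECDsaPrivateKey() call instead.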
