如何在.NET code X509证书操作 [英] How to operate with X509 certificates in .NET code

问题描述

我有一些code需要与X509证书信息工作。我已经下载了一个样本，做这样的：

I have some code that needs to work with X509 Certificate information. I have downloaded a sample that does this:

const string CertWithoutPrivateKey = "MII....";
const string CertWithPrivateKey = "MII...";

public static SecurityToken GetSigningToken(bool includePrivateKey)
{
    X509Certificate2 cert = null;
    if (includePrivateKey)
    {
        cert = new X509Certificate2(
            Convert.FromBase64String(CertWithPrivateKey), 
            "pw", X509KeyStorageFlags.PersistKeySet);
    }
    else
    {
        cert = new X509Certificate2(
            Convert.FromBase64String(CertWithoutPrivateKey));
    }
    return cert;
}

在code需要能够使用私钥来获得证书。该Saml2AuthenticationModule（从WIF扩展了SAML 2.0协议）依赖于这个私钥来解密从SAML身份提供程序发送的信息。

The code needs to be able to get the cert with the private key. The Saml2AuthenticationModule (from the WIF Extension for the SAML 2.0 Protocol) relies on this private key to decrypt information sent from a SAML Identity Provider.

我不知道很多有关证书或加密，但在我看来，硬编码证书到一类是不安全的。

I don't know much about certificates or encryption, but it seems to me that hard-coding the certificate into a class is not secure.

那么，应该如何我的code去用私钥检索证书？据我所知，这code仅运行在应用程序启动一次（所以也可能应用程序后，池回收）。

So, how should my code go about retrieving the cert with private key? Afaik, this code is only run one time at app startup (so probably also after an app pool recycle).

我可以：

1. 存放证书作为配置文件的appSetting。只要是的appSettings配置加密，这是安全的？


2. 存储在数据库中的证书。


3. 存放证书作为斌/的App_Data文件。据我所知，这意味着它不能在网上阅读，但会在普通视图的人谁可以访问主机服务器。伊莫如果有人可以进入我的服务器，让他们读这个证书可能是最我的后顾之忧。

是否还有其他选择吗？什么是最合适在这种情况下？

Are there any other options? What is most appropriate in this case?

推荐答案

我不知道WIF是怎么做的（你也许可以使用反射来看看它是如何与证书存储交互的内部），但它听起来像你在IIS托管应用程序中使用WIF。如果是这样的话， WIF应采取一切为你证书的相互作用照顾。你只需要确保你有以下的东西设置：

I'm not sure how WIF does it (you could probably use Reflector to see the internals of how it interacts with the certificate store), but it sounds like you are using WIF in an application hosted in IIS. If that's the case, WIF should take care of all the certificate interactions for you. You'll just have to make sure you have the following things set up:

1. 身份模型配置部分成立了以指纹引用证书使用的是要么加密或验证令牌的数字签名。


2. 证书需要在IIS 登记


3. 应用程序池的托管身份需要有权限为读取证书提取私钥信息（见接受的答案<一个href=\"http://stackoverflow.com/questions/2609859/how-to-give-asp-net-access-to-a-private-key-in-a-certificate-in-the-certificate\">here)

1. The identity model configuration section set up with references to the thumbprint of the certificate you are using to either encrypt or verify the digital signature of the token.
2. The certificate needs to be registered in IIS
3. The application pool's hosting identity needs to have permission to "read" the certificate to extract the private key information (see the accepted answer here)

这篇关于如何在.NET code X509证书操作的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！