PrivateKey trust permissions for local machine "Trusted roots" certificates


Question

I have a certificate that has to be imported into Certificates/Trusted Root Certification Authorities and has a corresponding private key.

To actually access the key from code you need to set private key permissions to grant full access to a particular IIS application pool. I totally understand that, but the problem is that this can only be set on personal certificates and not on trusted root ones.

I've tried adding the same certificate to the Personal store, and the following code doesn't break:

using System.Security.Cryptography.X509Certificates;

// Open the LocalMachine\Root store read-only and probe every certificate that carries a private key.
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);

foreach (X509Certificate2 cert in store.Certificates)
{
    if (cert.HasPrivateKey)
    {
        // access private key here
    }
}

store.Close();

Setting permissions on the certificate in the Personal store works if I change StoreName.Root to StoreName.My. I'm able to access it there. But I'm not able to access it in Root. It just says:


    Keyset does not exist

Any suggestions?

If I set my application pool's identity to Local System (which has total permissions over my machine) I can successfully access the private key. So the main question is how do I set permissions for my application pool identity to have access to the private keys of certificates in the Trusted Root store.


Why trusted root store and not personal?

I have a pre-built assembly that accesses this certificate in this particular store, so simply placing the certificate in the Personal store won't do the trick for me. That's why setting trust permissions on private keys of trusted root certificates is imperative.


Answer

I haven't tried this with the Trusted Root Certification Authorities, but what I have found is that the simplest thing to do with other certificate stores is to drag and drop the certificate into the Personal store, set the permissions there, and then drag and drop it back to the original certificate store. In your case that is the Trusted Root Certification Authorities.

Steps using the Certificates MMC:


  1. Import the certificate into the store you want it in and mark the keys as exportable. (You might be able to bypass this and import directly into the Personal store, but I haven't tried.)
  2. Drag and drop the imported certificate to the Personal store.
  3. Right-click the certificate in the Personal store and in the context menu click "All Tasks", then in the submenu click "Manage Private Keys". Set the appropriate permissions for your app pool as referenced in step 1.
  4. After the permissions have been set, drag and drop the certificate back to the original store (in your case the Trusted Root Certification Authorities).
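The same grant done from an elevated PowerShell prompt, as an added example that is not part of the original answer or the question: it finds the certificate directly in Cert:\LocalMachine\Root, resolves the key container file that backs its private key (CAPI and CNG keys live in different folders under %ProgramData%\Microsoft\Crypto), and adds a Read ACE for the application pool's virtual identity, which is the file ACL that the MMC "Manage Private Keys" dialog writes. The thumbprint, the app pool name and the `Cert:\LocalMachine\Root` store path are placeholders (assumptions); save the script as a .ps1 and run it as Administrator on the IIS host.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Grants an IIS app pool identity
# Read access to the private key of a certificate that lives in LocalMachine\Root,
# without moving the certificate through the Personal store first.
param(
    [string]$Thumbprint  = 'PUT-YOUR-THUMBPRINT-HERE',   # assumption: thumbprint of your certificate
    [string]$AppPoolName = 'MyAppPool',                  # assumption: name of your IIS application pool
    [string]$StorePath   = 'Cert:\LocalMachine\Root'     # the store the pre-built assembly reads from
)

# 1. Locate the certificate in the Trusted Root store and confirm it carries a private key.
$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in $StorePath" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in $StorePath" }

# 2. Resolve the on-disk key container. Do not rely on $cert.PrivateKey, which is null for
#    CNG keys on Windows PowerShell; GetRSAPrivateKey returns the concrete provider type.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Private key of $Thumbprint is not an RSA key; this script handles RSA only" }

$cryptoRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
switch ($rsa.GetType().Name) {
    'RSACryptoServiceProvider' {
        # Legacy CAPI/CSP key: container file under RSA\MachineKeys.
        $keyFile = Join-Path $cryptoRoot "RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    'RSACng' {
        # CNG key: machine keys are stored under Keys (SystemKeys for keys created by system services).
        $candidates = @("Keys\$($rsa.Key.UniqueName)", "SystemKeys\$($rsa.Key.UniqueName)") |
            ForEach-Object { Join-Path $cryptoRoot $_ }
        $keyFile = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    }
    default { throw "Unsupported private key type: $($rsa.GetType().FullName)" }
}
if (-not $keyFile -or -not (Test-Path $keyFile)) { throw "Key container file for $Thumbprint not found on disk" }

# 3. Grant the app pool's virtual identity Read on the container. Read is enough to sign and
#    decrypt with the key; FullControl would also let the pool export or delete it.
$identity = "IIS AppPool\$AppPoolName"
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Verify: show the ACEs on the key container that now apply to the pool identity.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

"Keyset does not exist" (NTE_BAD_KEYSET) is what CAPI reports both when the container really is missing and when the calling identity cannot open it, which is why the same code works under Local System and fails under the pool identity; the grant above addresses the second case. After running it, recycle the application pool so the worker process picks up the new token, and keep the grant at Read rather than the "full access" mentioned in the question.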
