Modifying security on installed certificates


Problem description

We are working on creating an installation package for a WCF-based web service. The service uses message-level encryption via an installed certificate. I am trying to come up with an automated way to both install the certificate and set its permissions.

Currently, we are manually installing the certificate via the MMC snap-in. After it is installed, we need to find the file containing the installed certificate and modify the permissions so that the Network Service account can access it. The only way I know to find the file is to open the "...\Microsoft\Crypto\RSA\MachineKeys" folder (exact path differs based on platform) and identify the file with the most recent modified date.

I'm thinking we'll use WIX to create the installation package. WIX has a specific feature for installing a certificate, but I assume permissions will still be an issue. Is there some utility or API or other means to get the physical path for an installed certificate identified by the subject name (or similar).

Of course, maybe there's a more direct solution to this problem.

Thanks for any help with this issue.

Solution

Source: Least Privilege

There is no clean way to do that in managed code. The general procedure is:

  1. Select a certificate
  2. Create an RSACryptoServiceProvider object from the certificate's PrivateKey property
  3. Retrieve the UniqueKeyContainerName property.
  4. Search for this file name in the various locations where keys are stored. That's under ApplicationData for user keys and CommonApplicationData for machine keys

If you want to do this in a custom action, I recommend you do this in C++. (Managed Custom Actions are most of the time not a good idea.)

If you only want to set ACLs, there are two tools that can do that for you:

  • WinHttpCertCfg.exe
  • The certificates tool included in WSE3

See the link for the details, hope this helps!
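The four steps above, carried through as an added PowerShell example; this is not code from the original question or answer. It assumes Windows PowerShell 5.1 run from an elevated prompt, a certificate in LocalMachine\My selected by its exact subject string, and the default key directories under %ProgramData% and %APPDATA%. It goes one step beyond the answer: besides legacy CSP keys (RSACryptoServiceProvider, whose file name is CspKeyContainerInfo.UniqueKeyContainerName), it also handles CNG keys (RSACng, whose file name is Key.UniqueName and which live under Microsoft\Crypto\Keys rather than Microsoft\Crypto\RSA). The parameter names, the $Account default and the directory list are this example's assumptions.

```powershell
# Added example (not from the original post): find the private-key file behind a
# machine-store certificate chosen by subject, then grant one account read access.
# Assumes: elevated Windows PowerShell 5.1; default key directories; exact subject match.
param(
    [Parameter(Mandatory = $true)][string]$Subject,                 # e.g. 'CN=wcf.example.local' (assumed)
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'              # service identity to grant (assumed default)
)
$ErrorActionPreference = 'Stop'

# Step 1: select the certificate. Only entries with a private key are useful here.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for subject '$Subject' in LocalMachine\My" }

# Steps 2-3: obtain the RSA private key object and read its unique container name.
# GetRSAPrivateKey returns RSACryptoServiceProvider for CSP keys and RSACng for CNG keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $candidates = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),   # machine keys (CommonApplicationData)
        (Join-Path $env:APPDATA     'Microsoft\Crypto\RSA')                # user keys, one subfolder per SID (ApplicationData)
    )
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    # CNG keys are not covered by the original answer; paths are the KSP defaults.
    $uniqueName = $rsa.Key.UniqueName
    $candidates = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys'),
        (Join-Path $env:APPDATA     'Microsoft\Crypto\Keys')
    )
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Step 4: search the candidate directories for a file with that exact name.
$keyFile = foreach ($dir in $candidates) {
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Recurse -File -Force -Filter $uniqueName -ErrorAction SilentlyContinue
    }
}
$keyFile = @($keyFile) | Select-Object -First 1
if (-not $keyFile) { throw "Key container '$uniqueName' not found under: $($candidates -join ', ')" }
Write-Host "Key file for '$Subject': $($keyFile.FullName)"

# Grant Read only (enough to use the key for signing/decryption); never Full Control, never Everyone.
$acl  = Get-Acl -Path $keyFile.FullName
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Verify the resulting ACE so a failed Set-Acl does not go unnoticed in an install log.
$granted = (Get-Acl -Path $keyFile.FullName).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
if (-not $granted) { throw "ACL update did not take effect for $Account" }
Write-Host "Granted Read on $($keyFile.FullName) to $Account"
```

For the CSP case this is what WinHttpCertCfg.exe does in one command, `winhttpcertcfg -g -c LOCAL_MACHINE\My -s "<subject>" -a "<account>"` (`-g` grants, `-c` names the store, `-s` the subject, `-a` the account); the script is useful where that tool is unavailable or where the key is CNG-backed. If the same logic is moved into a WiX custom action, run it deferred with elevated privileges after the certificate has been installed, and keep the grant scoped to the service account and to Read, since the key file is the only thing standing between an attacker on the box and the service's message-level encryption.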
