无法在Azure中访问我的X509Certificate2的私钥 [英] Unable to access my X509Certificate2's PrivateKey In Azure

问题描述

我将X509证书存储在数据库中(在byte[]中)，以便我的应用程序可以检索证书并使用它对我的JWT进行签名.

I have my X509Certificate stored in a database (in byte[]) so that my application can retrieve the certificate and use it to sign my JWTs.

我的x509Certificate是通过我在计算机上生成的.pfx文件传递的，但是现在它以字节字符串的形式位于数据库中.

My x509Certificate is passed off a .pfx file that I generated on my machine, however now it sits in a database as a string of bytes.

我的应用程序在运行时在本地运行良好.该应用程序可以正确创建该X509Certificate2的实例并将其用于我的要求，但是当我尝试在自己的azurewebsites Web应用程序中使用它时，就会出现问题.

My application works perfectly fine locally when I run it. The application can correctly create an instance of that X509Certificate2 and use it for my requirements, however the problem arises when I try to use it in my azurewebsites web application.

基本上我无法访问证书的PrivateKey实例变量，但出现异常

Basically I can not access the certificates' PrivateKey instance variable, I get an exception

System.Security.Cryptography.CryptographicException: Keyset does not exist

我正在用这个实例重新证明

And I am re-instantiating the certificate with this

var cert = new X509Certificate2(myCertInBytes, myCertPass,
            X509KeyStorageFlags.PersistKeySet |
            X509KeyStorageFlags.MachineKeySet |
            X509KeyStorageFlags.Exportable);

我正在使用ASPNET 5 rc1-update1.我也尝试过在另一台计算机上运行它，并且运行良好，只有在发布到Azure时才出现此问题.并且要添加其他内容，当我运行与使用DNX版本beta7运行的项目相同的项目时，此应用程序正在运行.

I am using ASPNET 5 rc1-update1. I have also tried running this on a different machine and it works fine, only have this issue when I publish to Azure. And to also add something else, This application was working when I was running the same project that was running using DNX version beta7

任何帮助表示赞赏.

推荐答案

问题是Azure Web Apps限制了对计算机私钥存储的访问，因为它是共享的托管环境，并且您不完全拥有计算机.解决方法是，您可以加载证书.这篇博客文章介绍了如何做到这一点的最佳实践: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

The problem is the Azure Web Apps restricts access to the machines private key store, since it's a shared hosting environment, and you don't fully own the machine. As a workaround, you can load a cert. This blog post describes the best practice on how to do so: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

请注意，这仅适用于基本层及更高级别(不适用于免费或共享层).

Please note that this only works for Basic Tier and above (not Free or Shared tier).

也可以按照以下方式从.cer文件中完成此操作，但是应注意，这不是最佳实践，因为您以不安全的格式将安全凭据存储在代码中.

This can also be done from a .cer file as follows, however it should be noted that this is not best-practices since you're storing a secure credential with your code, in an insecure format.

public X509Certificate2 CertificateFromStrings(String certificateString64, String privateKeyXml)
{
    try
    {
        var rsaCryptoServiceProvider = new RSACryptoServiceProvider();
        rsaCryptoServiceProvider.FromXmlString(privateKeyXml);

        var certificateBytes = Convert.FromBase64String(certificateString64);
        var x509Certificate2 = new X509Certificate2(certificateBytes);
        x509Certificate2.PrivateKey = rsaCryptoServiceProvider;

        return x509Certificate2;
    }
    catch
    {
        return null;
    }
}

这篇关于无法在Azure中访问我的X509Certificate2的私钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！