无法在Azure中访问我的X509Certificate2的私钥 [英] Unable to access my X509Certificate2's PrivateKey In Azure
问题描述
我将X509证书存储在数据库中(在byte[]
中),以便我的应用程序可以检索证书并使用它对我的JWT进行签名.
I have my X509Certificate stored in a database (in byte[]
) so that my application can retrieve the certificate and use it to sign my JWTs.
我的x509Certificate是通过我在计算机上生成的.pfx文件传递的,但是现在它以字节字符串的形式位于数据库中.
My x509Certificate is passed off a .pfx file that I generated on my machine, however now it sits in a database as a string of bytes.
我的应用程序在运行时在本地运行良好.该应用程序可以正确创建该X509Certificate2的实例并将其用于我的要求,但是当我尝试在自己的azurewebsites Web应用程序中使用它时,就会出现问题.
My application works perfectly fine locally when I run it. The application can correctly create an instance of that X509Certificate2 and use it for my requirements, however the problem arises when I try to use it in my azurewebsites web application.
基本上我无法访问证书的PrivateKey实例变量,但出现异常
Basically I can not access the certificates' PrivateKey instance variable, I get an exception
System.Security.Cryptography.CryptographicException: Keyset does not exist
我正在用这个实例重新证明
And I am re-instantiating the certificate with this
var cert = new X509Certificate2(myCertInBytes, myCertPass,
X509KeyStorageFlags.PersistKeySet |
X509KeyStorageFlags.MachineKeySet |
X509KeyStorageFlags.Exportable);
我正在使用ASPNET 5 rc1-update1.我也尝试过在另一台计算机上运行它,并且运行良好,只有在发布到Azure时才出现此问题.并且要添加其他内容,当我运行与使用DNX版本beta7运行的项目相同的项目时,此应用程序正在运行.
I am using ASPNET 5 rc1-update1. I have also tried running this on a different machine and it works fine, only have this issue when I publish to Azure. And to also add something else, This application was working when I was running the same project that was running using DNX version beta7
任何帮助表示赞赏.
推荐答案
问题是Azure Web Apps限制了对计算机私钥存储的访问,因为它是共享的托管环境,并且您不完全拥有计算机.解决方法是,您可以加载证书.这篇博客文章介绍了如何做到这一点的最佳实践: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
The problem is the Azure Web Apps restricts access to the machines private key store, since it's a shared hosting environment, and you don't fully own the machine. As a workaround, you can load a cert. This blog post describes the best practice on how to do so: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/
请注意,这仅适用于基本层及更高级别(不适用于免费或共享层).
Please note that this only works for Basic Tier and above (not Free or Shared tier).
也可以按照以下方式从.cer文件中完成此操作,但是应注意,这不是最佳实践,因为您以不安全的格式将安全凭据存储在代码中.
This can also be done from a .cer file as follows, however it should be noted that this is not best-practices since you're storing a secure credential with your code, in an insecure format.
public X509Certificate2 CertificateFromStrings(String certificateString64, String privateKeyXml)
{
try
{
var rsaCryptoServiceProvider = new RSACryptoServiceProvider();
rsaCryptoServiceProvider.FromXmlString(privateKeyXml);
var certificateBytes = Convert.FromBase64String(certificateString64);
var x509Certificate2 = new X509Certificate2(certificateBytes);
x509Certificate2.PrivateKey = rsaCryptoServiceProvider;
return x509Certificate2;
}
catch
{
return null;
}
}
这篇关于无法在Azure中访问我的X509Certificate2的私钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!