如何使用.NET Core 2中存储在Azure Key Vault中的PFX证书中的私钥? [英] How do I use the private key from a PFX certificate stored in Azure Key Vault in .NET Core 2?

问题描述

我已经用C#编写了一个ASP.NET Core 2.0网站，并且启用了Facebook身份验证，因此它需要HTTPS.我正在使用本机Kestrel Web服务器托管该站点，并设置了一个侦听器，以根据MS文档获取PFX证书.从Key Vault召回后，我似乎找不到让Kestrel识别私钥的方法.我知道它存在，因为我编写了两个调试语句来表明它确实存在.

I've written an ASP.NET Core 2.0 website in C# and have Facebook authentication enabled, so it requires HTTPS. I'm using the native Kestrel web server to host the site and have a listener set to take the PFX certificate per MS' documentation. I can't seem to find a way for Kestrel to recognize the private key after recall from Key Vault. I know it's present, as I wrote two debug statements that indicate it is, in fact present.

这是我用来检索机密的函数，可以正常工作.

This is the function that I'm using to retrieve the secret, which is working.

        public static async Task<X509Certificate2> GetKeyVaultCert()
    {
        X509Certificate2 pfx;

        try
        {
            var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
            var secret = await kvClient
                .GetSecretAsync("https://macscampvault.vault.azure.net/secrets/letsencrypt").ConfigureAwait(false);

            byte[] bytes;
            if(secret.ContentType == "application/x-pkcs12")
                bytes = Convert.FromBase64String(secret.Value);
            else
            {
                bytes = new byte[0];
                Console.WriteLine("secret is not PFX!!");
                throw new ArgumentException("This is not a PFX string!!");
            }
            var password = new SecureString();

            var coll = new X509Certificate2Collection();
            coll.Import(bytes, null, X509KeyStorageFlags.Exportable);
            pfx = coll[0];
// File output added in case I end up needing to write cert to container
//          File.WriteAllBytes(Directory.GetCurrentDirectory().ToString() + "/Macs.pfx", bytes);
            Console.WriteLine(pfx.HasPrivateKey);
            Console.WriteLine(pfx.GetRSAPrivateKey());

        }
        catch (Exception ex)
        {
            Console.WriteLine($"There was a problem during the key vault operation\n{ex.Message}");
            throw;
        }

        return pfx;
    }

分配调用pfx = coll[0];之后的调试语句告诉我该私钥存在，但是当我尝试使用lynx https://localhost连接到网站时，收到以下异常: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.

The debug statements after the assignment call pfx = coll[0]; tell me that this private key exists, but when I try to connect to the website using lynx https://localhost I receive the following exception: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.

那么，如何使用私钥?这是有关文件的要点.

So, how do I use the private key? Here's a gist to the file in question.

I already was helped by How to serialize and deserialize a PFX certificate in Azure Key Vault? but after following it, I got to this state.

推荐答案

要点如下:

var keyVaultCert = GetKeyVaultCert().Result ??
    throw new ArgumentNullException("GetKeyVaultCert().Result");
pfx = new X509Certificate2(keyVaultCert.RawData);

第二行删除了私钥，因为RawData属性仅返回DER编码的X.509对象.

The second line there removes the private key, because the RawData property just returns the DER encoded X.509 object.

keyVaultCert已经是具有私钥的X509Certificate2，您可能只想使用它.

keyVaultCert is already an X509Certificate2 with a private key, you probably want to just use it.

pfx = GetKeyVaultCert().Result ?? throw etc;

这篇关于如何使用.NET Core 2中存储在Azure Key Vault中的PFX证书中的私钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！