私钥引发了System.Security.Cryptography.CryptographicException类型的异常 [英] PrivateKey threw an exception of type System.Security.Cryptography.CryptographicException

问题描述

我正在尝试使用以下代码使用自签名证书：

I'm trying to use self-signed certificate using the following code:

X509Certificate2 cert = ToCertificate("CN=localhost");


public static X509Certificate2 ToCertificate(this string subjectName,
                                                StoreName name = StoreName.My,
                                                StoreLocation location = StoreLocation.LocalMachine
                                                )
    {
        X509Store store = new X509Store(name, location);

        store.Open(OpenFlags.ReadOnly);

        try
        {
            var cert = store.Certificates.OfType<X509Certificate2>().FirstOrDefault(c => c.Subject.Equals(subjectName, StringComparison.OrdinalIgnoreCase));

            return cert != null ? new X509Certificate2(cert) : null;
        }
        catch (Exception)
        {

            throw;
        }
        finally
        {
            store.Certificates.OfType<X509Certificate2>().ToList().ForEach(c => c.Reset());
            store.Close();
        }
    }

我遇到以下异常：

PrivateKey = 'cert.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'

我尝试了此修补程序和此修复程序

但是仍然存在问题！

推荐答案

davidchristiansen说：

davidchristiansen Said:

什么是CNG密钥？ Windows中的
证书是使用存储提供程序存储的。 Windows有两个不兼容的提供程序。简而言之，旧样式为加密服务提供商或CSP，而新样式为加密API：下一代或CNG。自Windows Vista以来，CNG提供程序就存在了，尽管它更安全，更易于使用，但许多软件仍然与CNG提供程序不兼容。这似乎还包括.NET Framework。

What is a CNG Key? Certificates in Windows are stored using Storage Providers. Windows has two of these providers, that are not compatible. The old style "Cryptographic Service Providers" or CSP in short and the new style "Cryptography API: Next Generation" or CNG. The CNG providers have been around since Windows Vista, and although it is more secure and easier to use many facets of software are still not compatible with CNG providers. This appears to also include the .NET Framework.

可能的解决方法是直接使用CryptoAPI / CNG API处理CNG密钥。但是，如果我们需要一个更简单，更纯净的.NET解决方案来理解CNG，则需要找到另一个解决方案（详细信息！）。

A possible workaround to this may be to use CryptoAPI/CNG API directly to deal with CNG keys. But if we want an easier and pure .NET solution which understands CNG, we need to find another solution (details to follow!).

我按照以下文章进行了转换，以将我的证书密钥从CNG转换为RSA。

I followed the following post to convert to convert my certificate key from CNG to RSA. It works!

http：/ /blog.davidchristiansen.com/2016/05/521/

来自博客的步骤：

1. 从PFX
   文件中提取公钥和完整证书链


2. 提取CNG私钥


3. 将私钥转换为RSA格式


4. 将具有RSA私钥的公钥合并到新的PFX文件中

1. Extract your public key and full certificate chain from your PFX file
2. Extract the CNG private key
3. Convert the private key to RSA format
4. Merge public keys with RSA private key to a new PFX file

将应用程序更改为使用刚创建的新PFX后，
应该会发现您的问题已解决。

After changing your application to use the new PFX you just created, you should find that your issues have been resolved.

现在让我们看看如何使用OpenSSL执行这些步骤（从此处获取适用于Windows的OpenSSL
）

Now let’s see how to carry out these steps using OpenSSL (Get OpenSSL for Windows from here)

1. 提取您的PFX文件中的公钥和完整证书链

OpenSSL pkcs12 -in yourcertificate.pfx -nokeys -out
您的证书e.cer -passin pass：myreallystrongpassword

OpenSSL pkcs12 -in "yourcertificate.pfx" -nokeys -out "yourcertificate.cer" -passin "pass:myreallystrongpassword"

1. 提取CNG私钥

OpenSSL pkcs12 -in yourcertificate.pfx -nocerts –out
yourcertificate.pem -passin pass：myreallystrongpassword -passout
pass：myreallystrongpassword

OpenSSL pkcs12 -in "yourcertificate.pfx" -nocerts –out "yourcertificate.pem" -passin "pass:myreallystrongpassword" -passout "pass:myreallystrongpassword"

1. 将私钥转换为RSA格式

OpenSSL rsa -inform PEM -in yourcertificate.pem -out
yourcertificate.rsa -passin pass：myreallystrongpassword -passout
pass：myreallystrongpassword

OpenSSL rsa -inform PEM -in "yourcertificate.pem" -out "yourcertificate.rsa" -passin "pass:myreallystrongpassword" -passout "pass:myreallystrongpassword"

1. 将具有RSA私钥的公钥合并到新的PFX文件中

OpenSSL pkcs12 -export -in yourcertificate.cer -inkey
yourcertificate.rsa -out yourcertificate-converted.pfx -passin
pass：myreallystrongpassword -passout pass：myreallystrongpassword

OpenSSL pkcs12 -export -in "yourcertificate.cer" -inkey "yourcertificate.rsa" -out "yourcertificate-converted.pfx" -passin "pass:myreallystrongpassword" -passout "pass:myreallystrongpassword"

这篇关于私钥引发了System.Security.Cryptography.CryptographicException类型的异常的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！