Can't bind cert using netsh when importing it with X509Store


Problem description

Well, I have generated a certificate with the following code:

// using directives added so the method compiles as posted (BouncyCastle namespaces)
using System;
using System.Security.Cryptography.X509Certificates;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;

public X509Certificate2 GenerateSelfSignedCertificate(string friendlyName, string subjectName, int keyStrength = 2048, int validNumberOfMonths = 3)
{
    // Generating Random Numbers
    var randomGenerator = new CryptoApiRandomGenerator();
    var random = new SecureRandom(randomGenerator);

    // The Certificate Generator
    var certificateGenerator = new X509V3CertificateGenerator();

    // Serial Number
    var serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
    certificateGenerator.SetSerialNumber(serialNumber);

    // Signature Algorithm
    const string signatureAlgorithm = "SHA256WithRSA";

    // Issuer and Subject Name (self-signed: issuer == subject)
    var subjectDN = new X509Name("CN=" + subjectName);
    var issuerDN = subjectDN;
    certificateGenerator.SetIssuerDN(issuerDN);
    certificateGenerator.SetSubjectDN(subjectDN);

    // Valid For
    var notBefore = DateTime.UtcNow.Date;
    var notAfter = notBefore.AddMonths(validNumberOfMonths);

    // Subject Alternative Name (DNS entry matching the subject)
    var subjectAltName = new GeneralNames(new GeneralName(GeneralName.DnsName, subjectName));
    certificateGenerator.AddExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);

    certificateGenerator.SetNotBefore(notBefore);
    certificateGenerator.SetNotAfter(notAfter);

    // Subject Public Key
    AsymmetricCipherKeyPair subjectKeyPair;
    var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
    var keyPairGenerator = new RsaKeyPairGenerator();
    keyPairGenerator.Init(keyGenerationParameters);
    subjectKeyPair = keyPairGenerator.GenerateKeyPair();

    certificateGenerator.SetPublicKey(subjectKeyPair.Public);

    // Generating the Certificate
    var issuerKeyPair = subjectKeyPair;

    // selfsign certificate
    var certificate = certificateGenerator.Generate(new Asn1SignatureFactory(signatureAlgorithm, issuerKeyPair.Private, random));

    // corresponding private key
    PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);

    // merge into X509Certificate2
    var x509 = new X509Certificate2(certificate.GetEncoded());

    // the RSAPrivateKey structure has 9 elements (version + 8 CRT parameters)
    var seq = (Asn1Sequence)Asn1Object.FromByteArray(info.ParsePrivateKey().GetDerEncoded());
    if (seq.Count != 9)
        throw new PemException("malformed sequence in RSA private key");

    var rsa = RsaPrivateKeyStructure.GetInstance(seq);
    RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
        rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

    x509.PrivateKey = DotNetUtilities.ToRSA(rsaparams);
    x509.FriendlyName = friendlyName;
    return x509;
}

Then I add the certificate to the Windows certificate store with the following code:

using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadWrite);
    store.Add(certificate);
}

Then I run the following command: netsh http add sslcert ipport="0.0.0.0:8080" certhash="e3336856798d283c3de7b8984734056b488dfd16" appid="{6e10503e-986e-4b6a-8384-743bb330769c}"

And I get the following error:

SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.

Now if I export the certificate as .PFX, delete it and import it again using certificate manager and run the command above again, it works.

What is the problem here?

I even tried to load the cert I exported with the following code, but then I get the same error, so my guess is that something is wrong with X509Store?

var certs = new X509Certificate2Collection();
certs.Import(@"C:\temp\localhost.pfx", "qwerty", X509KeyStorageFlags.Exportable);
var cert = certs[0];

using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadWrite);
    store.Add(cert);
}

Answer

I faced the same issue. Importing the certificates using the Import-PfxCertificate cmdlet solves the issue. But Import-PfxCertificate doesn't support importing certificates using an alias name (in case multiple certificates are bundled in the same pfx and you want to import one).
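The import-then-bind path the answer describes, as an added PowerShell example that is not part of the original question or answer. The PFX path, password prompt, subject name and appid are assumptions (the path and appid reuse the values from the question); the subject filter works around the cmdlet's lack of alias selection by picking the certificate to bind after everything in the PFX has been imported.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
$pfxPath  = 'C:\temp\localhost.pfx'                     # assumed: path used in the question
$subject  = 'CN=localhost'                              # assumed: subject of the cert to bind
$appId    = '{6e10503e-986e-4b6a-8384-743bb330769c}'    # appid from the question
$ipPort   = '0.0.0.0:8080'
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into the machine's Personal store. Import-PfxCertificate persists the
# private key in the machine key store, which is what http.sys needs to bind it.
$imported = Import-PfxCertificate -FilePath $pfxPath `
                                  -CertStoreLocation 'Cert:\LocalMachine\My' `
                                  -Password $password -Exportable

# The cmdlet imports every certificate in the PFX; select the one to bind by subject
# (assumed workaround for the missing alias option noted in the answer).
$cert = @($imported) | Where-Object { $_.Subject -eq $subject } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$subject' found in $pfxPath" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }

# Replace any stale binding on the same ip:port, then bind the freshly imported cert.
netsh http delete sslcert "ipport=$ipPort" 2>$null
netsh http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Confirm what http.sys now holds for this endpoint.
netsh http show sslcert "ipport=$ipPort"
```

Compare the certhash printed by the final show command with $cert.Thumbprint; a mismatch means an older binding was left in place.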
