证书私钥在IIS Web服务器下引发CryptographicException [英] Certificate private key throws CryptographicException under IIS Web Server
问题描述
在我的ASP.NET应用程序中,我正在从证书存储中加载证书:
In my ASP.NET application I'm loading a certificate from the certificate store:
var myCert = CertificateUtils.GetCertificate("thumbprint");
此证书包含用于解密加密的应用程序设置的密钥对.
This certificate contains a key pair which is used to decrypt the encrypted application settings.
该证书安装在本地计算机下的个人证书存储中.当应用程序在 IIS Express 下运行时,它可以很好地工作.但是,如果我在 full IIS Web Server 下执行它,则myCert实例将缺少私钥.
The certificate is installed in Personal certificate store under the Local Computer. It works well when the application is running under the IIS Express. But if I execute it under the full IIS Web Server, the myCert instance is missing the private key.
myCert对象的PrivateKey字段包含一个例外:
The PrivateKey field of myCert object contains an exception:
'myCert.PrivateKey' threw an exception of type 'System.Security.Cryptography.CryptographicException'
我检查了myCert对象的其他字段是否包含相同的值(例如,证书序列号,指纹或有效期),因此看来在两个 IIS 下都获得了相同的证书和 IIS Express .对于完整的 IIS ,仅缺少私钥.
I have checked that other fields of myCert object contain same values (like, for example, certificate serial number, thumbprint or expiration), so it seems it's getting the same certificate under both IIS and IIS Express. Only the private key is missing in the case of full IIS.
我唯一更改的是项目属性(使用IIE Express"/使用IIS Web服务器")中的 Local Development Server .在两种情况下,它都在 Azure Emulator Express 中运行.
The only thing I have changed was the Local Development Server in project's properties ("Use IIE Express" / "Use IIS Web Server"). It's running inside the Azure Emulator Express in both cases.
有人知道吗,为什么会这样?
Does anyone have an idea, why is this happenning?
推荐答案
在IIS Express上运行,该程序使用您的凭据访问证书,而在IIS上,则使用池标识的凭据.您可以轻松地检查证书ACL,以查看允许或不允许的人.
Running on IIS Express, the program uses your credentials to access the certificate, while on IIS the pool identity's credentials are used. You can easily check the certificate ACL to see who is allowed or not.
请按照以下步骤操作:
-
检查您的网站使用的应用程序池
打开 Internet信息服务管理器,在左侧的连接树中选择站点.在中间面板中选择您的站点,然后单击右侧面板上操作下的基本设置.
Open Internet Information Services Manager, select Sites in the Connections tree on the left. Select your site in the middle panel and click Basic settings under Actions on the right panel.
检查应用程序池使用的身份
在左侧的 Connections 树中选择 Application Pools ,然后在中间面板中找到标识.可能是网络服务".
Select Application Pools in the Connections tree on the left and find the identity in the middle panel. It'll be probably "NETWORK SERVICE".
将应用程序池所使用身份的读取权限添加到您的证书中
打开 Microsoft管理控制台(mmc),为本地计算机帐户添加证书管理单元,并在个人证书.打开其上下文菜单,所有任务和管理私钥... .单击添加.,输入身份(网络服务"),然后单击检查名称和确定.在 权限下,仅允许 Read 权限.
Open the Microsoft Management Console (mmc), add the Certificates snap-in for local Computer account and find your certificate under Personal certificates. Open its context menu, All Tasks and Manage Private Keys.... Click Add.., enter the identity ("NETWORK SERVICE") and click Check Names and OK. Under Permissions for allow only the Read permission.
You can read details in this question: How to give ASP.NET access to a private key in a certificate in the certificate store?
这篇关于证书私钥在IIS Web服务器下引发CryptographicException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
