How can I add a private key to a certificate in the Windows trust store in C++?


Problem description

I have a file with a certificate in it, and I have a file with a private key file in it.

If I run this command

certutil -MergePFX certfile.cer certfile.pfx

I get a pfx file that if I run with explorer, it runs the windows certificate import wizard. If I run through the wizard, I end up with the cert with the key in the windows trust store. Exactly what I need.

I'm trying to do this programmatically.

The problem seems to be in the CertAddCertificateContextToStore function. In the remarks it says:

The certificate context is not duplicated using CertDuplicateCertificateContext. Instead, the function creates a new copy of the context and adds it to the store. In addition to the encoded certificate, CertDuplicateCertificateContext also copies the context's properties, with the exception of the CERT_KEY_PROV_HANDLE_PROP_ID and CERT_KEY_CONTEXT_PROP_ID properties.

So CertDuplicateCertificateContext very specifically will not copy the private key, and it seems that CertAddCertificateContextToStore doesn't either.

I have an HCRYPTPROV struct with my private key and I use CERT_KEY_CONTEXT_PROP_ID and CERT_KEY_PROV_HANDLE_PROP_ID (I tried them both) to CertSetCertificateContextProperty my certificate context, and then I store it in the windows trust store with CertAddCertificateContextToStore. And no matter what I try, the certificate goes in without the private key.

I'm verifying this with the certmgr tool that shows if a private key is attached, and I can also see it not work when I use that client certificate in a curl request I'm making.

Another thing I tried was this:

The last parameter to CertAddCertificateContextToStore is the handle to the copy of the context that is made. I figure the original context is the one I created where I read the certificate in from disk. This new certificate is the one tied to the actual on-disk store that certmgr reads.

So after I call CertAddCertificateContextToStore, I take the new cert and I add the private key, again via CertSetCertificateContextProperty, and then for good measure, I call CertControlStore to push the in-memory version of the context to disk. Still no effect. Every function call succeeds, but the private key never makes it to the windows trust store.

So in short, my question is what is the windows certificate import tool doing that I am not that will allow me to store a private key along with the certificate in the windows trust store?

I've found a handful of other questions and program examples and message boards dating back to 2002 and none are very explicit, and none of the code examples do exactly what I need, but I know I have all the pieces, they just don't yield the result.

Recommended answer

I strongly believe that you set incorrect properties. You should set only the CERT_KEY_PROV_INFO_PROP_ID context property in the CertSetCertificateContextProperty call to associate the certificate with the private key.

If you have an HCRYPTPROV handle, then you have all the necessary information to construct the CRYPT_KEY_PROV_INFO structure.
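As an added example (not code from the question or the answer), here is how that association can be built from an open HCRYPTPROV: the container name, provider name and provider type are read back with CryptGetProvParam, placed in a CRYPT_KEY_PROV_INFO, attached with CERT_KEY_PROV_INFO_PROP_ID, and the context is then added to the current user's or machine's MY store. The helper names (KeyProvInfo, ValidateKeyProvInfo, DescribeProvider, AddCertWithKey) and the small shim that stands in for wincrypt.h when the file is compiled off Windows are this example's own assumptions.

```cpp
// Added example, not code from the question or the answer: link a certificate
// context to an existing CSP key container via CERT_KEY_PROV_INFO_PROP_ID
// (a persisted *reference* to the key), then add the context to the "MY" store.
// Win32 calls are compiled only on Windows; the shim lets the pure helpers build elsewhere.
#include <string>
#include <vector>

#ifdef _WIN32
#  include <windows.h>
#  include <wincrypt.h>
#else
// Shim (assumption, not the real header): just enough of wincrypt.h for the helpers.
typedef unsigned long DWORD;
typedef wchar_t *LPWSTR;
struct CRYPT_KEY_PROV_INFO {
    LPWSTR pwszContainerName; LPWSTR pwszProvName; DWORD dwProvType; DWORD dwFlags;
    DWORD cProvParam; void *rgProvParam; DWORD dwKeySpec;
};
#  define CRYPT_MACHINE_KEYSET 0x00000020
#  define AT_KEYEXCHANGE 1
#  define AT_SIGNATURE 2
#  define PROV_RSA_AES 24
#endif

// Owns the wide strings that CRYPT_KEY_PROV_INFO only points at.
struct KeyProvInfo {
    std::wstring container;     // key container name (PP_CONTAINER)
    std::wstring provider;      // CSP name (PP_NAME)
    DWORD provType = 0;         // CSP type (PP_PROVTYPE), e.g. PROV_RSA_AES
    DWORD keySpec = 0;          // AT_KEYEXCHANGE or AT_SIGNATURE
    bool machineKeyset = false; // container lives in machine scope

    // Build the Win32 struct; valid only while this object is alive and unmodified.
    CRYPT_KEY_PROV_INFO ToWin32() {
        CRYPT_KEY_PROV_INFO info{};
        info.pwszContainerName = &container[0];
        info.pwszProvName = &provider[0];
        info.dwProvType = provType;
        // A machine-scope container must be flagged, or CryptoAPI looks in user scope.
        info.dwFlags = machineKeyset ? CRYPT_MACHINE_KEYSET : 0;
        info.cProvParam = 0;
        info.rgProvParam = nullptr;
        info.dwKeySpec = keySpec;
        return info;
    }
};

// CertSetCertificateContextProperty stores whatever it is given and only fails
// much later (no key found), so sanity-check the reference before setting it.
bool ValidateKeyProvInfo(const KeyProvInfo &k) {
    if (k.container.empty() || k.provider.empty() || k.provType == 0) return false;
    return k.keySpec == AT_KEYEXCHANGE || k.keySpec == AT_SIGNATURE;
}

#ifdef _WIN32
// Read a string parameter (PP_CONTAINER, PP_NAME) from an open CSP handle.
static bool QueryProvString(HCRYPTPROV prov, DWORD param, std::string &out) {
    DWORD len = 0;
    if (!CryptGetProvParam(prov, param, nullptr, &len, 0)) return false;
    std::vector<BYTE> buf(len);
    if (!CryptGetProvParam(prov, param, buf.data(), &len, 0)) return false;
    out.assign(reinterpret_cast<const char *>(buf.data()));
    return true;
}

// Describe the container/provider an HCRYPTPROV was opened on. The container must be
// a persisted, named one: an ephemeral CRYPT_VERIFYCONTEXT handle has nothing to refer to.
bool DescribeProvider(HCRYPTPROV prov, DWORD keySpec, bool machineKeyset, KeyProvInfo &out) {
    std::string container, provider;
    if (!QueryProvString(prov, PP_CONTAINER, container)) return false;
    if (!QueryProvString(prov, PP_NAME, provider)) return false;
    DWORD provType = 0, len = sizeof(provType);
    if (!CryptGetProvParam(prov, PP_PROVTYPE, reinterpret_cast<BYTE *>(&provType), &len, 0)) return false;
    out.container.assign(container.begin(), container.end()); // CSP names are ASCII
    out.provider.assign(provider.begin(), provider.end());
    out.provType = provType;
    out.keySpec = keySpec;
    out.machineKeyset = machineKeyset;
    return ValidateKeyProvInfo(out);
}

// Set the persisted key reference on the certificate, then add it to "MY". Unlike
// CERT_KEY_PROV_HANDLE_PROP_ID / CERT_KEY_CONTEXT_PROP_ID, this property survives the add.
bool AddCertWithKey(PCCERT_CONTEXT cert, HCRYPTPROV prov, DWORD keySpec, bool machineKeyset) {
    KeyProvInfo kpi;
    if (!DescribeProvider(prov, keySpec, machineKeyset, kpi)) return false;
    CRYPT_KEY_PROV_INFO info = kpi.ToWin32();
    if (!CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &info)) return false;
    HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, 0,
        machineKeyset ? CERT_SYSTEM_STORE_LOCAL_MACHINE : CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
    if (!store) return false;
    BOOL ok = CertAddCertificateContextToStore(store, cert, CERT_STORE_ADD_REPLACE_EXISTING, nullptr);
    CertCloseStore(store, 0);
    return ok != FALSE;
}
#endif
```

Two points worth keeping in mind: the property is only a pointer to a key container, so the key must already sit in a persisted, named container in the same scope (user or machine) as the store you add the certificate to, and a certificate whose property names a non-existent container is accepted silently and only shows up as "no private key" in certmgr later, which is why the example validates the reference before setting it.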
