Fighting with certificates: Access was not successfully obtained for the private key


Problem description

I work in a company with many servers and PCs for developers. The servers are Win2003; the developer PCs are Windows XP.

On a Win2003 server named preiis01, in the preproduction environment, other people in the company installed a client certificate, using some other user (unknown to me) to log in to server preiis01.

I use my user "domainCompany\myuser" to log in to server preiis01 (using Terminal Server, Remote Desktop for Windows XP).

On preiis01, I run mmc -> Snap-in -> Certificates for Local Machine. Under node -> Personal -> Certificates, I see the client certificate:

Issued To ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

Issued By FNMT Clase 2 CA

In the properties of the certificate, I see the thumbprint: "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13"

Now, I execute these commands:

1.) FindPrivateKey My LocalMachine -n "CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -a

and I get this error:

FindPrivateKey failed for the following reason: No certificates with key 'CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1 ' found in the store.

2.) FindPrivateKey My LocalMachine -t "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13" –c

and I get this:

FindPrivateKey helps user to find the location of the Private Key file of a X.509 Certificate.

Usage: FindPrivateKey [{ {-n <subjectName>} | {-t <thumbprint>} } [-f | -d | -a]]

   <subjectName> subject name of the certificate

   <thumbprint>  thumbprint of the certificate (use certmgr.exe to get it)

   -f            output file name only

   -d            output directory only

   -a            output absolute file name

e.g. FindPrivateKey My CurrentUser -n "CN=John Doe"

e.g. FindPrivateKey My LocalMachine -t "03 33 98 63 d0 47 e7 48 71 33 62 64 76 5 c 4c 9d 42 1d 6b 52" -c

3.) winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1"

and I get this error:

Microsoft (R) WinHTTP Certificate Configuration Tool Copyright (C) Microsoft Corporation 2001. Matching certificate:

CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

OU=700012436

OU=FNMT Clase 2 CA

O=FNMT

C=ES

Error:

Access was not successfully obtained for the private key. This can only be done by the user who installed the certificate.

Access was not successfully obtained for the private key.

Any suggestions?

Updated: by Marcel Roma (social msdn forums)

Most likely the certificate was installed by some other person in your company (e.g. administrator). Only that person has access to the private key of the certificate. Download the FindPrivateKey tool, ask the administrator to execute it to find out the directory where the private key file was saved, and let him set the needed rights so that the process can access the file.

There are also some reports about Windows XP failing to extract the private key from the file due to encoding issues:

http://blogs.msdn.com/b/alejacma/archive/2010/01/11/winhttpcertcfg-tool-cannot-access-private-key-of-a-certificate.aspx

Update:

The domain user "domainCompany\Pre_Certificado" installed the certificate in the Local Machine store.

domainCompany\Pre_Certificado is an Administrator, is in the IIS_WPG group, and has the Local Policies right "Log on as Service".

I configured the AppPool identity in IIS 6.0 as: domainCompany\Pre_Certificado

The ASP.NET application executes using the identity: domainCompany\Pre_Certificado

I recycle the AppPool and run the application, and I get System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption

If I test again while logged in to a session on the IIS server as the domainCompany\Pre_Certificado user, I call a page in the ASP.NET application and all is OK.

(note: I log in to the IIS server using Terminal Server)

But if I log off the session on the IIS server (user: domainCompany\Pre_Certificado), I get the same error:

System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption

Any suggestions?

Recommended answer

Log in as the user that installed the certificate (or a local administrator). Launch the FindPrivateKey tool. Go to the security pane and add your own user to the list. You can now log in as yourself and control the certificate's private key.
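
A scripted form of the step the answer describes, as an added example that is not part of the original question or answer: it finds the key file behind a LocalMachine\My certificate and grants one account read-only access to it. It assumes Windows PowerShell on the .NET Framework, an RSA key held by a CSP in the machine key store, and a local administrator running it; the thumbprint and account are the ones quoted in the question.

```powershell
param(
    [string]$Thumbprint = '93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13',
    [string]$Account    = 'domainCompany\Pre_Certificado'
)

# A thumbprint copied from the certificate dialog carries spaces (and sometimes
# an invisible leading character); keep the hex digits only.
$tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $tp }
} finally { $store.Close() }

if (-not $cert)               { throw "No certificate with thumbprint $tp in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no associated private key' }

# Opening the key fails when the caller has no rights on the key container,
# which is the condition winhttpcertcfg reports in the question.
$info = $cert.PrivateKey.CspKeyContainerInfo
if (-not $info) { throw 'Private key could not be opened as a CSP key (no access, or not a CSP key)' }
if (-not $info.MachineKeyStore) {
    throw 'Key is stored in a user profile, not in the machine key store'
}

# Assumption: RSA key, so the file is under Crypto\RSA\MachineKeys.
$dir  = [Environment]::GetFolderPath('CommonApplicationData')
$dir  = Join-Path $dir 'Microsoft\Crypto\RSA\MachineKeys'
$file = Join-Path $dir $info.UniqueKeyContainerName
if (-not (Test-Path $file)) { throw "Key file not found: $file" }

# Least privilege: Read only, for the single account that needs the key.
$acl  = Get-Acl $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# Show the resulting ACL so the change can be reviewed.
(Get-Acl $file).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Grant the right to the application pool identity rather than to a group, and recycle the application pool afterwards so the worker process picks up the new access.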
