Import certificate with private key programmatically


Question

I'm trying to use the HttpListener class in a C# application to have a mini webserver serve content over SSL. In order to do this I need to use the httpcfg tool. I have a .pfx file with my public and private key pair. If I import this key pair manually using mmc into the local machine store, everything works fine. However, if I import this key pair programmatically using the X509Store class, I am not able to connect to my mini webserver. Note that in both methods the cert is getting imported to the MY store in LocalMachine. Oddly, I am able to view the certificate in mmc once I programmatically import it, and when I view it, the UI indicates that a private key is also available for this certificate.

Digging a little deeper, I notice that when I manually import the key pair, I can see a new file appear in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys, but one does not appear when I import programmatically. On a related note, when I delete a manually imported certificate, it does not remove the corresponding private key file from the previously mentioned directory.

Ultimately, my question is this: when I programmatically add the certificate to the store, where is the private key being stored, and why isn't it accessible to the HttpListener class (HttpApi)?

Note that this question is slightly related, but I don't think permissioning is the problem since this is all being done as the same Windows user: "How to set read permission on the private key file of X.509 certificate from .NET".

Recommended answer

Ok, I figured it out. It had to do with the key storage parameters for the certificate object. For anyone else that runs into this problem, make sure you construct the X509Certificate2 objects that you are adding to the store using the X509KeyStorageFlags.PersistKeySet and X509KeyStorageFlags.MachineKeySet flags. This will force the private key to persist in the machine key set location, which is required by HttpApi (HttpListener wraps this).
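The import described in the answer, as an added example that is not part of the original question or answer. It imports a PFX with the two flags, then checks the result the way HTTP.sys will see it: by re-opening LocalMachine\My from a fresh store handle and actually signing with the private key, since HasPrivateKey on the in-memory object is true even when nothing was persisted. It also shows which file under MachineKeys holds a CAPI key, and how to delete the key container when the certificate is retired (the question notes that removing the certificate alone leaves the key file behind). The PFX path, password, port and application id are placeholders; the CspKeyContainerInfo lookup assumes .NET Framework with a CAPI (CSP) key and returns null for CNG keys.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; not code from the original post. Placeholders: pfxPath,
// password, the port and the appid GUID in the netsh command below.
public static class MachineCertImport
{
    // Import so the private key is written to the machine key container store
    // and outlives this object. Without PersistKeySet the key is discarded when
    // the X509Certificate2 is collected (the store entry keeps pointing at a key
    // that no longer exists); without MachineKeySet it lands in the importing
    // user's profile, where HTTP.sys, running as SYSTEM, cannot open it.
    public static X509Certificate2 Import(string pfxPath, string password)
    {
        const X509KeyStorageFlags flags =
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;

        var cert = new X509Certificate2(pfxPath, password, flags);
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            store.Add(cert);
        }
        return cert;
    }

    // Verify from a fresh store handle, as HTTP.sys does: find by thumbprint and
    // exercise the key. Returns false when the key was never persisted.
    public static bool PrivateKeyUsable(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0) return false;

            using (RSA rsa = found[0].GetRSAPrivateKey())
            {
                if (rsa == null) return false;
                byte[] sig = rsa.SignData(new byte[] { 0x01, 0x02, 0x03 },
                    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                return sig.Length > 0;
            }
        }
    }

    // Where the key lives. For a CAPI key, UniqueKeyContainerName is the file
    // name under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys (the XP-era path
    // in the question is the same location). Null for CNG keys, which are kept
    // under ...\Crypto\Keys instead. Assumes .NET Framework.
    public static CspKeyContainerInfo MachineKeyInfo(X509Certificate2 cert)
    {
        var csp = cert.PrivateKey as RSACryptoServiceProvider;
        return csp == null ? null : csp.CspKeyContainerInfo;
    }

    // Removing the certificate from the store does not remove the key container.
    // Delete it explicitly with the container's KeyContainerName so the private
    // key does not linger on disk after the certificate is retired.
    public static void DeleteMachineKeyContainer(string keyContainerName)
    {
        var parameters = new CspParameters
        {
            KeyContainerName = keyContainerName,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseExistingKey
        };
        using (var csp = new RSACryptoServiceProvider(parameters))
        {
            csp.PersistKeyInCsp = false; // container is deleted when Clear() runs
            csp.Clear();
        }
    }

    public static void Main()
    {
        X509Certificate2 cert = Import(@"C:\path\to\server.pfx", "pfx-password");
        Console.WriteLine("Thumbprint: " + cert.Thumbprint);
        Console.WriteLine("Key usable from store: " + PrivateKeyUsable(cert.Thumbprint));

        CspKeyContainerInfo info = MachineKeyInfo(cert);
        if (info != null)
        {
            Console.WriteLine("Key container: " + info.KeyContainerName);
            Console.WriteLine("MachineKeys file: " + info.UniqueKeyContainerName);
        }

        // Bind the listener port to the cert (run elevated). httpcfg on XP/2003
        // does the same job; netsh replaced it from Vista onward.
        Console.WriteLine("netsh http add sslcert ipport=0.0.0.0:8443 certhash="
            + cert.Thumbprint + " appid={00000000-0000-0000-0000-000000000000}");
    }
}
```

Two caveats worth knowing. First, MachineKeySet puts the key where SYSTEM can reach it, but the ACL on the key file still has to allow it; the default ACL on MachineKeys grants SYSTEM and Administrators, so this only becomes a problem if the file ACL has been tightened. Second, on .NET Core 3.0 and later there is also an EphemeralKeySet flag that keeps the key in memory only; it is the opposite of what HTTP.sys needs and must not be combined with this import.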

