How to give ASP.NET access to a private key in a certificate in the certificate store?


Problem description

I have an ASP.NET application that accesses a private key in a certificate in the certificate store. On Windows Server 2003 I was able to use winhttpcertcfg.exe to give private key access to the NETWORK SERVICE account. How do I give permissions to access a Private Key in a certificate in the certificate store (Local Computer\Personal) on a Windows Server 2008 R2 in an IIS 7.5 website?

I've tried giving Full Trust access to "Everyone", "IIS AppPool\DefaultAppPool", "IIS_IUSRS", and every other security account I could find using the Certificates MMC (Server 2008 R2). However, the code below demonstrates that the code does not have access to the Private Key of a certificate that was imported with the private key. The code instead throws an error every time the private key property is accessed.

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Repeater ID="repeater1" runat="server">
            <HeaderTemplate>
                <table>
                    <tr>
                        <td>
                            Cert
                        </td>
                        <td>
                            Public Key
                        </td>
                        <td>
                            Private Key
                        </td>
                    </tr>
            </HeaderTemplate>
            <ItemTemplate>
                <tr>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).GetNameInfo(X509NameType.SimpleName, false) %>
                    </td>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).HasPublicKeyAccess() %>
                    </td>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).HasPrivateKeyAccess() %>
                    </td>
                </tr>
            </ItemTemplate>
            <FooterTemplate>
                </table></FooterTemplate>
        </asp:Repeater>
    </div>
    </form>
</body>
</html>

Default.aspx.cs

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.UI;

public partial class _Default : Page
{
    public X509Certificate2Collection Certificates;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Local Computer\Personal (StoreName.My is the default store name)
        var store = new X509Store(StoreLocation.LocalMachine);
        // open the store for read-only access
        store.Open(OpenFlags.ReadOnly);
        try
        {
            Certificates = store.Certificates;
            repeater1.DataSource = Certificates;
            repeater1.DataBind();
        }
        finally
        {
            // release the store handle; the certificate objects stay usable after Close()
            store.Close();
        }
    }
}

public static class Extensions
{
    // "Yes" when the public key can be materialised as an AsymmetricAlgorithm
    public static string HasPublicKeyAccess(this X509Certificate2 cert)
    {
        try
        {
            AsymmetricAlgorithm algorithm = cert.PublicKey.Key;
        }
        catch (Exception)
        {
            return "No";
        }
        return "Yes";
    }

    // "Yes" when the private key handle can be opened under the worker process identity;
    // if that identity has no ACL entry on the key, cert.PrivateKey throws a CryptographicException
    public static string HasPrivateKeyAccess(this X509Certificate2 cert)
    {
        try
        {
            string algorithm = cert.PrivateKey.KeyExchangeAlgorithm;
        }
        catch (Exception)
        {
            return "No";
        }
        return "Yes";
    }
}

Solution

  1. Create / purchase a certificate. Make sure it has a private key.
  2. Import the certificate into the "Local Computer" account. Best to use the Certificates MMC. Make sure to check "Allow private key to be exported".
  3. Based upon which identity the IIS 7.5 Application Pool uses, use one of the following.

    • IIS 7.5 Website is running under ApplicationPoolIdentity. Open MMC => Add Certificates (Local computer) snap-in => Certificates (Local Computer) => Personal => Certificates => Right click the certificate of interest => All tasks => Manage private keys => Add IIS AppPool\AppPoolName and grant it Full control. Replace "AppPoolName" with the name of your application pool (sometimes IIS_IUSRS).
    • IIS 7.5 Website is running under NETWORK SERVICE. Using the Certificates MMC, add "NETWORK SERVICE" to Full Trust on the certificate in "Local Computer\Personal".
    • IIS 7.5 Website is running under the "MyIISUser" local computer user account. Using the Certificates MMC, add "MyIISUser" (a new local computer user account) to Full Trust on the certificate in "Local Computer\Personal".
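The "Manage private keys" step above is an ACL change on the key file under ProgramData; the script below, added here as an example and not part of the original answer, performs the same grant for an application pool identity from Windows PowerShell 5.1 run elevated on the server, granting Read rather than Full control. `$Thumbprint` and `$AppPoolName` are placeholders you supply; key file locations are the standard CSP (MachineKeys) and CNG (Keys) folders, and certificates whose key lives on a smart card or HSM have no file to re-ACL.

```powershell
# Added example (not from the original post): grant an IIS application pool identity
# read access to a certificate's private key file, the scripted equivalent of
# MMC -> Manage private keys. Assumes Windows PowerShell 5.1, run elevated.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,   # placeholder: from Get-ChildItem Cert:\LocalMachine\My
    [Parameter(Mandatory)] [string] $AppPoolName   # placeholder, e.g. "DefaultAppPool"
)
$ErrorActionPreference = 'Stop'

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }

# Resolve the on-disk key file. CSP (CAPI) keys and CNG (KSP) keys live in different folders.
$keyFile = $null
try { $csp = $cert.PrivateKey } catch { $csp = $null }   # null or an exception for CNG keys
if ($csp -and $csp.CspKeyContainerInfo) {
    $name    = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $name
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
}
if (-not $keyFile -or -not (Test-Path $keyFile)) {
    throw "Could not locate a private key file for $Thumbprint (non-RSA key, or key held in hardware)."
}

# Read is sufficient for TLS and signing; Full control would also let the pool delete or re-ACL the key.
$identity = "IIS AppPool\$AppPoolName"
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Print the resulting entries for this identity so the grant can be verified and audited.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$AppPoolName*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After running it, recycle the application pool so the worker process picks up the new ACL, then re-check with the Default.aspx page above: the Private Key column should flip from "No" to "Yes" for that certificate.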
