Certificates: Cannot find the certificate and private key for decryption error when signing

Problem description

I work at a company with many servers and PCs for developers. The servers are Windows 2003 and the developers' PCs are Windows XP.

On a Windows 2003 server named preiis01, in the preproduction environment, other people in the company install a client certificate using another user (domainCompany\adminsystems) to log in to the server preiis01.

Any admin uses the user "domainCompany\adminsystems" to log in to the server preiis01 (using Terminal Server, Remote Desktop from Windows XP).

The admin user is "domainCompany\adminsystems", which installs the certificate.

The admin user installs it like this:

Session logged in as "domainCompany\adminsystems". The certificate is a PFX file. Install the PFX using the wizard. The private key is not marked as exportable. Enter the password and install.

There is a web application whose AppPool identity is the NETWORK SERVICE account.

The web server is IIS 6.0.

On preiis01, that admin user runs mmc -> Snap-in -> Certificates for Local Machine. In the node Personal -> Certificates, he sees the client certificate:

Issued To: ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1

Issued By: FNMT Clase 2 CA

In the certificate properties, the thumbprint is "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13".

That admin user runs this command:

    winhttpcertcfg.exe -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -g -a "NETWORK SERVICE"

The result is:

    Matching certificate:
    CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1
    OU=703015476
    OU=FNMT Clase 2 CA
    O=FNMT
    C=ES

    Granting private key access for account: NT AUTHORITY\NETWORK SERVICE

Now, the admin user runs this command:

    winhttpcertcfg.exe -l -c LOCAL_MACHINE\My -s "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1"

The result is:

    Matching certificate:
    CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1
    OU=700012476
    OU=FNMT Clase 2 CA
    O=FNMT
    C=ES

    Additional accounts and groups with access to the private key include:
    domainCompany\adminsystems
    NT AUTHORITY\SYSTEM
    BUILTIN\Administrators
    NT AUTHORITY\NETWORK SERVICE

Now, in an aspx page of the web application on the Windows 2003 server with IIS 6.0, I have this code:

Note: the value of X509Certificate2.HasPrivateKeyAccess() is NO (false) for the "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" certificate.

The page reports: ASP.NET application executes using the identity :: NT AUTHORITY\NETWORK SERVICE

    using System;
    using System.Security.Cryptography;
    using System.Security.Cryptography.Pkcs;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Principal;

    // Page_Load body of the test page (Web Forms). lbInfo, repeater1, Message and
    // Certificates are members of the page.
    lbInfo.Text += "<br/><br/>ASP.NET application executes using the identity :: <b>" + WindowsIdentity.GetCurrent().Name + "</b><br>";

    // List every certificate in LocalMachine\My on the page.
    var store = new X509Store(StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
    Certificates = store.Certificates;
    repeater1.DataSource = Certificates;
    repeater1.DataBind();
    store.Close();

    var nombreCertificado = "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1";

    // Look up the client certificate by subject name and try to sign with it.
    store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly);

    X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySubjectName, nombreCertificado, false);

    if (col.Count > 0)
    {
        X509Certificate2 certificate = col[0];
        store.Close();
        Message.Text = "Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;

        FirmarConCertificado(nombreCertificado, certificate);
    }
    else
    {
        store.Close();
        Message.Text = "El certificado " + nombreCertificado + " no esta instalado en la máquina";
    }


    // Signs a small test message (detached CMS/PKCS #7 signature) with the given certificate.
    public void FirmarConCertificado(string nombreCertificado, X509Certificate2 certificate)
    {
        try
        {
            var mensaje = "Datos de prueba";
            System.Text.Encoding enc = System.Text.Encoding.Default;
            byte[] data = enc.GetBytes(mensaje);

            var contentInfo = new ContentInfo(data);
            var signedCms = new SignedCms(contentInfo, true);

            var cmsSigner = new CmsSigner(certificate);

            // Sign the CMS/PKCS #7 message (this is the line that throws)
            signedCms.ComputeSignature(cmsSigner);

            // Encode the CMS/PKCS #7 message
            var ret = Convert.ToBase64String(signedCms.Encode());

            Message.Text += "Firmado con Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine;
        }
        catch (Exception ex)
        {
            Message.Text = "Error al firmar con certificado: " + ex.ToString();
            Message.Text += "<br /><br />InnerException: " + ex.InnerException;
        }
    }

The code fails for me, and I get this error: Cannot find the certificate and private key for decryption.

The error line is: signedCms.ComputeSignature(cmsSigner);

    Error al firmar con certificado: System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption.
       at System.Security.Cryptography.Pkcs.PkcsUtils.CreateSignerEncodeInfo(CmsSigner signer, Boolean silent)
       at System.Security.Cryptography.Pkcs.SignedCms.Sign(CmsSigner signer, Boolean silent)
       at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer, Boolean silent)
       at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer)
       at ASP.dgsfp_test_testcert_aspx.FirmarConCertificado(String nombreCertificado, X509Certificate2 certificate) in c:CompanyAppTestTestCert.aspx:line 242

Then, the admin user (I recall, the one who installed the certificate) runs these commands:

    FindPrivateKey My LocalMachine -t "93 bc a4 ad 58 c9 3c af 8b eb 0b 2f 86 c7 9d 81 70 a6 c4 13" -c

    FindPrivateKey My LocalMachine -n "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -a

    FindPrivateKey My LocalMachine -n "CN=ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1" -a

The result for all 3 commands is the same:

    FindPrivateKey helps user to find the location of the Private Key file of a X.509 Certificate.
    Usage: FindPrivateKey <storeName> <storeLocation> [{ {-n <subjectName>} | {-t <thumbprint>} } [-f | -d | -a]]
           <subjectName> subject name of the certificate
           <thumbprint>  thumbprint of the certificate (use certmgr.exe to get it)
           -f            output file name only
           -d            output directory only
           -a            output absolute file name
    e.g. FindPrivateKey My CurrentUser -n "CN=John Doe"
    e.g. FindPrivateKey My LocalMachine -t "03 33 98 63 d0 47 e7 48 71 33 62 64 76 5c 4c 9d 42 1d 6b 52" -c

FindPrivateKey does not find anything, but winhttpcertcfg.exe -l works fine (matching certificate).

We have granted privileges to the Network Service user using the winhttpcertcfg.exe tool, and in the ASP.NET code (executing under the Network Service account) the certificate is found. But it fails when signing with the certificate.

If someone could give us some information about this, or suggestions.

Update:

A user in the domain, "domainCompany\Pre_Certificado", installs the certificate in the Local Machine store.

domainCompany\Pre_Certificado is an Administrator, is in the IIS_WPG group, and has the local policy "Log on as a service".

I configure the AppPool identity in IIS 6.0 as domainCompany\Pre_Certificado.

The page reports: ASP.NET application executes using the identity :: domainCompany\Pre_Certificado

I recycle the AppPool and run the application, and I get System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption.

If I test again with a session logged in on the IIS server as the domainCompany\Pre_Certificado user, I call the page in the ASP.NET application and everything is OK.

(Note: the login on the IIS server is done using Terminal Server.)

But if I log off the session on the IIS server (user: domainCompany\Pre_Certificado), I get the same error:

    System.Security.Cryptography.CryptographicException: Cannot find the certificate and private key for decryption

Any suggestions??

Recommended answer

Please check this document, which should help you resolve the issue. I would recommend using the following command option:

    winhttpcertcfg -g -c LOCAL_MACHINE\My -s MyCertificate -a TESTUSER
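The question checks two things by hand: where the private key behind the certificate lives (FindPrivateKey) and which accounts hold rights on it (winhttpcertcfg -l), and the answer grants the app pool account access with winhttpcertcfg -g. The console program below is an added example, not code from the question, the answer, or either tool: it resolves the CAPI key container behind a LocalMachine\My certificate, finds the container file on disk, and lists the accounts with an access rule on it, flagging whether the app pool identity has read access. It assumes .NET Framework on Windows (CAPI RSA keys, as on the Windows 2003 / IIS 6.0 server described), that it is run by an administrator on that server, and the subject name and account in the two constants are placeholders taken from the question.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic for the problem in the question; not from the question or the answer.
static class PrivateKeyDiagnostics
{
    // Assumed values: subject text from the question and the app pool identity to check.
    const string SubjectName = "ENTIDAD COMPANY INSURE SA - CIF A93 - NOMBRE SURNAME1 NAME1";
    const string AppPoolAccount = @"NT AUTHORITY\NETWORK SERVICE";

    static void Main()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, SubjectName, false);
            if (found.Count == 0) { Console.WriteLine("Certificate not found in LocalMachine\\My"); return; }
            foreach (X509Certificate2 cert in found)
            {
                string keyFile = LocateKeyFile(cert);
                if (keyFile != null) ReportAccess(keyFile);
            }
        }
        finally { store.Close(); }
    }

    // What FindPrivateKey does: resolve the CSP container name behind the certificate and
    // find the container file. Returns null when this identity cannot open the key.
    static string LocateKeyFile(X509Certificate2 cert)
    {
        Console.WriteLine("Thumbprint   : " + cert.Thumbprint);
        Console.WriteLine("HasPrivateKey: " + cert.HasPrivateKey);
        if (!cert.HasPrivateKey) return null;

        RSACryptoServiceProvider rsa;
        try { rsa = cert.PrivateKey as RSACryptoServiceProvider; }
        catch (CryptographicException ex)
        {
            // Same failure family as the question: the key exists but is not accessible here.
            Console.WriteLine("PrivateKey   : cannot be opened: " + ex.Message);
            return null;
        }
        if (rsa == null) { Console.WriteLine("Not a CAPI RSA key"); return null; }

        CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
        Console.WriteLine("MachineKeySet: " + info.MachineKeyStore);
        Console.WriteLine("Container    : " + info.UniqueKeyContainerName);

        // Machine keys live under the common application-data folder; user keys live in the
        // importing user's roaming profile (per-SID subfolder), available only while that
        // profile is loaded.
        string root = info.MachineKeyStore
            ? Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
                           @"Microsoft\Crypto\RSA\MachineKeys")
            : Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
                           @"Microsoft\Crypto\RSA");
        string[] hits = Directory.GetFiles(root, info.UniqueKeyContainerName, SearchOption.AllDirectories);
        if (hits.Length == 0) { Console.WriteLine("Key file not found under " + root); return null; }
        Console.WriteLine("Key file     : " + hits[0]);
        return hits[0];
    }

    // What "winhttpcertcfg -l" does: list the accounts with rights on the key file and check
    // whether the app pool account has the read ACE that "winhttpcertcfg -g" adds.
    static void ReportAccess(string keyFile)
    {
        FileSecurity acl = File.GetAccessControl(keyFile);
        bool appPoolCanRead = false;
        foreach (FileSystemAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
        {
            Console.WriteLine("  " + rule.AccessControlType + " " + rule.IdentityReference.Value
                              + " : " + rule.FileSystemRights);
            bool isAppPool = string.Equals(rule.IdentityReference.Value, AppPoolAccount,
                                           StringComparison.OrdinalIgnoreCase);
            bool canRead = (rule.FileSystemRights & FileSystemRights.Read) == FileSystemRights.Read;
            if (rule.AccessControlType == AccessControlType.Allow && isAppPool && canRead)
                appPoolCanRead = true;
        }
        Console.WriteLine(appPoolCanRead
            ? AppPoolAccount + " can read the key file"
            : AppPoolAccount + " has no read ACE on the key file; grant it with winhttpcertcfg -g");
    }
}
```

Run it once from an administrator session on the server and once under the app pool identity (for example with runas): the MachineKeySet line tells you whether the key was imported into the machine key store or into the importing user's profile, and the access-rule list tells you whether the ACE granted by winhttpcertcfg -g actually reached the file. A key in a user profile will only open while that user's profile is loaded, which matches the logged-in versus logged-off behaviour reported in the update.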
