How to give ASP.NET access to a private key in a certificate in the certificate store?


Question

I have an ASP.NET application that accesses the private key in a certificate in the certificate store. On Windows Server 2003 I was able to use winhttpcertcfg.exe to give private key access to the NETWORK SERVICE account. How do I give permissions to access a private key in a certificate in the certificate store (Local Computer\Personal) on Windows Server 2008 R2 in an IIS 7.5 website?

I've tried giving Full Trust access to "Everyone", "IIS AppPool\DefaultAppPool", "IIS_IUSRS", and every other security account I could find using the Certificates MMC (Server 2008 R2). However, the code below demonstrates that the code does not have access to the private key of a certificate that was imported with its private key. The code instead throws an error every time the private key property is accessed.

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Repeater ID="repeater1" runat="server">
            <HeaderTemplate>
                <table>
                    <tr>
                        <td>
                            Cert
                        </td>
                        <td>
                            Public Key
                        </td>
                        <td>
                            Private Key
                        </td>
                    </tr>
            </HeaderTemplate>
            <ItemTemplate>
                <tr>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).GetNameInfo(X509NameType.SimpleName, false) %>
                    </td>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).HasPublicKeyAccess() %>
                    </td>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).HasPrivateKeyAccess() %>
                    </td>
                </tr>
            </ItemTemplate>
            <FooterTemplate>
                </table></FooterTemplate>
        </asp:Repeater>
    </div>
    </form>
</body>
</html>


Default.aspx.cs

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.UI;

public partial class _Default : Page
{
    public X509Certificate2Collection Certificates;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Local Computer\Personal ("My") store
        var store = new X509Store(StoreLocation.LocalMachine);
        // create and open the store for read-only access
        store.Open(OpenFlags.ReadOnly);
        // Certificates returns a copy, so the store can be closed afterwards
        Certificates = store.Certificates;
        store.Close();
        repeater1.DataSource = Certificates;
        repeater1.DataBind();
    }
}

public static class Extensions
{
    // Reading the public key needs no key-container permissions; expected to return "Yes".
    public static string HasPublicKeyAccess(this X509Certificate2 cert)
    {
        try
        {
            AsymmetricAlgorithm algorithm = cert.PublicKey.Key;
        }
        catch (Exception)
        {
            return "No";
        }
        return "Yes";
    }

    // Touching PrivateKey opens the key container on disk, which throws when the
    // worker process identity has no ACL entry on the key file.
    public static string HasPrivateKeyAccess(this X509Certificate2 cert)
    {
        try
        {
            string algorithm = cert.PrivateKey.KeyExchangeAlgorithm;
        }
        catch (Exception)
        {
            return "No";
        }
        return "Yes";
    }
}

Answer

  1. Create / purchase a certificate. Make sure it has a private key.
  2. Import the certificate into the "Local Computer" account. Best to use the Certificates MMC. Make sure to check "Allow private key to be exported".
  3. Based upon which identity the IIS 7.5 application pool runs under, use one of the following.

  • IIS 7.5 website is running under ApplicationPoolIdentity. Open MMC => Add Certificates (Local Computer) snap-in => Certificates (Local Computer) => Personal => Certificates => right-click the certificate of interest => All Tasks => Manage Private Keys => add IIS AppPool\AppPoolName and grant it Full Control. Replace "AppPoolName" with the name of your application pool (sometimes IIS_IUSRS).
  • IIS 7.5 website is running under NETWORK SERVICE. Using the Certificates MMC, add "NETWORK SERVICE" to Full Trust on the certificate in "Local Computer\Personal".
  • IIS 7.5 website is running under a "MyIISUser" local computer user account. Using the Certificates MMC, add "MyIISUser" (a new local computer user account) to Full Trust on the certificate in "Local Computer\Personal".

Update based upon @Phil Hale's comment:

Beware, if you're on a domain, your domain will be selected by default in the "From this location" box. Make sure to change that to "Local Computer". Change the location to "Local Computer" to view the app pool identities.
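The same grant performed from Windows PowerShell instead of the MMC "Manage Private Keys" dialog, as an added example that is not part of the original question or answer. It assumes a CSP (CAPI) key stored under ProgramData\Microsoft\Crypto\RSA\MachineKeys, an elevated Windows PowerShell session, and placeholder values for the thumbprint and pool name; it grants Read by default, which is enough for the worker process to use the key, and only uses Full Control when asked for.

```powershell
# Added example, not from the original question or answer.
# Assumptions: certificate in LocalMachine\My with a CSP key (CNG keys are stored
# elsewhere and are not handled here), elevated session, placeholder inputs.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,    # e.g. 'THUMBPRINT-PLACEHOLDER'
    [Parameter(Mandatory)] [string] $AppPoolName,   # e.g. 'DefaultAppPool'
    [ValidateSet('Read', 'FullControl')] [string] $Rights = 'Read'
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; re-import the PFX with its key."
}

# PrivateKey opens the key container as the current (elevated) user; for a CNG key
# this either throws or returns a non-CSP object, so stop rather than guess a path.
try { $rsa = $cert.PrivateKey } catch { throw "Cannot open key container: $_" }
if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
    throw "Key is not a CSP key; use certutil -repairstore or the MMC for CNG keys."
}

# The ACL that 'Manage Private Keys' edits lives on this file.
$keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyPath)) { throw "Key file not found at $keyPath" }

# Same principal the MMC dialog expects, resolved from the local computer.
$identity = "IIS AppPool\$AppPoolName"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $identity, $Rights, 'Allow'

$acl = Get-Acl -Path $keyPath
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Re-read the ACL so the grant can be verified before restarting the app pool.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Recycle the application pool afterwards so the worker process picks up the new permission; the Default.aspx page above should then report "Yes" in the Private Key column for that certificate.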
