Azure 网站中的站点无法处理 X509Certificate2 [英] Site in Azure Websites fails processing of X509Certificate2

问题描述

我在 Azure 网站(不是托管服务)中有站点，我需要在那里处理带有私钥的 .pfx 证书.

I have site in Azure Websites (not Hosted Service) and I need processing .pfx certificates with private key there.

var x509Certificate2 = new X509Certificate2(certificate, password);

但我遇到了以下异常:

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

在文章 http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/ 我发现这是因为默认情况下系统使用用户的本地目录来存储密钥.但是 Azure 网站没有本地用户配置文件目录.在同一篇文章中作者建议使用 X509KeyStorageFlags.MachineKeySet 标志.

In article http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/ I have found that it happens because by default the system uses a local directory of user to store the key. But Azure Websites have no local user profile directory. In the same article author propose to use X509KeyStorageFlags.MachineKeySet flag.

var x509Certificate2 = new X509Certificate2(certificate, password, X509KeyStorageFlags.MachineKeySet);

但现在我有其他例外:

System.Security.Cryptography.CryptographicException: Access denied.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

谁能帮我理解它为什么会发生以及如何解决它?

Can anybody help me to understand why it happens and how to fix it?

推荐答案

我猜你找到了解决方法，但如果其他人正在为此苦苦挣扎，我在另一个 SO 问题中找到了答案:

I guess you found a workaround, but if others are struggling with this, I found the answer to this in another SO question:

如何构造 X509Certificate2从 PKCS#12 字节数组 throw CryptographicException("系统找不到指定的文件.")?

神奇的是指定 X509KeyStorageFlags 存储标志.示例:

The magic is specifying the X509KeyStorageFlags storage flags. Example:

var myCertificae = new X509Certificate2(
    certificateData,
    securePasswordString,
    X509KeyStorageFlags.MachineKeySet | 
    X509KeyStorageFlags.PersistKeySet | 
    X509KeyStorageFlags.Exportable);

这篇关于Azure 网站中的站点无法处理 X509Certificate2的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！