无法在 Azure 中访问我的 X509Certificate2 的 PrivateKey [英] Unable to access my X509Certificate2's PrivateKey In Azure

问题描述

我将 X509Certificate 存储在数据库中(在 byte[] 中)，以便我的应用程序可以检索证书并使用它来签署我的 JWT.

I have my X509Certificate stored in a database (in byte[]) so that my application can retrieve the certificate and use it to sign my JWTs.

我的 x509Certificate 是通过我在我的机器上生成的 .pfx 文件传递​​的，但是现在它以字节字符串的形式存在于数据库中.

My x509Certificate is passed off a .pfx file that I generated on my machine, however now it sits in a database as a string of bytes.

当我运行它时，我的应用程序在本地运行得非常好.该应用程序可以正确创建该 X509Certificate2 的实例并将其用于我的要求，但是当我尝试在我的 azurewebsites Web 应用程序中使用它时出现问题.

My application works perfectly fine locally when I run it. The application can correctly create an instance of that X509Certificate2 and use it for my requirements, however the problem arises when I try to use it in my azurewebsites web application.

基本上我无法访问证书的 PrivateKey 实例变量，我得到一个异常

Basically I can not access the certificates' PrivateKey instance variable, I get an exception

System.Security.Cryptography.CryptographicException: Keyset does not exist

我正在用这个重新实例化证书

And I am re-instantiating the certificate with this

var cert = new X509Certificate2(myCertInBytes, myCertPass,
            X509KeyStorageFlags.PersistKeySet |
            X509KeyStorageFlags.MachineKeySet |
            X509KeyStorageFlags.Exportable);

我正在使用 ASPNET 5 rc1-update1.我也试过在另一台机器上运行它，它工作正常，只有当我发布到 Azure 时才会出现这个问题.还要添加其他内容，当我运行使用 DNX 版本 beta7 运行的同一个项目时，此应用程序正在运行

I am using ASPNET 5 rc1-update1. I have also tried running this on a different machine and it works fine, only have this issue when I publish to Azure. And to also add something else, This application was working when I was running the same project that was running using DNX version beta7

任何帮助表示赞赏.

推荐答案

问题是 Azure Web 应用程序限制了对机器私钥存储的访问，因为它是一个共享的托管环境，并且你没有完全拥有机器.作为一种解决方法，您可以加载证书.这篇博文描述了如何做到这一点的最佳实践:https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

The problem is the Azure Web Apps restricts access to the machines private key store, since it's a shared hosting environment, and you don't fully own the machine. As a workaround, you can load a cert. This blog post describes the best practice on how to do so: https://azure.microsoft.com/en-us/blog/using-certificates-in-azure-websites-applications/

请注意，这仅适用于基本层及以上(不适用于免费或共享层).

Please note that this only works for Basic Tier and above (not Free or Shared tier).

这也可以从 .cer 文件中完成，如下所示，但是应该注意，这不是最佳实践，因为您在代码中以不安全的格式存储了安全凭证.

This can also be done from a .cer file as follows, however it should be noted that this is not best-practices since you're storing a secure credential with your code, in an insecure format.

public X509Certificate2 CertificateFromStrings(String certificateString64, String privateKeyXml)
{
    try
    {
        var rsaCryptoServiceProvider = new RSACryptoServiceProvider();
        rsaCryptoServiceProvider.FromXmlString(privateKeyXml);

        var certificateBytes = Convert.FromBase64String(certificateString64);
        var x509Certificate2 = new X509Certificate2(certificateBytes);
        x509Certificate2.PrivateKey = rsaCryptoServiceProvider;

        return x509Certificate2;
    }
    catch
    {
        return null;
    }
}

这篇关于无法在 Azure 中访问我的 X509Certificate2 的 PrivateKey的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！