＆QUOT;发生内部错误＆QUOT。加载PFX文件与X509Certificate2时 [英] "An internal error occurred." when loading pfx file with X509Certificate2

问题描述

我想使用自签名证书（C＃）：

I'm trying use self-signed certificate (c#):

X509Certificate2 cert = new X509Certificate2(
    Server.MapPath("~/App_Data/myhost.pfx"), "pass");

一个共享的虚拟主机服务器上，我得到了一个错误：

on a shared web hosting server and I got an error:

System.Security.Cryptography.CryptographicException: An internal error occurred.

堆栈跟踪结尾

System.Security.Cryptography.CryptographicException.
    ThrowCryptogaphicException(Int32 hr) +33
System.Security.Cryptography.X509Certificates.X509Utils.
    _LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags, 
        Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
System.Security.Cryptography.X509Certificates.X509Certificate.
    LoadCertificateFromFile(String fileName, Object password, 
        X509KeyStorageFlags keyStorageFlags) +237
System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(
    String fileName, String password) +131

在我的开发计算机加载确定。
因为我需要一个私钥访问（CER文件加载好）我加载* .PFX不是* .CER文件的原因。

On my dev machine it loads ok. The reason I load *.pfx not a *.cer file because I need a private key access (cer file loads Ok). I made pfx on my dev mochine like that:

makecert -r -n "CN=myhost.com, E=admin@myhost.com" -sky exchange -b 01/01/2009
    -pe -sv myhost.pvk myhost.cer
<b>pvk2pfx</b> -pvk myhost.pvk -spc myhost.cer -pfx myhost.pfx -po pass</code>

makecert的

我使用的版本v5.131.3790.0

I am using version v5.131.3790.0 of makecert

推荐答案

使用本地计算机存储私钥：

Use the local computer store for the private key:

X509Certificate2 cert = new X509Certificate2("myhost.pfx", "pass",
    X509KeyStorageFlags.MachineKeySet);

<一个href=\"http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags.aspx\"><$c$c>MachineKeySet被描述为私有密钥存储在本地计算机存储，而不是在当前用户商店。没有标志默认为用户存储的地方。

MachineKeySet is described as "private keys are stored in the local computer store rather than the current user store". The default with no flags is to place in the user store.

即使你是从磁盘读取证书，并将其存储在私有密钥仍然存储在Microsoft加密API加密服务提供密钥数据库的对象。在托管服务器的ASP.NET进程没有权限访问用户存储。

Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.

另一种方法（按照下面的一些评论）是修改IIS配置或应用程序池的身份 - 这做的工作。然而，这种假设有获得这些配置项目了不得的情况下（例如，在一个共享的主机环境）。

Another approach (as per some comments below) is to modify the IIS Configuration or App Pool identity -- which do work. However, this assumes that there is access to these configuration items which may not be the case (e.g. in a shared hosting environment).

这篇关于＆QUOT;发生内部错误＆QUOT。加载PFX文件与X509Certificate2时的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！