“发生内部错误。”使用 X509Certificate2 加载 pfx 文件时
我正在尝试在共享 Web 托管服务器上使用自签名证书 (c#):
X509Certificate2 cert = new X509Certificate2(
Server.MapPath("~/App_Data/myhost.pfx"), "pass");
,但出现错误:
System.Security.Cryptography.CryptographicException: An internal error occurred.
堆栈跟踪以
System.Security.Cryptography.CryptographicException.
ThrowCryptogaphicException(Int32 hr) +33
System.Security.Cryptography.X509Certificates.X509Utils.
_LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags,
Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
System.Security.Cryptography.X509Certificates.X509Certificate.
LoadCertificateFromFile(String fileName, Object password,
X509KeyStorageFlags keyStorageFlags) +237
System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(
String fileName, String password) +131
在我的开发计算机上加载正常结束。 我加载 *.pfx 而不是 *.cer 文件的原因是因为我需要私钥访问(cer 文件加载正常)。 我在我的开发机器上制作了 pfx,如下所示:
makecert -r -n "CN=myhost.com, [email protected]" -sky exchange -b 01/01/2009
-pe -sv myhost.pvk myhost.cer
<b>pvk2pfx</b> -pvk myhost.pvk -spc myhost.cer -pfx myhost.pfx -po pass</code>
我正在使用 makecert 的 v5.131.3790.0 版本
I'm trying use self-signed certificate (c#):
X509Certificate2 cert = new X509Certificate2(
Server.MapPath("~/App_Data/myhost.pfx"), "pass");
on a shared web hosting server and I got an error:
System.Security.Cryptography.CryptographicException: An internal error occurred.
stack trace ends with
System.Security.Cryptography.CryptographicException.
ThrowCryptogaphicException(Int32 hr) +33
System.Security.Cryptography.X509Certificates.X509Utils.
_LoadCertFromFile(String fileName, IntPtr password, UInt32 dwFlags,
Boolean persistKeySet, SafeCertContextHandle& pCertCtx) +0
System.Security.Cryptography.X509Certificates.X509Certificate.
LoadCertificateFromFile(String fileName, Object password,
X509KeyStorageFlags keyStorageFlags) +237
System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(
String fileName, String password) +131
On my dev machine it loads ok.
The reason I load *.pfx not a *.cer file because I need a private key access (cer file loads Ok).
I made pfx on my dev mochine like that:
makecert -r -n "CN=myhost.com, [email protected]" -sky exchange -b 01/01/2009
-pe -sv myhost.pvk myhost.cer
<b>pvk2pfx</b> -pvk myhost.pvk -spc myhost.cer -pfx myhost.pfx -po pass</code>
I am using version v5.131.3790.0 of makecert
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
使用本地计算机存储来获取私钥:
< code>MachineKeySet 被描述为“私钥存储在本地计算机存储中而不是当前用户存储中”。没有标志的默认设置是放置在用户存储中。
即使您从磁盘读取证书并将其存储在对象中,私钥仍存储在 Microsoft Cryptographic API Cryptographic Service Provider 密钥数据库中。在托管服务器上,ASP.NET 进程没有访问用户存储的权限。
另一种方法(根据下面的一些评论)是修改 IIS 配置或应用程序池标识 - 这确实有效。然而,这假设可以访问这些配置项,但情况可能并非如此(例如,在共享托管环境中)。
Use the local computer store for the private key:
MachineKeySetis described as "private keys are stored in the local computer store rather than the current user store". The default with no flags is to place in the user store.Even though you are reading the certificate from disk and storing it in an object the private keys are still stored in the Microsoft Cryptographic API Cryptographic Service Provider key database. On the hosting server the ASP.NET process does not have permission to access the user store.
Another approach (as per some comments below) is to modify the IIS Configuration or App Pool identity -- which do work. However, this assumes that there is access to these configuration items which may not be the case (e.g. in a shared hosting environment).
我尝试了兰迪的解决方案,将其更改为 MachineKeySet,但随后收到错误消息:
“密钥在指定状态下使用无效”
因此,经过一番谷歌搜索后,我发现了一篇建议将其更改为的帖子:
这解决了我的问题。
我尚未尝试更改 IIS 配置中的设置应用程序池设置的建议。为此,请转到站点应用程序池的高级设置,然后将“加载用户配置文件”设置为 true。当此设置为 false 时,显然无法访问密钥容器。
I tried Randy's solution of changing it to MachineKeySet, but then got the error message:
"key not valid for use in specified state"
So after a little googling around I found a post that suggested changing it to:
and this sorted out my issues.
I haven't yet tried the suggestion to change the setting app pool setting in the IIS configuration. To do this go to the Advanced Settings for your site's app pool then set "load user profile" to true. When this setting is false, the key containers aren't accessible apparently.