我可以在 ASP.NET 中使用 X509Certificate2 而不使用证书存储吗?
我正在尝试在 Rackspace 云中的 ASP.NET Web 服务中使用 X509Certificate。我有一种感觉,存储在云节点上的证书可能会引起问题。我也有一个与此相关的问题,但我在 使用 iPhone Apple 推送通知提供程序 (apns-sharp) C# 时出现 SslStream.AuthenticateAsClient 异常
在 apns-sharp 项目中,我使用了以下代码:
certificate = new X509Certificate2(p12File)
但是,我收到了一个异常,并将代码更改为以下解决了X509Certificate2 异常。新代码如下:
certificate = new X509Certificate2(p12File, String.Empty, X509KeyStorageFlags.MachineKeySet);
我想知道是否可以在 ASP.NET 中使用 X509Certificate2 而不使用证书存储?证书存储是否会导致 Rackspace 云节点出现问题?
更新 #1 Rackspace 告诉我不允许访问本地计算机证书存储。还有其他方法可以绕过使用证书存储吗?也许使用第三方库?
I am trying to use an X509Certificate within an ASP.NET web service within the Rackspace Cloud. I have a feeling the certificate stores on the cloud nodes maybe causing problems. I also have a question related to this with the exception that I am receiving at SslStream.AuthenticateAsClient Exception when using iPhone Apple Push Notification Provider (apns-sharp) C#
Within the apns-sharp project I was using the following code:
certificate = new X509Certificate2(p12File)
However I received an exception and changing the code to the following resolved the X509Certificate2 exception. The new code is as follows:
certificate = new X509Certificate2(p12File, String.Empty, X509KeyStorageFlags.MachineKeySet);
I would like to know if I can use an X509Certificate2 within ASP.NET without using a certificate store? Would the certificate stores be causing problems with the Rackspace Cloud nodes?
Update #1 Rackspace tell me that access to the Local Machine Certificate store is not permitted. Is there any other way to bypass using the certificate store? Maybe using a third party library?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
第一个构造函数不起作用的原因是 ASP.NET 不加载用户配置文件存储,如果您不使用
X509KeyStorageFlags指定存储位置,则该存储是默认存储。但是,机器存储始终由 ASP.NET 加载,这就是第二个构造函数起作用的原因。我假设您打算使用证书上的私钥进行加密或创建数字签名(散列),在这种情况下,您无法避免使用证书存储,因为只能从导入的证书以编程方式访问私钥,并且不直接来自 blob 或文件。
我认为如果证书数据仅包含公钥(因为没有要保护的敏感数据),则不会使用证书存储 - 我注意到,当我打算使用证书时,我只需要指定机器存储包含私钥。
不过,我无法评论 Rackspace 的情况 - 在部分受信任的环境中运行的代码中导入证书可能会出现问题,因为加载私钥容器需要特定的权限,而这些权限可能不会授予您的程序集。
The reason the first constructor doesn't work is that ASP.NET does not load the user profile store, which is the default store if you don't specify a storage location using
X509KeyStorageFlags. However, the machine store is always loaded by ASP.NET, which is why the second constructor works.I'm assuming that you intend to use the private key on the certificate for encryption or creating digital signatures (hashing), in which case you can't avoid using a certificate store as private keys can only be accessed programmatically from imported certificates, and not directly from blobs or files.
I don't think the certificate store is used if the certificate data only contains the public key (as there is no sensitive data to protect) - I've noticed that I only need to specify the machine store when I intend to work with certificates that contain a private key.
I can't comment on the Rackspace situation though - there may be issues with importing certificates in code running in a partially-trusted environment, as loading a private key container demands specific permissions that may not be granted to your assembly.
我已经从文件中导入了 X509Certificate2,并使用此代码提供了私钥和公钥:
我的经验是让它工作的关键是 X509KeyStorageFlags.Exportable。没有它,我就无法访问私钥。
I have imported an X509Certificate2 from a file and have both the private key and public key available using this code:
My experience was that the key to having it work was the X509KeyStorageFlags.Exportable. Without that, I could not access the private key.