Windows 服务的 X509 证书存储在哪里?
我有一个 Windows 服务,通常使用本地系统帐户运行(尽管在某些安装中它可能作为特定的用户帐户)。
该服务使用 WCF,并使用 X509 证书保护通信。
我的问题是,存储证书(和私钥)的最佳位置在哪里?
如果使用证书存储是最佳方法,我应该使用哪一种来确保只有管理员和服务才能访问私钥?
或者,一个简单的选择是将两者简单地存储为磁盘上的 PFX 文件,并使用 ACL 确保只有管理员和服务可以访问它。与使用证书存储相比,这种方法有哪些优缺点?
编辑 澄清一下,我将 C# 与 .NET Framework 3.5 一起使用
I have a Windows service that will normally be run using the Local System Account (although in some installations it may as a specific user account).
The service is using WCF, with communication secured using X509 certificates.
My question is, where is the best place to store the certificate (and private key)?
If using a certificate store is the best approach, which one should I use to ensure that only Administrators and the service can access the private key?
Alternatively, a simple option would be to simply store both as a PFX file on disk, and use ACLs to ensure only Administrators and the service have access to it. What are the pros and cons of this approach vs using a certificate store?
EDIT
To clarify, I am using C# with the .NET Framework 3.5
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
首先,我建议您将证书保存在证书存储中,并将私钥保存为不可导出。现在一些论点。
有不同的方法可以在机器上保存私人秘密或其他私人信息。最旧的方法是
LsaStorePrivateData
和LsaRetrievePrivateData
API(请参阅 http://msdn.microsoft.com/en-us/library/ms721818%28VS.85%29.aspx)。它对秘密的数量有限制,但所有秘密可以分为本地、全局和机器。下一种方法是使用 DPAPI(请参阅 http://msdn.microsoft.com/en -us/library/ms995355.aspx):在我们的例子中,
CryptProtectData
和CryptUnprotectData
。我添加对这两种方法的引用是因为您想要比较不同的可能方法以确保您的方法最适合您的任务。
我认为您应该问的最重要的问题是:保护我的私钥的最佳方法是什么?我认为你应该选择保护你的密钥不被复制的方式。所以我建议您使用证书存储。在证书存储中,您可以保存标记为不可导出的私钥。我认为这是主要优点。您可以通过不同的方式部署带有相应私钥的证书。请确保保存在计算机上的私钥未标记为可导出。
使用磁盘上的 PFX 文件不会给您带来这种优势。此外,您的 PFX 未加密,或者您遇到应将密码保存到 PFX 文件的问题。因此,您必须使用 DPAPI(
CryptProtectData
和CryptUnprotectData
)或 LSA API(LsaStorePrivateData
和LsaRetrievePrivateData
)和密码可以导出。First of all I recommend you to hold certificate in a certificate store with private key saved as non exportable. Now some arguments.
There are different ways to save on a machine a private secret or other private information. The most old way is
LsaStorePrivateData
andLsaRetrievePrivateData
API (see http://msdn.microsoft.com/en-us/library/ms721818%28VS.85%29.aspx). It has restriction to the number of secrets, but all secrets can be divided to local, global, and machine.Next way is using DPAPI (see http://msdn.microsoft.com/en-us/library/ms995355.aspx):
CryptProtectData
andCryptUnprotectData
in our case.I add references to this two ways because you want compare different possible ways to be sure that your way is the best for your task.
I think the most important question which you should ask is: which is the best way to protect my private key? I think you should choose the way, which protect your key to be copied. So I recommend you use certificate store. In a certificate store you can hold private key marked non exportable. This is the main advantage in my opinion. You can deploy the certificate with the corresponding private key with different ways. Be sure, that the private key saved on the machine are not marked as exportable.
Using of PFX file on disk gives you not this advantage. Moreover either your PFX is not encrypted or you receive a problem where you should save the password to the PFX file. So you have to use DPAPI (
CryptProtectData
andCryptUnprotectData
) or LSA API (LsaStorePrivateData
andLsaRetrievePrivateData
) and the password can be exported.