“找不到用于解密的证书和私钥”对于带有私钥的证书 pfx pkcs#12

发布于 2024-09-28 02:16:39 字数 1617 浏览 10 评论 0原文

我有以下 .Net 代码（asp.net）用于使用客户端证书进行签名。

我的客户端证书存储在本地计算机而不是当前用户下。

客户端证书是 pfx pkcs#12 并具有私钥

导入的私钥未标记为可导出。

我的客户端证书中的私钥受密码保护。

在上面的最后一行，我收到错误“找不到证书和用于解密的私钥”。

使用我的代码时，私钥似乎无法访问。

我是否可以将私钥与我的客户端证书关联起来？有什么建议吗？

public void FirmarConCertificado(string nombreCertificado, X509Certificate2 certificate) 
{ 
    try 
    { 
 var mensaje = "Datos de prueba"; 
                System.Text.Encoding enc = System.Text.Encoding.Default; 
                byte[] data = enc.GetBytes(mensaje); 

                var contentInfo = new System.Security.Cryptography.Pkcs.ContentInfo(data); 
                var signedCms = new System.Security.Cryptography.Pkcs.SignedCms(contentInfo, true); 

                var cmsSigner = new System.Security.Cryptography.Pkcs.CmsSigner(certificate); 

                //  Sign the CMS/PKCS #7 message 
                signedCms.ComputeSignature(cmsSigner);  // <<<<<<< FAILS HERE

                //  Encode the CMS/PKCS #7 message 
               var ret = Convert.ToBase64String(signedCms.Encode()); 

 Message.Text += "Firmado con Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine; 
 } 
 catch (Exception ex) 
 { 
 Message.Text = "Error al firmar con certificado: " + ex.ToString(); 
 Message.Text += "<br /><br />InnerException: " + ex.InnerException; 
 } 

}

编辑：可能是 AppPool 中的身份问题。用户在 LocalMachine Store 中安装证书的身份必须是网站 AppPool 的身份，并且位于 IIS_WPG 组中

解决方案：在域中创建用户，将其添加到 IIS_WPG 组中，将其添加为“身份 AppPool” 使用创建的用户在 Store Local Computer 中安装证书。。

原文

I have the following .Net code (asp.net) for sign using client certificate.

I have client certificate stored under local computer and not the current user.

The client certificate is pfx pkcs#12 and has private key

Imported private key are NOT marked as exportable.

my private key in client certificate protected by password.

On the last line above, I get the error "Cannot find the certificate
and private key for decryption ".

It looks like the Private Key is not accessible when using my code.

Is there anyway for me to associate the private key to my client certificate ? Any suggestions ?

public void FirmarConCertificado(string nombreCertificado, X509Certificate2 certificate) 
{ 
    try 
    { 
 var mensaje = "Datos de prueba"; 
                System.Text.Encoding enc = System.Text.Encoding.Default; 
                byte[] data = enc.GetBytes(mensaje); 

                var contentInfo = new System.Security.Cryptography.Pkcs.ContentInfo(data); 
                var signedCms = new System.Security.Cryptography.Pkcs.SignedCms(contentInfo, true); 

                var cmsSigner = new System.Security.Cryptography.Pkcs.CmsSigner(certificate); 

                //  Sign the CMS/PKCS #7 message 
                signedCms.ComputeSignature(cmsSigner);  // <<<<<<< FAILS HERE

                //  Encode the CMS/PKCS #7 message 
               var ret = Convert.ToBase64String(signedCms.Encode()); 

 Message.Text += "Firmado con Certificado " + nombreCertificado + " encontrado en " + StoreLocation.LocalMachine; 
 } 
 catch (Exception ex) 
 { 
 Message.Text = "Error al firmar con certificado: " + ex.ToString(); 
 Message.Text += "<br /><br />InnerException: " + ex.InnerException; 
 } 

}

EDIT: Perhaps problems with identity in AppPool. The user that install the certificate in LocalMachine Store must be identity of AppPool of WebSite, and are in IIS_WPG group.

SOLUTION: Create user in domain, add it in IIS_WPG group, add it as Identity AppPool. Install certificates in Store Local Computer using that user created.

分享到QQ

分享到微博