Unable to sign security token with certificate in WIF scenario
I'm trying to implement a custom STS for a WIF scenario I'm investigating, but it's failing. It's failing when trying to obtain the private key from the certificate used to sign the tokens. I create the STS with the following configuration:
var signingCert = new X509Certificate2(@"C:\<path>\MySigningCertificate.pfx");
var config = new SecurityTokenServiceConfiguration()
{
    DisableWsdl = true,
    TokenIssuerName = "Tribold",
    SecurityTokenService = typeof(TriboldSecurityTokenService),
    SigningCredentials = new X509SigningCredentials(signingCert),
    CertificateValidationMode = X509CertificateValidationMode.Custom,
    CertificateValidator = new CertificateValidator()
};
However, with WCF diagnostic logging configured, I get the following message in the Service Trace Viewer:
The private key is not present in the X.509 certificate.
This appears to be logged as the code comes out of my custom STS (i.e., after calling GetOutputClaimsIdentity(...) on my custom STS class), and therefore I can only assume that it's now trying to sign the issued security token and failing because it can't obtain a private key to do so.
The private key appears to be present on the loaded certificate:
Debug.Assert(signingCert.HasPrivateKey == true);
but it fails later on. I'm having no luck resolving this, please help!
Comments (2)

It looks like thread "cant use .pfx file for X.509 certificates" in the Geneva (= AD FS 2.0) forums covers the same problem which you report. So the resolution reported there might work, which is "specifying the X509KeyStorageFlags.PersistKeySet flag when initiating the X509Certificate2 object".

I'd be surprised if you didn't have to specify a password when opening a PFX file. X509Certificate2 has overloads that take a password in the form of a string or a SecureString.
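The following is an added example, not code from the question or either comment, that combines both suggestions above: it opens the PFX with a password and the X509KeyStorageFlags.PersistKeySet flag, and then goes one step beyond the question's Debug.Assert on HasPrivateKey by actually signing and verifying a constructed buffer, since HasPrivateKey only reports that the certificate references a key container, not that the key is usable from the current process. The PFX path, the password, the MachineKeySet choice and the helper class name are assumptions; the path placeholder is taken from the question.

```csharp
using System;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not from the original question or comments. Loads the STS
// signing certificate with the flags suggested in the comments and proves the
// private key is usable before handing the certificate to X509SigningCredentials.
public static class SigningCertificateLoader
{
    public static X509Certificate2 LoadSigningCertificate(string pfxPath, SecureString password, bool useMachineKeySet)
    {
        // PersistKeySet keeps the imported key container instead of deleting it when
        // the X509Certificate2 object is finalized, which is what the first comment
        // (citing the Geneva forum thread) recommends.
        X509KeyStorageFlags flags = X509KeyStorageFlags.PersistKeySet;

        // Assumption: an STS hosted under a service account (e.g. in IIS) usually has
        // no loaded user profile, so the key must go into the machine key store.
        if (useMachineKeySet)
        {
            flags |= X509KeyStorageFlags.MachineKeySet;
        }

        // Second comment: a PFX normally needs its password; this overload takes a SecureString.
        var cert = new X509Certificate2(pfxPath, password, flags);

        if (!cert.HasPrivateKey)
        {
            throw new CryptographicException("PFX contains no private key for " + cert.Subject);
        }
        return cert;
    }

    // HasPrivateKey == true is necessary but not sufficient: the key container may be
    // unreadable or already gone. The only reliable check is to use the key.
    public static bool CanSign(X509Certificate2 cert)
    {
        try
        {
            using (RSA privateKey = cert.GetRSAPrivateKey())
            {
                if (privateKey == null)
                {
                    return false; // not an RSA key, or the key container is unreachable
                }

                byte[] data = Encoding.UTF8.GetBytes("wif-sts-signing-self-check"); // constructed test input
                byte[] signature = privateKey.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                using (RSA publicKey = cert.GetRSAPublicKey())
                {
                    return publicKey.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
                }
            }
        }
        catch (CryptographicException ex)
        {
            // This is the situation from the question: the certificate claims a private
            // key, but the STS cannot use it when it tries to sign the issued token.
            Console.Error.WriteLine("Private key is referenced but not usable: " + ex.Message);
            return false;
        }
    }

    public static void Main()
    {
        // Placeholder path (from the question) and placeholder password: replace both.
        string pfxPath = @"C:\<path>\MySigningCertificate.pfx";
        var password = new SecureString();
        foreach (char c in "<pfx-password>")
        {
            password.AppendChar(c);
        }
        password.MakeReadOnly();

        X509Certificate2 signingCert = LoadSigningCertificate(pfxPath, password, useMachineKeySet: true);
        Console.WriteLine("Loaded {0}: HasPrivateKey={1}, CanSign={2}",
            signingCert.Subject, signingCert.HasPrivateKey, CanSign(signingCert));

        // If CanSign is true, signingCert can be passed to
        // new X509SigningCredentials(signingCert) in the
        // SecurityTokenServiceConfiguration shown in the question.
    }
}
```

Run this once under the same identity that hosts the STS (the application pool or Windows service account), not only under the developer's interactive login: with MachineKeySet the key container lands in the machine store, and a key that the developer can read may still be inaccessible to the service account until that account is granted read access to the container.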