我在本地服务器上放置哪个证书存储
我已经为我们正在开发的.NET 6应用程序设置了Azure KeyVault。
它基本上由;
- 创建证书
- 将证书安装到您的个人用户商店中,
- 将其添加到相关的Azure应用程序注册中,
- 添加访问策略
- 将以下代码添加到该应用程序中
using var x509Store = new X509Store(StoreLocation.CurrentUser);
x509Store.Open(OpenFlags.ReadOnly);
var x509Certificate = x509Store.Certificates
.Find(
X509FindType.FindByThumbprint,
builder.Configuration.GetSection("AzureAd")["CertificateThumbprint"],
validOnly: false)
.OfType<X509Certificate2>()
.Single();
builder.Configuration.AddAzureKeyVault(
new Uri($"https://{builder.Configuration.GetSection("KeyVault")["Name"]}.vault.azure.net/"),
new ClientCertificateCredential(
builder.Configuration.GetSection("AzureAd")["DirectoryId"],
builder.Configuration.GetSection("AzureAd")["ApplicationId"],
x509Certificate));
,并且在本地运行时可以很好地工作。我现在的问题是我需要将其部署到运行IIS的本地服务器。
该行
using var x509Store = new X509Store(StoreLocation.CurrentUser);
告诉它搜索“当前用户”证书存储。在本地运行时,这是可以的,就像我一样,但是在服务器上运行时,特别是IIS 10的Windows Server 2019,是谁,这甚至是正确的事情。
我的问题归结为两件事。
1-如果我按原样使用此代码,那么在服务器上运行时是“ currentuser”。我认为这是ApplicationPoolidentity用户(IISAPPPOOL/nameOfPool)。如果是这样,我该如何将证书添加到他们的商店?
2-另外,我假设我可以将storelocation.currentuser更改为storelocation.localmachine,然后将证书安装到本地计算机上。这应该有效,但是是否有缺点?
I've set up Azure KeyVault for a .NET 6 application we have in development.
I followed the instructions here - https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-6.0#use-application-id-and-x509-certificate-for-non-azure-hosted-apps
It basically consists of;
- Create a certificate
- Install the certificate into your Personal user store
- Add that to the relevant Azure App Registration
- Add the access policies
- Add the following bit of code to the app
using var x509Store = new X509Store(StoreLocation.CurrentUser);
x509Store.Open(OpenFlags.ReadOnly);
var x509Certificate = x509Store.Certificates
.Find(
X509FindType.FindByThumbprint,
builder.Configuration.GetSection("AzureAd")["CertificateThumbprint"],
validOnly: false)
.OfType<X509Certificate2>()
.Single();
builder.Configuration.AddAzureKeyVault(
new Uri(quot;https://{builder.Configuration.GetSection("KeyVault")["Name"]}.vault.azure.net/"),
new ClientCertificateCredential(
builder.Configuration.GetSection("AzureAd")["DirectoryId"],
builder.Configuration.GetSection("AzureAd")["ApplicationId"],
x509Certificate));
And that works perfectly when running locally. My issue now is I need to deploy this to an on-prem server running IIS.
This line
using var x509Store = new X509Store(StoreLocation.CurrentUser);
Tells it to search the 'Current Users' certificate store. This is fine when running locally, as that's me, but when running on a server, specifically a Windows Server 2019 with IIS 10, who is that, and is this even the right thing to do.
My question comes down to two things.
1 - If I use this code as is, who is the 'CurrentUser' when running on a server. I assume it is the ApplicationPoolIdentity user (IISAppPool/NameOfPool). If so, how do I add a certificate to their store?
2 - Alternatively, I assume I could change the StoreLocation.CurrentUser to StoreLocation.LocalMachine, and install the certificate to the local machine. This should work, but are there downsides to this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
只要证书不可启用,将商店设置为LocalMachine就可以了。
Setting the store to LocalMachine is fine as long as the cert is non-exportable.