我正在尝试从路径加载证书并在 Windows 服务器上收到内部服务器错误。当我在 Windows 10 上执行此操作时,一切正常。
控制台应用程序代码不工作
var path = args[0];
var password = args[1];
var certificate2 = new X509Certificate2(path, password);
但是出现错误
Unhandled exception. Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred.
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(String fileName, String password)
at CertCoreTest.Program.Main(String[] args) in C:\Users\Admin\Documents\Visual Studio 2019\Projects\CertTest\CertCoreTest\Program.cs:line 12
破解工作代码(不知道为什么它有效)
var path = args[0];
var password = args[1];
Chilkat.Cert cert = new Chilkat.Cert();
var success = cert.LoadPfxData(File.ReadAllBytes(path), password);
if (success == false)
{
throw new Exception(cert.LastErrorText);
}
var bytes = cert.ExportToPfxData(password, true);
var ceeert = new X509Certificate2(bytes, password);
如何在不使用 chilkat 库的情况下使其在 Windows 服务器上工作?
如果您的代码在 IIS 下的 Web 应用程序中运行:
否则,尝试指定 UserKeySet(PFX 内部可能包含“使用机器存储”标记):
var path = args[0];
var password = args[1];
var certificate2 = new X509Certificate2(path, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
否则,在本地计算机上安装证书并尝试通过指纹从存储加载:
string certificateThumbprint = "<...thumbprint...>";
X509Certificate2 certificate = null;
using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine)) {
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection certificates =
store.Certificates.Find(X509FindType.FindByThumbprint,
certificateThumbprint, false);
if (certificates.Count > 0)
certificate = certificates[0];
}
如果上述方法失败,则可能无法使用 Windows 2012 内置工具将 .p12 文件导入到 Windows 2012 中。要检查: 对于每个 PKCS #12 文件,您可以尝试以下操作:发出命令
certutil -asn <filename> | findstr /i "pb aes des sha"如果输出开始如下:
| | | | | ; 1.2.840.113549.1.12.1.3 szOID_PKCS_12_pbeWithSHA1And3KeyTripleDES
然后应该可以将 PKCS #12 文件导入到 Windows 2016 中。
如果输出开始如下:
| | | | | ; 1.2.840.113549.1.5.13 szOID_PKCS_5_PBES2
| | | | | | ; 1.2.840.113549.1.5.12 szOID_PKCS_5_PBKDF2
| | | | | ; 2.16.840.1.101.3.4.1.42 aes256
或类似的情况,则 PKCS #12 文件可能无法使用内置的 Windows 2016 工具导入到 Windows 2016 中。您必须使用 TripleDES 和 SHA1 重新创建 PKCS #12 文件。” - 请参阅线程:https://learn.microsoft.com/en-us/answers/questions/518605/importing-a-pkcs12-to-windows -server-2016.html
使用本地计算机存储来获取私钥:
X509Certificate2 cert = new X509Certificate2("yourhost.pfx", "password", X509KeyStorageFlags.MachineKeySet);
MachineKeySet被描述为私钥存储在本地计算机存储中而不是当前用户存储中。没有标志的默认设置是放置在用户存储中。
即使您从磁盘读取证书并将其存储在对象中,私钥仍存储在 Microsoft Cryptographic API 加密服务提供商密钥数据库中。 在托管服务器上,
ASP.NET另一种方法:(如果您将应用程序控制台更改为Web)
修改 IIS 配置或应用程序池标识——这确实有效。但是,这假设可以访问这些配置项,但情况可能并非如此(例如在共享托管环境中)。
您可以阅读有关 MSDN.System.Security.Cryptography.X509Certificates 的更多信息
您是否尝试过将字节数据传递到
X509Certificate2从 HTTP 调用加载时我遇到了类似的问题。我必须通过
cert.GetRawCertData()using System;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.IO;
using System.Security.Cryptography.X509Certificates;
class CertInfo
{
//Reads a file.
internal static byte[] ReadFile (string fileName)
{
FileStream f = new FileStream(fileName, FileMode.Open, FileAccess.Read);
int size = (int)f.Length;
byte[] data = new byte[size];
size = f.Read(data, 0, size);
f.Close();
return data;
}
//Main method begins here.
static void Main(string[] args)
{
//Test for correct number of arguments.
if (args.Length < 1)
{
Console.WriteLine("Usage: CertInfo <filename>");
return;
}
try
{
X509Certificate2 x509 = new X509Certificate2();
//Create X509Certificate2 object from .cer file.
byte[] rawData = ReadFile(args[0]);
x509.Import(rawData);
//Print to console information contained in the certificate.
Console.WriteLine("{0}Subject: {1}{0}", Environment.NewLine, x509.Subject);
Console.WriteLine("{0}Issuer: {1}{0}", Environment.NewLine, x509.Issuer);
Console.WriteLine("{0}Version: {1}{0}", Environment.NewLine, x509.Version);
Console.WriteLine("{0}Valid Date: {1}{0}", Environment.NewLine, x509.NotBefore);
Console.WriteLine("{0}Expiry Date: {1}{0}", Environment.NewLine, x509.NotAfter);
Console.WriteLine("{0}Thumbprint: {1}{0}", Environment.NewLine, x509.Thumbprint);
Console.WriteLine("{0}Serial Number: {1}{0}", Environment.NewLine, x509.SerialNumber);
Console.WriteLine("{0}Friendly Name: {1}{0}", Environment.NewLine, x509.PublicKey.Oid.FriendlyName);
Console.WriteLine("{0}Public Key Format: {1}{0}", Environment.NewLine, x509.PublicKey.EncodedKeyValue.Format(true));
Console.WriteLine("{0}Raw Data Length: {1}{0}", Environment.NewLine, x509.RawData.Length);
Console.WriteLine("{0}Certificate to string: {1}{0}", Environment.NewLine, x509.ToString(true));
Console.WriteLine("{0}Certificate to XML String: {1}{0}", Environment.NewLine, x509.PublicKey.Key.ToXmlString(false));
//Add the certificate to a X509Store.
X509Store store = new X509Store();
store.Open(OpenFlags.MaxAllowed);
store.Add(x509);
store.Close();
}
catch (DirectoryNotFoundException)
{
Console.WriteLine("Error: The directory specified could not be found.");
}
catch (IOException)
{
Console.WriteLine("Error: A file in the directory could not be accessed.");
}
catch (NullReferenceException)
{
Console.WriteLine("File must be a .cer file. Program does not have access to that type of file.");
}
}
}
设置 MachineKeySet 标志将解决加载证书的问题,但在尝试使用它进行签名或解密时,您最终会收到“访问被拒绝”错误,因此您将切换到 BoucyCastle。