如何授予ASP.NET访问证书存储区中证书的私钥的权限？

111

我有一个ASP.NET应用程序，可以访问证书存储区中证书的私钥。在Windows Server 2003上，我可以使用winhttpcertcfg.exe授予对NETWORK SERVICE帐户的私钥访问权限。如何在IIS 7.5网站中的Windows Server 2008 R2上授予访问证书存储区（本地计算机\个人）中证书的私钥的权限？

我尝试授予对“每个人”，“ IIS AppPool \ DefaultAppPool”，“ IIS_IUSRS”以及我可以使用证书MMC（Server 2008 R2）找到的所有其他安全帐户的完全信任访问权限。但是，以下代码演示该代码无权访问随私钥一起导入的证书的私钥。每次访问私钥属性时，代码都会引发错误。

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<%@ Import Namespace="System.Security.Cryptography.X509Certificates" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Repeater ID="repeater1" runat="server">
            <HeaderTemplate>
                <table>
                    <tr>
                        <td>
                            Cert
                        </td>
                        <td>
                            Public Key
                        </td>
                        <td>
                            Private Key
                        </td>
                    </tr>
            </HeaderTemplate>
            <ItemTemplate>
                <tr>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).GetNameInfo(X509NameType.SimpleName, false) %>
                    </td>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).HasPublicKeyAccess() %>
                    </td>
                    <td>
                    <%#((X509Certificate2)Container.DataItem).HasPrivateKeyAccess() %>
                    </td>
                </tr>
            </ItemTemplate>
            <FooterTemplate>
                </table></FooterTemplate>
        </asp:Repeater>
    </div>
    </form>
</body>
</html>

Default.aspx.cs

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.UI;
public partial class _Default : Page 
{
    public X509Certificate2Collection Certificates;
    protected void Page_Load(object sender, EventArgs e)
    {
        // Local Computer\Personal
        var store = new X509Store(StoreLocation.LocalMachine);
        // create and open store for read-only access
        store.Open(OpenFlags.ReadOnly);
        Certificates = store.Certificates;
        repeater1.DataSource = Certificates;
        repeater1.DataBind();
    }
}
public static class Extensions
{
    public static string HasPublicKeyAccess(this X509Certificate2 cert)
    {
        try
        {
            AsymmetricAlgorithm algorithm = cert.PublicKey.Key;
        }
        catch (Exception ex)
        {
            return "No";
        }
        return "Yes";
    }
    public static string HasPrivateKeyAccess(this X509Certificate2 cert)
    {
        try
        {
            string algorithm = cert.PrivateKey.KeyExchangeAlgorithm;
        }
        catch (Exception ex)
        {
            return "No";
        }
        return "Yes";
    }
}

— 泰晤士河
source

195

创建/购买证书。确保它具有私钥。
将证书导入“本地计算机”帐户。最好使用证书MMC。确保选中“允许私钥导出”
基于此，IIS 7.5应用程序池的标识使用以下之一。
- IIS 7.5网站正在ApplicationPoolIdentity下运行。打开MMC =>添加证书（本地计算机）管理单元=>证书（本地计算机）=>个人=>证书=>右键单击感兴趣的证书=>所有任务=>管理私钥=>添加IIS AppPool\AppPoolName并授予它Full control。将“ AppPoolName ” 替换为应用程序池的名称（有时为IIS_IUSRS）
- IIS 7.5网站正在“网络服务”下运行。使用证书MMC，将“网络服务”添加到“本地计算机\个人”中对证书的完全信任。
- IIS 7.5网站正在“ MyIISUser”本地计算机用户帐户下运行。使用证书MMC，将“ MyIISUser”（新的本地计算机用户帐户）添加到“本地计算机\个人”中对证书的完全信任。

基于@Phil Hale评论的更新：

请注意，如果您使用的是域，则默认情况下会在“来自位置”框中选择您的域。确保将其更改为“本地计算机”。将位置更改为“本地计算机”以查看应用程序池标识。

— 泰晤士河
source

3

如何在Windows Server 2008 R2中配置（“ XXX”为对“本地计算机\个人”中的证书的完全信任）？运行/ mmc /文件/添加管理单元/证书和??? 谢谢

— Cobaia

7

当您向本地计算机\个人打开MMC证书时，单击“证书”以查看证书。（注意：以下内容假定证书已经导入，如果尚未导入，则先导入证书）右键单击要授予“完全控制”权限的证书。在上下文菜单中，单击“所有任务”，然后在子菜单中单击“管理私钥”。在这里，您可以添加任何您想要对证书的私钥进行“读取”访问的用户。

— 泰晤士河

5

确保在“来自位置”框中选择了本地计算机。这让我难过了一会儿。默认情况下，该域处于选中状态，因此在我将位置更改为本地计算机之前，它找不到应用程序池标识用户

— Phil Hale 2012年

3

在AWS的Windows 2012 R2 EC2 VM（基于IIS 8）上，您需要授予IIS_IUSRS对证书私钥的访问权限

— DeepSpace101

4

任何想法如何通过PowerShell做到这一点？

— sonjz

43

关于通过MMC，证书，选择证书，右键单击所有任务，“管理私钥”授予权限的说明

“管理私钥”仅在“个人...”的菜单列表中。因此，如果您将证书放在“受信任的人”等中，则很不走运。

我们找到了一种对我们有用的方法。将证书拖放到“个人”，执行“管理私钥”以授予权限。记住要设置为使用对象类型内置函数，并使用本地计算机而非域。我们授予了DefaultAppPool用户权限，并保留了该权限。

完成后，将证书拖放回原来的位置。Presto。

— 加勒特·戈贝尔
source

是的，这很好。我在以下帖子的答案中提到了它，但是，即使接受的答案更长，并且需要下载WCF文件，另一个答案也被接受。stackoverflow.com/questions/10580326/...

— 泰晤士

2

Win2003服务器的任何解决方案？它没有像Windows 7这样的“管理私钥”选项

— sonjz 2012年

1

@sonjz-查看此technet，它提到使用命令行winhttpcertcfg

— mlhDev

如果除个人以外的其他任何用途都需要用于证书的私钥，则很可能您在做错什么...所有其他位置都用于您信任的其他/外部实体。您不应该拥有他们的私钥。他们的公钥（证书）应该足够了。我什至不敢说，如果您拥有他们的私钥，就不要信任他们。

— 马丁

15

如果你正试图从IIS中的.pfx文件加载证书的解决方案可能是简单的启用该选项的Application Pool。

右键单击“应用程序池”，然后选择Advanced Settings。

然后启用 Load User Profile

— 西蒙·韦弗
source

1

为什么这会有所作为？

— MichaelD

3

它必须只是将窗户连接起来的方式。它可能是暂时将配置文件加载到用户配置文件中，因此需要此选项。我同意奇怪的是，当从IIS可以访问的文件进行加载时，这是必需的。

— Simon_Weaver

当我为PDF设置数字签名时，这对我有帮助。

— Fred Wilson

7

我想出了在Powershell中有人问过的方法：

$keyname=(((gci cert:\LocalMachine\my | ? {$_.thumbprint -like $thumbprint}).PrivateKey).CspKeyContainerInfo).UniqueKeyContainerName
$keypath = $env:ProgramData + “\Microsoft\Crypto\RSA\MachineKeys\”
$fullpath=$keypath+$keyname

$Acl = Get-Acl $fullpath
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("IIS AppPool\$iisAppPoolName", "Read", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $fullpath $Acl

— 伊恩·罗伯逊
source

6

对我而言，无非就是重新选中“允许导出私钥”的证书。

我认为这是有必要的，但这确实使我感到紧张，因为它是访问此证书的第三方应用程序。

— 内森·哈特利
source

谢谢，我这样做是这样的：X509Certificate2 cert = new X509Certificate2（certBytes，password，X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet）;

— Juan Lozoya

1

补充答案，这是查找证书的私钥并添加权限的指南。

这是在指南中找到FindPrivateKey.exe的指南，用于查找证书的私钥。

— 胡安·洛佐亚（Juan Lozoya）
source

0

尽管我已经参加了上述会议，但经过多次尝试，我还是来到了这一点。1-如果要从商店访问证书，则可以作为示例进行此操作2-生成证书并通过路径使用它更容易，更清洁

Asp.net Core 2.2 OR1：

using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Crypto.Prng;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;

namespace Tursys.Pool.Storage.Api.Utility
{
    class CertificateManager
    {
        public static X509Certificate2 GetCertificate(string caller)
        {
            AsymmetricKeyParameter caPrivateKey = null;
            X509Certificate2 clientCert;
            X509Certificate2 serverCert;

            clientCert = GetCertificateIfExist("CN=127.0.0.1", StoreName.My, StoreLocation.LocalMachine);
            serverCert = GetCertificateIfExist("CN=MyROOTCA", StoreName.Root, StoreLocation.LocalMachine);
            if (clientCert == null || serverCert == null)
            {
                var caCert = GenerateCACertificate("CN=MyROOTCA", ref caPrivateKey);
                addCertToStore(caCert, StoreName.Root, StoreLocation.LocalMachine);

                clientCert = GenerateSelfSignedCertificate("CN=127.0.0.1", "CN=MyROOTCA", caPrivateKey);
                var p12 = clientCert.Export(X509ContentType.Pfx);

                addCertToStore(new X509Certificate2(p12, (string)null, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet), StoreName.My, StoreLocation.LocalMachine);
            }

            if (caller == "client")
                return clientCert;

            return serverCert;
        }

        public static X509Certificate2 GenerateSelfSignedCertificate(string subjectName, string issuerName, AsymmetricKeyParameter issuerPrivKey)
        {
            const int keyStrength = 2048;

            // Generating Random Numbers
            CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
            SecureRandom random = new SecureRandom(randomGenerator);

            // The Certificate Generator
            X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

            // Serial Number
            BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
            certificateGenerator.SetSerialNumber(serialNumber);

            // Signature Algorithm
            //const string signatureAlgorithm = "SHA256WithRSA";
            //certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

            // Issuer and Subject Name
            X509Name subjectDN = new X509Name(subjectName);
            X509Name issuerDN = new X509Name(issuerName);
            certificateGenerator.SetIssuerDN(issuerDN);
            certificateGenerator.SetSubjectDN(subjectDN);

            // Valid For
            DateTime notBefore = DateTime.UtcNow.Date;
            DateTime notAfter = notBefore.AddYears(2);

            certificateGenerator.SetNotBefore(notBefore);
            certificateGenerator.SetNotAfter(notAfter);

            // Subject Public Key
            AsymmetricCipherKeyPair subjectKeyPair;
            var keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
            var keyPairGenerator = new RsaKeyPairGenerator();
            keyPairGenerator.Init(keyGenerationParameters);
            subjectKeyPair = keyPairGenerator.GenerateKeyPair();

            certificateGenerator.SetPublicKey(subjectKeyPair.Public);

            // Generating the Certificate
            AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;

            ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);
            // selfsign certificate
            Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);


            // correcponding private key
            PrivateKeyInfo info = PrivateKeyInfoFactory.CreatePrivateKeyInfo(subjectKeyPair.Private);


            // merge into X509Certificate2
            X509Certificate2 x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());

            Asn1Sequence seq = (Asn1Sequence)Asn1Object.FromByteArray(info.PrivateKeyAlgorithm.GetDerEncoded());
            if (seq.Count != 9)
            {
                //throw new PemException("malformed sequence in RSA private key");
            }

            RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(info.ParsePrivateKey());
            RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
                rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

            try
            {
                var rsap = DotNetUtilities.ToRSA(rsaparams);
                x509 = x509.CopyWithPrivateKey(rsap);

                //x509.PrivateKey = ToDotNetKey(rsaparams);
            }
            catch(Exception ex)
            {
                ;
            }
            //x509.PrivateKey = DotNetUtilities.ToRSA(rsaparams);
            return x509;

        }

        public static AsymmetricAlgorithm ToDotNetKey(RsaPrivateCrtKeyParameters privateKey)
        {
            var cspParams = new CspParameters
            {
                KeyContainerName = Guid.NewGuid().ToString(),
                KeyNumber = (int)KeyNumber.Exchange,
                Flags = CspProviderFlags.UseMachineKeyStore
            };

            var rsaProvider = new RSACryptoServiceProvider(cspParams);
            var parameters = new RSAParameters
            {
                Modulus = privateKey.Modulus.ToByteArrayUnsigned(),
                P = privateKey.P.ToByteArrayUnsigned(),
                Q = privateKey.Q.ToByteArrayUnsigned(),
                DP = privateKey.DP.ToByteArrayUnsigned(),
                DQ = privateKey.DQ.ToByteArrayUnsigned(),
                InverseQ = privateKey.QInv.ToByteArrayUnsigned(),
                D = privateKey.Exponent.ToByteArrayUnsigned(),
                Exponent = privateKey.PublicExponent.ToByteArrayUnsigned()
            };

            rsaProvider.ImportParameters(parameters);
            return rsaProvider;
        }

        public static X509Certificate2 GenerateCACertificate(string subjectName, ref AsymmetricKeyParameter CaPrivateKey)
        {
            const int keyStrength = 2048;

            // Generating Random Numbers
            CryptoApiRandomGenerator randomGenerator = new CryptoApiRandomGenerator();
            SecureRandom random = new SecureRandom(randomGenerator);

            // The Certificate Generator
            X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();

            // Serial Number
            BigInteger serialNumber = BigIntegers.CreateRandomInRange(BigInteger.One, BigInteger.ValueOf(Int64.MaxValue), random);
            certificateGenerator.SetSerialNumber(serialNumber);

            // Signature Algorithm
            //const string signatureAlgorithm = "SHA256WithRSA";
            //certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

            // Issuer and Subject Name
            X509Name subjectDN = new X509Name(subjectName);
            X509Name issuerDN = subjectDN;
            certificateGenerator.SetIssuerDN(issuerDN);
            certificateGenerator.SetSubjectDN(subjectDN);

            // Valid For
            DateTime notBefore = DateTime.UtcNow.Date;
            DateTime notAfter = notBefore.AddYears(2);

            certificateGenerator.SetNotBefore(notBefore);
            certificateGenerator.SetNotAfter(notAfter);

            // Subject Public Key
            AsymmetricCipherKeyPair subjectKeyPair;
            KeyGenerationParameters keyGenerationParameters = new KeyGenerationParameters(random, keyStrength);
            RsaKeyPairGenerator keyPairGenerator = new RsaKeyPairGenerator();
            keyPairGenerator.Init(keyGenerationParameters);
            subjectKeyPair = keyPairGenerator.GenerateKeyPair();

            certificateGenerator.SetPublicKey(subjectKeyPair.Public);

            // Generating the Certificate
            AsymmetricCipherKeyPair issuerKeyPair = subjectKeyPair;

            // selfsign certificate
            //Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);

            ISignatureFactory signatureFactory = new Asn1SignatureFactory("SHA512WITHRSA", issuerKeyPair.Private, random);
            // selfsign certificate
            Org.BouncyCastle.X509.X509Certificate certificate = certificateGenerator.Generate(signatureFactory);


            X509Certificate2 x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(certificate.GetEncoded());

            CaPrivateKey = issuerKeyPair.Private;

            return x509;
            //return issuerKeyPair.Private;

        }

        public static bool addCertToStore(System.Security.Cryptography.X509Certificates.X509Certificate2 cert, System.Security.Cryptography.X509Certificates.StoreName st, System.Security.Cryptography.X509Certificates.StoreLocation sl)
        {
            bool bRet = false;

            try
            {
                X509Store store = new X509Store(st, sl);
                store.Open(OpenFlags.ReadWrite);
                store.Add(cert);

                store.Close();
            }
            catch
            {

            }

            return bRet;
        }

        protected internal static X509Certificate2 GetCertificateIfExist(string subjectName, StoreName store, StoreLocation location)
        {
            using (var certStore = new X509Store(store, location))
            {
                certStore.Open(OpenFlags.ReadOnly);
                var certCollection = certStore.Certificates.Find(
                                           X509FindType.FindBySubjectDistinguishedName, subjectName, false);
                X509Certificate2 certificate = null;
                if (certCollection.Count > 0)
                {
                    certificate = certCollection[0];
                }
                return certificate;
            }
        }

    }
}

或2：

    services.AddDataProtection()
//.PersistKeysToFileSystem(new DirectoryInfo(@"c:\temp-keys"))
.ProtectKeysWithCertificate(
        new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "clientCert.pfx"), "Password")
        )
.UnprotectKeysWithAnyCertificate(
        new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "clientCert.pfx"), "Password")
        );

— 哈米特·伊尔德里姆
source

0

在“证书面板”中，右键单击某些证书->所有任务->管理私钥->添加具有完全控制权的IIS_IUSRS用户

就我而言，我不需要安装“允许导出私钥”选项的证书，就如其他答案中所述。

— 费尔南多·梅内塞斯·戈麦斯
source