C# X509 certificate may not have access rights for the private key


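I am trying to import a certificate for the user through my application. This works on Server 2012 and Windows 10, but on older operating systems such as Windows 7 and Server 2008 R2 the import does not seem to work properly. Part of the work is done by a helper class that copies the certificate and assigns permissions.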

string path = Path.Combine(Path.GetDirectoryName(certLocation), "test_cert.pfx");
//Create the certificate and import it
_cert = new X509Certificate2();
_cert.Import(path, password, X509KeyStorageFlags.MachineKeySet);
X509CertHelper.CopyCertToStore(_cert, StoreName.My, StoreLocation.LocalMachine);
X509CertHelper.AddAccessToCertificate(_cert, Environment.UserName);
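
I added a permission call to set the permissions, which appears to work. However, when looking at the certificate manager and selecting "Manage Private Keys" from the context menu, I get two different results. On the newer operating systems, the permissions dialog correctly shows the newly added permission per the code, but on the older operating systems I just get a cryptic error, and when I start the service I get the following error:

The certificate 'CN=test' may not have a private key that is capable of key exchange or the process may not have access rights for the private key.

Any ideas on what might be wrong, or on extra steps needed for the older operating systems? I recently ran updates on this machine (Server 2008 R2) because I thought that might be the problem. I also need to do this in code. The code below sets the permissions: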

private static void AddAccessToCertificate(X509Certificate2 cert, string user)
{
    // Only CSP-backed RSA keys are handled; any other key type is skipped.
    RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;

    if (rsa != null)
    {
        // FindKeyLocation (not shown) returns the directory holding the key container file.
        string keyfilepath =
            FindKeyLocation(rsa.CspKeyContainerInfo.UniqueKeyContainerName);

        FileInfo file = new FileInfo(keyfilepath + "\\" +
            rsa.CspKeyContainerInfo.UniqueKeyContainerName);

        // Add an allow rule for the user to the key file's ACL.
        FileSecurity fs = file.GetAccessControl();

        NTAccount account = new NTAccount(user);
        fs.AddAccessRule(new FileSystemAccessRule(account,
            FileSystemRights.FullControl, AccessControlType.Allow));

        file.SetAccessControl(fs);
    }
}

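You have to use the CurrentUser store to store user certificates. There is no need to install user certificates in the machine store.

The certificate may be used by a service or when running in console mode. Why is using the machine store a problem?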
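
A sketch of the CurrentUser-store import the answer recommends, followed by a check that the stored key can actually perform key exchange. This is an added example, not code from the question or the answer; the class and method names and the choice of the `UserKeySet | PersistKeySet` flags are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not the X509CertHelper class from the question.
static class UserStoreImport
{
    // Imports the PFX into CurrentUser\My and returns the certificate's thumbprint.
    public static string ImportForCurrentUser(string pfxPath, string password)
    {
        // UserKeySet: the key container is created in the importing user's profile,
        // so no separate ACL change on the key file is needed for that user.
        // PersistKeySet: the key is kept after this X509Certificate2 object is released.
        var cert = new X509Certificate2(pfxPath, password,
            X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.PersistKeySet);

        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }
        finally { store.Close(); }
        return cert.Thumbprint;
    }

    // Re-reads the certificate from the store and confirms that the private key
    // is present, readable by this process, and able to decrypt (key exchange).
    public static bool CanExchangeKeys(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0 || !found[0].HasPrivateKey) return false;

            using (RSA rsa = found[0].GetRSAPrivateKey())
            {
                if (rsa == null) return false;   // not an RSA key
                byte[] probe = { 1, 2, 3, 4 };   // constructed test data
                byte[] enc = rsa.Encrypt(probe, RSAEncryptionPadding.Pkcs1);
                byte[] dec = rsa.Decrypt(enc, RSAEncryptionPadding.Pkcs1);
                return Convert.ToBase64String(dec) == Convert.ToBase64String(probe);
            }
        }
        catch (CryptographicException) { return false; } // key missing, signature-only, or access denied
        finally { store.Close(); }
    }
}
```

Run the check as the account that will use the certificate, since each account has its own CurrentUser store.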