Azure Web Application new X509Certificate2() causing System.Security.Cryptography.CryptographicException: Access denied

Submitted by ⅰ亾dé卋堺 on 2019-12-23 20:03:22

Question


Right now I am uploading a .pfx file, taking in a password and calling

var cert = new X509Certificate2(fileData, password);

And storing things like the thumbprint, etc. I do not need to actually store this on the server, just validate that it is a valid cert and store some information. Locally this works (obviously I have better access to my key store), but when I put it up in Azure I get the error:

System.Security.Cryptography.CryptographicException: Access denied.

Is there any way to get this information sidestepping this or to use this method without getting an access denied? I am not very good with certs, so let me know if you need more information. Thank you.


Answer 1:


When opening a PFX on Windows any private keys get written to disk. They will get deleted later (unless you specify PersistKeySet), but they do still have to be written (ish).

Where are they written?

  • If you specify X509KeyStorageFlags.MachineKeySet: In the machine keystore, you need to be an administrator.
  • If you specify X509KeyStorageFlags.UserKeySet: In the user keystore, your user profile probably needs to exist/load.
  • If you don't specify either:
    • If the PFX itself has encoded that the key belongs in the machine key set, then the machine keystore (admin required).
    • Otherwise the user keystore (profile probably required).

Given "Access Denied" I'd guess that you hit the case where the PFX itself specified the machine keystore, to resolve this you'd change your call to

new X509Certificate2(fileData, password, X509KeyStorageFlags.UserKeySet)

and everything should work. If you specify UserKeySet and still get an error, that might be a profile-loading problem.

There is an option to load a PFX without writing the private keys to disk, but it's not available in .NET Framework (though it was recently added to .NET Core). If you really need it you could look into p/invoking PFXImportCertStore with the PKCS12_NO_PERSIST_KEY flag, then pass the resultant HCERTSTORE value to X509Store.ctor(IntPtr) and read your certificate(s) via the X509Store.Certificates property. Note, though, that most of .NET Framework won't understand that these cert objects have associated private keys, so they'll likely only behave as public-only certificate objects.
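The following is an added example, not code from the question or the answer above, that applies the advice in the answer: it opens the uploaded PFX with a key-storage flag that does not write to the machine store, pulls out the metadata the asker wants (thumbprint, subject, validity, whether a private key is present), and disposes the certificate so any temporary key is cleaned up. It assumes .NET Core 2.0 or later (or .NET 5+), where X509KeyStorageFlags.EphemeralKeySet is the "no private key written to disk" option the answer mentions; on .NET Framework, only the UserKeySet branch applies. The PfxInspector and PfxInfo names are this example's own, and the PFX bytes in Main are a constructed self-signed certificate standing in for the uploaded file. The p/invoke route via PFXImportCertStore described in the answer is not shown here.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical result type for this example: the fields the asker wants to keep.
public sealed class PfxInfo
{
    public string Thumbprint { get; set; }
    public string Subject { get; set; }
    public string Issuer { get; set; }
    public DateTime NotBefore { get; set; }
    public DateTime NotAfter { get; set; }
    public bool HasPrivateKey { get; set; }
    public string KeyAlgorithm { get; set; }
    public string LoadedWith { get; set; }   // the storage flag that actually worked
}

public static class PfxInspector
{
    // Order of preference: EphemeralKeySet never touches a key store at all (assumed
    // available on the runtime); UserKeySet is the answer's fix for .NET Framework and
    // writes a temporary key to the per-user store, which is deleted when the
    // certificate object is disposed because PersistKeySet is deliberately not set.
    // Exportable is also deliberately absent: reading metadata never needs it.
    private static readonly X509KeyStorageFlags[] Preference =
    {
        X509KeyStorageFlags.EphemeralKeySet,
        X509KeyStorageFlags.UserKeySet,
    };

    public static PfxInfo Inspect(byte[] pfxBytes, string password)
    {
        if (pfxBytes == null || pfxBytes.Length == 0)
            throw new ArgumentException("empty upload", nameof(pfxBytes));

        CryptographicException last = null;
        foreach (var flag in Preference)
        {
            try
            {
                using (var cert = new X509Certificate2(pfxBytes, password, flag))
                {
                    return Describe(cert, flag);
                }
            }
            catch (CryptographicException ex)
            {
                // "Access denied" means this flag needed a key store we cannot write to;
                // a wrong password also surfaces here, so keep the last error for the caller.
                last = ex;
            }
        }
        throw new InvalidOperationException("could not open PFX with any key-storage flag", last);
    }

    // Cheap validity-window check; a full X509Chain build (trust + revocation) is
    // environment dependent and is left to the caller.
    public static bool IsWithinValidity(PfxInfo info, DateTime now)
    {
        return now >= info.NotBefore && now <= info.NotAfter;
    }

    private static PfxInfo Describe(X509Certificate2 cert, X509KeyStorageFlags flag)
    {
        return new PfxInfo
        {
            Thumbprint = cert.Thumbprint,
            Subject = cert.Subject,
            Issuer = cert.Issuer,
            NotBefore = cert.NotBefore,
            NotAfter = cert.NotAfter,
            HasPrivateKey = cert.HasPrivateKey,
            KeyAlgorithm = cert.PublicKey.Oid.FriendlyName,
            LoadedWith = flag.ToString(),
        };
    }

    public static void Main()
    {
        // Constructed sample input: a throwaway self-signed certificate exported as a
        // password-protected PFX, standing in for the file the user uploads.
        const string password = "upload-test-password";
        byte[] pfx;
        using (var rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest("CN=upload-test", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var selfSigned = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
            {
                pfx = selfSigned.Export(X509ContentType.Pfx, password);
            }
        }

        PfxInfo info = Inspect(pfx, password);
        Console.WriteLine($"thumbprint={info.Thumbprint} subject={info.Subject} " +
                          $"privateKey={info.HasPrivateKey} loadedWith={info.LoadedWith}");
        Console.WriteLine($"currently valid: {IsWithinValidity(info, DateTime.Now)}");
    }
}
```

Two caveats worth knowing before reusing this. A certificate opened with EphemeralKeySet on Windows cannot be handed to SChannel-based APIs such as SslStream or HttpClient for TLS, because those need a persisted key; that is fine here since the goal is only to read metadata. And if Inspect fails on both flags with the same error for every upload, the problem is the app's user profile not loading in the hosting environment, which is the second failure mode the answer describes, not the PFX itself.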



Source: https://stackoverflow.com/questions/40536601/azure-web-application-new-x509certificate2-causing-system-security-cryptograph
