问题
My C# .net application is using a HTTPS webservice. As the cerificate now is about to expire, I'm trying to update it with a new one that I have been given (a .jks file that I've converted to .p12 using javasdks' keytool). I thought this would be easy, as I know how to do it, but it just won't cooperate.
What I've done so far:
- Imported certificate to CURRENT_USER\Personal
- Imported certificate to LOCAL_MACHINE\Personal
- Given the correct user (apppoolidentity) access to private key of certificate via the winhttpcertcfg tool.. Below is a list of rights for the certificate.
using findprivatekey tool, I've also located the actual key file, and given the apppoolidentity access to it. (In desperation).
C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg -l -c LOCAL_MACHINE\My -s "9000 - Blabla" Microsoft (R) WinHTTP Certificate Configuration Tool Copyright (C) Microsoft Corporation 2001.
Matching certificate: CN=9000 - Blabla C=NO L="c/o Blabla AS, Blablaaddress" OU=957839827 OID.1.2.240.111111.1.9.8=12345678 OID.1.2.240.111111.1.9.2=Blabla Test O=BlaBla AS OU=MULTI-ALLOWED
Additional accounts and groups with access to the private key include: BUILTIN\Administrators NT AUTHORITY\SYSTEM IIS APPPOOL\ASP.NET v4.0 BUILTIN\Users NT AUTHORITY\NETWORK SERVICE DIGITROLLDMZ\IIS_WPG
The url I'm accessing looks something like this:
https://test.blabla.com/blabla-5.0/services/Blabla?wsdl
... If I access it from the servers web-browser, I get to select certificate, I select the new one, and it says it's okay, green and SSL in order and all, but my application code, that looks like this:
public static blabla.service.NettforhandlerService getNettforhandlerService(string applicationPath)
{
blabla.service.NettforhandlerService service = new blabla.service.NettforhandlerService();
if (System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"] != null && System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"].Length > 0)
{
string serviceurl = service.Url;
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySerialNumber, System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"], true);
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
ServicePointManager.CertificatePolicy = new TrustHBSCertificatePolicy();
service.ClientCertificates.Add(col[0]);
}
return service;
}
Only outputs this error:
The request was aborted: Could not create SSL/TLS secure channel.
... I've added some trace/debug info to web.config, and what I found out from the error was this:
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: 30 82 01 0a 02 82 01 01 00 8e a6 72 c2 e1 67 16 e2 be be c3 30 89 8d bb 57 0b 48 f8 1d 09 b1 e3 26 42 c9 45 9e 02 b2 43 49 16 81 94 1b 18 d6 6d ef ....
System.Net Information: 0 : [15624] SecureChannel#32061089 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [15624] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [15624] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [15624] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [15624] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [15624] Socket#38259205::Dispose()
System.Net Error: 0 : [15624] Exception in the HttpWebRequest#54558071:: - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Error: 0 : [15624] Exception in the HttpWebRequest#54558071::GetResponse - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Verbose: 0 : [15624]
I know this looks like the correct user/identity hasn't been given the access to the certificate (from winhttpcertcfg), but I'm very sure that it has, that's why I'm at loss here,
hoping that someone with some serious https-certificate/web-service -skills might help me out here :-)
Thanks.
Regards, Jørgen E.
edit1: changed title to something more precise. edit2: New information:
In EventViewer/Windows Logs/Security there is an event "Audit Failure" connected to this:
Cryptographic operation.
Subject:
Security ID: IIS APPPOOL\ASP.NET v4.0
Account Name: ASP.NET v4.0
Account Domain: IIS APPPOOL
Logon ID: 0x32498
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: Not Available.
Key Name: {00E1A3F5-7400-41CA-8290-02983473AEAF}
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090010
回答1:
Not much can be extracted from the log, but...
Google-fu yields the following result: 0x80090010 is most likely a certificate access error.
From that, with high level of probability I conclude you need to set permissions for your SSL certificate private key - so that IIS can access it. See: http://www.dotnetnoob.com/2011/01/how-to-give-iis-access-to-private-keys.html
Similar question with another option: The request was aborted: Could not create SSL/TLS secure channel
回答2:
Problem solved, Seems a Intermediate Certificate was missing, Imported it into Intermediate Certificates in MMC, and all was good :-)
回答3:
Late reply, but i got stuck in the same problem and the following change fixed the issue for me. Try changing the line ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3; with the one below - ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
P.S - I am using .Net framework 3.5 in my application.
来源:https://stackoverflow.com/questions/13413214/ssl-webservice-could-not-create-ssl-tls-secure-channel