c# - .NET Core X509Certificate2 使用(Windows/IIS、Docker、Linux下)-6ren

c# - .NET Core X509Certificate2 使用(Windows/IIS、Docker、Linux下)

转载作者：太空狗更新时间：2023-10-29 21:37:29

我真的很长时间都在尝试在 .NET Core API 中使用证书。

基本上，我需要在 IIS 和 docker 上运行的 .NET Core web api 中使用它们。

我需要使用的证书用于:

Microsoft.AspNetCore.DataProtection

public void ConfigureServices(IServiceCollection services)
{
  services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(dataProtectionKeystorePath))
    .ProtectKeysWithCertificate
    (
      new X509Certificate2(dataProtectionCertificatePath, dataProtectionCertificateSecret)
    );
}

Kestrel Options to set SSL certificate

public static IWebHost BuildWebHost(string[] args) =>
  WebHost.CreateDefaultBuilder(args)
    .UseKestrel
    (
      options =>
        {
          options.Listen(address, port, listenOptions =>
            {
              listenOptions.UseHttps(new X509Certificate2(sslCertificatePath, sslCertifciateSecret));
            }
          );
        }
      )
      // other setup
     ;

IdentityServer4.SigningCredentials

注意:此代码适用于从 VS2017 开始的开发机器，但会在 Windows 2008 R2 IIS 测试服务器上引发这些异常。

services.AddIdentityServer()
  .AddSigningCredential
  (
    new X509Certificate2(tokenCertificatePath, tokenCertificatePassphrase)
  )
  // other setup
  ;

这三个都意味着放置一个证书文件，使用构造函数加载它，传递 secret ，然后我们开始吧。

sarkasm > 祝我快乐，这很容易。 < 萨卡斯姆

所以我创建了一个 certs subdir 来保存证书。添加了 secret 的设置。验证所有值都按预期加载/创建。已验证文件位于预期位置并因此存在。简而言之，例如:

string dataProtectionKeystorePath = System.Path.Combine(Environment.ContentRootPath, "keystore");
string dataProtectionCertificatePath = System.Path.Combine(Environment.ContentRootPath, "certs", "keystore.pfx");
string dataProtectionSecret = Configuration.GetSection("CertificateSecrets").GetValue<string>("keystoreSecret", null);

string tokenCertificatePath = System.Path.Combine(Environment.ContentRootPath, "certs", "token.pfx");
string tokenCertificateSecret = Configuration.GetSection("CertificateSecrets").GetValue<string>("tokenSecret", null);

string sslCertificatePath = System.Path.Combine(Environment.ContentRootPath, "certs", "ssl.pfx");
string sslCertificateSecret = Configuration.GetSection("CertificateSecrets").GetValue<string>("tokenSecret", null);

他们说，让我们玩得开心。所以让我们去部署吧。

我最终得到的是这些异常(exception):

数据保护异常(exception):

info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
      Creating key {39560783-e349-475e-8e3f-748abb8c6c8b} with creation date 2018-11-16 08:01:49Z, activation date 2018-11-16 08:01:49Z, and expiration date 2019-02-14 08:01:49Z.
info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
      Writing data to file '[intentionally removed for post]'.
fail: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[24]
      An exception occurred while processing the key element '<key id="39560783-e349-475e-8e3f-748abb8c6c8b" version="1" />'.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
   at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__61_0(CspParameters csp)
   at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
   at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
      Key {39560783-e349-475e-8e3f-748abb8c6c8b} is ineligible to be the default key because its CreateEncryptor method failed.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
   at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__61_0(CspParameters csp)
   at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
   at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
      Key {39560783-e349-475e-8e3f-748abb8c6c8b} is ineligible to be the default key because its CreateEncryptor method failed.
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Keyset does not exist
   at Internal.NativeCrypto.CapiHelper.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeProvHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider.get_SafeKeyHandle()
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 keySize, CspParameters parameters, Boolean useDefaultKeySize)
   at System.Security.Cryptography.RSACryptoServiceProvider..ctor(CspParameters parameters)
   at Internal.Cryptography.Pal.CertificatePal.<>c.<GetRSAPrivateKey>b__61_0(CspParameters csp)
   at Internal.Cryptography.Pal.CertificatePal.GetPrivateKey[T](Func`2 createCsp, Func`2 createCng)
   at Internal.Cryptography.Pal.CertificatePal.GetRSAPrivateKey()
   at Internal.Cryptography.Pal.CertificateExtensionsCommon.GetPrivateKey[T](X509Certificate2 certificate, Predicate`1 matchesConstraints)
   at System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPrivateKey(X509Certificate2 certificate)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.GetKeyFromCert(EncryptedKey encryptedKey, KeyInfoX509Data keyInfo)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.EncryptedXmlWithCertificateKeys.DecryptEncryptedKey(EncryptedKey encryptedKey)
   at System.Security.Cryptography.Xml.EncryptedXml.GetDecryptionKey(EncryptedData encryptedData, String symmetricAlgorithmUri)
   at System.Security.Cryptography.Xml.EncryptedXml.DecryptDocument()
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.EncryptedXmlDecryptor.Decrypt(XElement encryptedElement)
   at Microsoft.AspNetCore.DataProtection.XmlEncryption.XmlEncryptionExtensions.DecryptElement(XElement element, IActivator activator)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager.Microsoft.AspNetCore.DataProtection.KeyManagement.Internal.IInternalXmlKeyManager.DeserializeDescriptorFromKeyElement(XElement keyElement)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DeferredKey.<>c__DisplayClass1_0.<GetLazyDescriptorDelegate>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location where exception was thrown ---
   at System.Lazy`1.CreateValue()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.get_Descriptor()
   at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.CngGcmAuthenticatedEncryptorFactory.CreateEncryptorInstance(IKey key)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyBase.CreateEncryptor()
   at Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver.CanCreateAuthenticatedEncryptor(IKey key)

Identity Server 4 签名凭证的异常(exception)情况

Application startup exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at AuthServer.Startup.ConfigureServices(IServiceCollection services) in [intentionally removed for post]\Startup.cs:line 136
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Hosting.ConventionBasedStartup.ConfigureServices(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureApplicationServices()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.Initialize()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
crit: Microsoft.AspNetCore.Hosting.Internal.WebHost[6]
      Application startup exception
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at AuthServer.Startup.ConfigureServices(IServiceCollection services) in [intentionally removed for post]\Startup.cs:line 136
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Hosting.ConventionBasedStartup.ConfigureServices(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureApplicationServices()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.Initialize()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()

SSL证书的异常(exception)

Unhandled Exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
   at AuthServer.Program.<>c.<BuildWebHost>b__1_3(ListenOptions listenOptions) in [intentionally removed for post]\Program.cs:line 58
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.Listen(IPEndPoint endPoint, Action`1 configure)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServerOptions.Listen(IPAddress address, Int32 port, Action`1 configure)
   at Microsoft.Extensions.Options.ConfigureNamedOptions`1.Configure(String name, TOptions options)
   at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
   at Microsoft.Extensions.Options.OptionsManager`1.<>c__DisplayClass5_0.<Get>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
--- End of stack trace from previous location where exception was thrown ---
   at System.Lazy`1.CreateValue()
   at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
   at Microsoft.Extensions.Options.OptionsManager`1.Get(String name)
   at Microsoft.Extensions.Options.OptionsManager`1.get_Value()
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer.CreateServiceContext(IOptions`1 options, ILoggerFactory loggerFactory)
   at Microsoft.AspNetCore.Server.Kestrel.Core.KestrelServer..ctor(IOptions`1 options, ITransportFactory transportFactory, ILoggerFactory loggerFactory)
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitConstructor(ConstructorCallSite constructorCallSite, ServiceProviderEngineScope scope)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(IServiceCallSite callSite, TArgument argument)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitScoped(ScopedCallSite scopedCallSite, ServiceProviderEngineScope scope)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitSingleton(SingletonCallSite singletonCallSite, ServiceProviderEngineScope scope)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor`2.VisitCallSite(IServiceCallSite callSite, TArgument argument)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.DynamicServiceProviderEngine.<>c__DisplayClass1_0.<RealizeService>b__0(ServiceProviderEngineScope scope)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.GetService(Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService[T](IServiceProvider provider)
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureServer()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
   at Microsoft.AspNetCore.Hosting.Internal.WebHost.StartAsync(CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token, String shutdownMessage)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.RunAsync(IWebHost host, CancellationToken token)
   at Microsoft.AspNetCore.Hosting.WebHostExtensions.Run(IWebHost host)
   at MyProject.Program.Main(String[] args) in [intentionally removed for post]\Program.cs:line 47

几个月来一直面对这个证书异常，谷歌搜索并再次面对这个异常，无论我尝试过什么(根据谷歌结果，在 github 上提出的问题等等)，我想到我错过了一些重要的东西。

我尝试使用 StorageFlags，但没有找到一个(组合)工作。

这些项目应该在 Windows (IIS)、docker 和曾经的 linux (ubuntu, debian) 上运行。这就是为什么我们决定将证书放在(跨多个实例安装)子目录中。所以我发现的建议将证书安装到微软证书存储中的帖子将不起作用。怎么能在 docker 和 linux 上呢？

由于我倾向于使用的所有证书都受到影响，因此问题可能是我对如何使用证书有重大误解。

谁能帮我找出我错过的主要观点并最终获得证书运行？我需要配置一些东西吗？如果是什么？

只是一些调查总结:

我确定这些文件存在吗:是的，否则异常(exception)将是

System.Security.Cryptography.CryptographicException: System cannot find specified file.

我确定密码正确吗:是的，否则异常(exception)是

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct.

文件权限:感谢 CheshireCat 提醒我。在 Windows Server 2008 R2 IIS 7.5 上，我检查了用户 DefaultAppPool 的 certs 子目录的文件权限(认为现在是不同的用户单元)。对 certs 子目录的完全访问文件权限已授予用户 DefaultAppPool like shown in this link .

通常 IS4 签名凭据异常发生在应用程序启动时。使用 X509KeyStorageFlags.MachineKeySet 不会在启动时抛出，但会显示登录窗口并在登录后抛出。不会返回任何 token ，但会创建一个 session ，以便用户可以修改 ASP NET 标识帐户设置。

证书过期:证书可以过期。数据保护似乎不会检查过期日期，因此即使证书过期也可以使用。 Identity Server 4 签名凭据仍然可以使用，但如果证书过期，ASP.NET 核心 token 验证将引发未经授权。

问题解决

一年半后，解决方案是:以某种方式损坏(自签名/自创建)证书。

可以使用以下代码检查证书是否有效:

  static void Main(string[] args)
  {
    X509Certificate2 cert = new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "cert.pfx"), "password");
    Console.WriteLine("cert private key: " + cert.PrivateKey);
  }

如果您看到以下输出，则证明证书良好，否则您会收到上述异常。

cert private key: System.Security.Cryptography.RSACng

创建用于开发的证书

SSL证书

使用 dotnet 工具 dev-certs。此调用会打开一个提示，然后将 localhost SSL 证书导入 CurrentUser 证书存储 ( view it with MMC )。无需更改程序中的代码。

dotnet dev-certs https --trust

其他证书

创建了“损坏的”证书 using makecert .我切换到 OpenSSL但也可以是 New-SelfSignedCertificate使用的工具(如果您使用的是 Win 10)。

如果 OpenSSL 安装正确并添加到 PATH 变量，以下批处理文件将创建工作证书(需要用户交互!)。

  openssl genrsa 2048 > private.pem
  openssl req -x509 -days 365 -new -key private.pem -out public.pem
  openssl pkcs12 -export -in public.pem -inkey private.pem -out cert.pfx
  REM openssl pkcs12 -info -in cert.pfx
  certutil -dump cert.pfx
  PAUSE

本地开发设置(Win 7、VS 2017、IIS Express/Kestrel)

正如 Cheshire-Cat(再次非常感谢您)描述的所有部分的代码都按预期在 .NET Core 2.1 下工作。包括数据保护和 Identity Server 4 签名凭据。

在 Windows 2008 R2 上部署到 IIS 7.5

乐趣还在继续。让证书在本地开发机器上工作并将其部署到 IIS 会引发"new"异常。

检查 IIS 上的文件权限(DefaultAppPool 具有完全权限)

证书与在本地机器上工作的证书相同

没有安装使用的证书(不在开发机器上，不在 IIS 机器上)，所以应该采用实际的文件。

日志显示基本良好的设置

  using data protection keystore path C:\inetpub\wwwroot\auth\keystore
  data protection keystore is protected with certificate at path 'C:\inetpub\wwwroot\auth\certs\keystore.pfx'
  loading keystore certificate from file 'C:\inetpub\wwwroot\auth\certs\keystore.pfx'
  loading keystore certificate with passphrase ********


  Application startup exception: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred
     at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
     at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
     at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
     at [SomeOfMyNamespaces].X509Certificate2Loader.LoadFromFile(String certName, String certPath, String certPassphrase, ILogger logger) in [intentionally-blanked]\X509Certificate2Loader.cs:line 57
     at [SomeOfMyNamespaces].DataProtectionExtensions.AddDataProtection(IServiceCollection services, IConfiguration config, IHostingEnvironment environment, String applicationName, String applicationVersion, ILogger logger) in [intentionally-blanked]\DataProtectionExtensions.cs:line 207
     at [SomeOfMyNamespaces].Startup.ConfigureServices(IServiceCollection services) in [intentionally-blanked]\Startup.cs:line 96
  --- End of stack trace from previous location where exception was thrown ---
     at Microsoft.AspNetCore.Hosting.ConventionBasedStartup.ConfigureServices(IServiceCollection services)
     at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureApplicationServices()
     at Microsoft.AspNetCore.Hosting.Internal.WebHost.Initialize()
  --- End of stack trace from previous location where exception was thrown ---
     at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()
  crit: Microsoft.AspNetCore.Hosting.Internal.WebHost[6]
        Application startup exception
  Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: An internal error occurred
     at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
     at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
     at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, String password, X509KeyStorageFlags keyStorageFlags)
     at [SomeOfMyNamespaces].X509Certificate2Loader.LoadFromFile(String certName, String certPath, String certPassphrase, ILogger logger) in [intentionally-blanked]\X509Certificate2Loader.cs:line 57
     at [SomeOfMyNamespaces].DataProtectionExtensions.AddDataProtection(IServiceCollection services, IConfiguration config, IHostingEnvironment environment, String applicationName, String applicationVersion, ILogger logger) in [intentionally-blanked]\DataProtectionExtensions.cs:line 207
     at [SomeOfMyNamespaces].Startup.ConfigureServices(IServiceCollection services) in [intentionally-blanked]\Startup.cs:line 96
  --- End of stack trace from previous location where exception was thrown ---
     at Microsoft.AspNetCore.Hosting.ConventionBasedStartup.ConfigureServices(IServiceCollection services)
     at Microsoft.AspNetCore.Hosting.Internal.WebHost.EnsureApplicationServices()
     at Microsoft.AspNetCore.Hosting.Internal.WebHost.Initialize()
  --- End of stack trace from previous location where exception was thrown ---
     at Microsoft.AspNetCore.Hosting.Internal.WebHost.BuildApplication()

引用的第 57 行是:

  cert = new X509Certificate2(certPath, certPassphrase);

Identity Server 4 签名凭据也会出现相同的异常。

给予另一个 100 的奖励以帮助我在 Windows Server 2008 R2 上的 IIS 上运行它。

IIS 和 docker(以及本地开发)的解决方案:使用这个并且 IIS 和 Docker 设置都不会提示:

cert = new X509Certificate2(certPath, certPassphrase, X509KeyStorageFlags.MachineKeySet);

最佳答案

我在 IS4 项目上运行的实际代码是这样的:

X509Certificate2 certificate = null;

// Load certificate from Certificate Store using the configured Thumbprint
using (X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
{
    store.Open(OpenFlags.ReadOnly);
    X509Certificate2Collection certificates = store.Certificates.Find(X509FindType.FindByThumbprint, appConfiguration.CertificateThumbprint, false);

    if (certificates.Count > 0)
        certificate = certificates[0];
}

// Fallback to load certificate from local file
if (certificate == null)
{
    string path = Path.Combine("C:\\Certificates", appConfiguration.CertificateFilename);

    try
    {
        certificate = new X509Certificate2(path, "CertificateSecret123$");
        logger.LogInformation($"Found from file {certificate.Thumbprint}");
    }
    catch (Exception ex)
    {
        logger.LogError(ex, $"Certificate file error {path}");
        certificate = null;
    }
}

if (certificate == null)
    throw new Exception($"Certificate {appConfiguration.CertificateThumbprint} not found.");

builder.AddSigningCredential(certificate);

如果我更改指纹以强制代码从本地文件中查找证书，则会得到预期的结果:

更新 2018/11/19

我更正了代码中的一个错误，因为如果找不到证书文件， X509Certificate2类构造函数抛出异常。所以，其实之前的 if (certificate == null)控制后线 certificate = new X509Certificate2... ，永远不会达到。

使代码工作的步骤是:

创建证书并将其放入目录

检查运行代码的用户对文件夹的目录权限。

如果您在 开发机 , 检查运行 VS 的用户是否有访问文件所在目录的权限。

如果您在 IIS ，查看 AppPool托管您的应用程序及其执行的用户。它需要对证书目录具有权限。

加载证书来自文件 使用示例代码。确保路径的正确性。

加载证书来自商店 使用指纹。要获取证书指纹，您可以:

使用 PowerShell 命令 Get-ChildItem -path cert:\LocalMachine\My指定您在商店中注册证书的正确位置。

通过右键单击 .pfx 文件使用 Windows 资源管理器 -> 打开 -> 在 MMC 控制台中找到您的文件 -> 双击它 -> 详细信息 -> 指纹。 重要提示 :当从预览文本框中复制/粘贴 Thumbprint 值时，Windows 中有一个众所周知的丑陋错误。 在指纹开头添加隐藏字符 粘贴值时。因此，首先将其复制/粘贴到文本编辑器上，然后通过在第一个字符附近移动箭头键来检查它。另见 this .

关于c# - .NET Core X509Certificate2 使用(Windows/IIS、Docker、Linux下)，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/53334142/

文章推荐： c++ - 可变参数模板继承中的类型不匹配

文章推荐： python - 如何用sqlalchemy在子句中写多列

文章推荐： c++ - treap 如何帮助更新这个有序队列？

docker - docker ， docker 没有IPAddress检查
我正在使用以下dockerfile: FROM ubuntu:14.04 MAINTAINER xxx xxx # SSH RUN apt-get update && apt-get install
docker - Docker docker-compose不获取相关的缓存镜像
我运行了docker-compose build celery，(经过数小时的尝试，我的连接不良)成功了。 app Dockerfile的前80％是相同的，但不会重复使用缓存。从我可以浏览的内容来看，
docker - docker 守护进程重新启动后，Docker 注册表中的所有存储库都会被删除 (docker-for-mac)
我可以使用以下命令成功创建 Docker 注册表 v2 服务:docker service create 然后我使用 docker Push 将一些图像推送到该服务。当我通过 curl localh
docker - 无法连接到 docker 的 docker 镜像中的守护进程 docker
我正在尝试使用 gitlab 构建 CI，我从 docker 的 docker 镜像开始，我的前端存储库没有任何问题，但现在使用相同的 gitlab-ci 配置文件，我有此守护程序错误。这是构建的输
docker - 最小化 Docker-in-Docker 容器内的 `docker build` 执行时间
用例: 我们在 Jenkins 中有几个“发布作业”build 和 push 应用程序的 Docker 镜像到 docker registry，更新各种文件中的项目版本，最后将发布标签推送到相应的 G
docker - 我无法使用 Docker 构建我的 docker 文件来创建我的 docker 镜像
当我尝试构建我的 docker 文件时，docker 返回以下错误: [+] Building 0.0s (1/2)
docker - 如何在不使用 docker-in-docker 的情况下在 jenkins 管道中使用 docker
docker-in-docker 的作者在此博客中建议不要将此图像用于 CI 目的: jpetazzo/Using Docker-in-Docker for your CI or testing en
docker - 在 Docker 容器中运行 Docker : Cannot connect to the Docker daemon
我创建了一个 Dockerfile 来在 Docker 中运行 Docker: FROM ubuntu:16.04 RUN apt-get update && \ apt-get in
docker - 如何在 Docker 命令行的 Docker 注册表中找到具有特定标记的 Docker 镜像？
我尝试为 Docker 镜像定位一个特定标签。我怎样才能在命令行上做到这一点？我想避免下载所有图像，然后删除不需要的图像。在 Ubuntu 官方版本中，https://registry.hub.do
docker - docker 内的 docker ，发布HTTP错误
我正在尝试在docker中运行docker。唯一的目的是实验性的，我绝不尝试实现任何功能，我只想检查docker从另一个docker运行时的性能。我通过Mac上的boot2docker启动docke
docker - Docker:docker-compose.yml中用于自动重新部署新镜像的选项
docker-compose.yml version: "3" services: daggr: image: "docker.pvt.com/test/daggr:stable"
docker - 在 Docker 容器内访问 Docker
我有一个非常具体的开发环境用例。在一些代码中，我启动了一个容器来抓取页面并检索在容器中运行的服务(Gitlab)的 token 。现在，我希望 Dockerize 运行它的代码。具体来说，类似: o
docker - docker-compose文件vs docker bundle
之前已经问过这个问题，但我不确定当时是否可以使用docker-compose文件完成docker堆栈部署。由于最新版本支持使用compose将服务部署到堆栈，因此，我无法理解dab文件的值。我检查
docker - docker 池和 docker 注册表有什么区别？
我在一次采访中被问到这个问题，但无法回答。也没有找到任何相关信息。最佳答案正如 Docker 文档中所述，Docker 注册表是: [...] a hosted service containin
docker - docker :如何将 docker 中的所有png文件复制到主机？
有没有一种方法可以将具有给定扩展名的所有文件复制到Docker中的主机？就像是 docker cp container_name:path/to/file/in/docker/*.png path/o
docker - docker 日志级别会影响日志记录驱动程序还是仅影响 docker 守护程序的日志？
我的日志驱动程序设置为journald。使用日志记录驱动程序时，daemon.json文件中的日志级别配置会影响日志吗？使用docker logs 时仅会影响容器日志？例如，docker和journ
docker - docker 服务如何管理从单独的 docker 容器调用实例？
我最近开始使用Docker + Celery。我还共享了full sample codes for this example on github，以下是其中的一些代码段，以帮助解释我的观点。就上下文
docker - docker :无法提交构建的 docker 镜像
运行docker build .命令后，尝试提交构建的镜像，但收到以下错误 Step 12 : CMD activator run ---> Using cache ---> efc82ff1ca
docker - Docker + docker-组成+无法启动服务
我们有docker-compose.yml，其中包含Kafka，zookeeper和schema registry的配置当我们启动docker compose时，出现以下错误 docker-comp
docker - docker 基本图像存储库ouside docker 中心？
我是Docker的新手。是否可以在Docker Hub外部建立Docker基本镜像存储库？假设将它们存储在您的云中，而不是拥有DH帐户？谢谢。最佳答案您可以根据需要托管自己的注册表。可以在Depl

太空狗

个人简介

我是一名优秀的程序员,十分优秀！

作者热门文章

滴滴打车优惠券免费领取

全站热门文章

首页

博学

6Ren·AI

商城

c# - .NET Core X509Certificate2 使用(Windows/IIS、Docker、Linux下)