The project I'm working on has an MVC website that talks to a WCF web service and authenticates with the Windows identity. I have an identity delegation certificate that I'm trying to add programmatically. To do it manually, I open the Certificates snap-in in mmc, import the .pfx file into Personal and enter the password. Then I have to click "Manage Private Keys" and grant permissions to IIS_IUSRS.
To replicate this process I came up with the following console application:
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

class Program
{
    static void Main(string[] args)
    {
        // Load the PFX into the machine key set (no PersistKeySet flag here).
        var cert = new X509Certificate2("location.pfx", "password", X509KeyStorageFlags.MachineKeySet);
        AddCert(StoreName.My, StoreLocation.LocalMachine, cert);
        AddAccessToCertificate(cert, "IIS_IUSRS");
    }

    // Adds the certificate to the given store (LocalMachine\My here).
    private static void AddCert(StoreName storeName, StoreLocation storeLocation, X509Certificate2 cert)
    {
        X509Store store = new X509Store(storeName, storeLocation);
        store.Open(OpenFlags.ReadWrite);
        store.Add(cert);
        store.Close();
    }

    // Grants the given account access to the file that holds the private key.
    private static void AddAccessToCertificate(X509Certificate2 cert, string user)
    {
        // cert.PrivateKey only works for CAPI (CSP) keys; a CNG-backed key fails here.
        RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider;
        if (rsa != null)
        {
            string keyfilepath = FindKeyLocation(rsa.CspKeyContainerInfo.UniqueKeyContainerName);
            FileInfo file = new FileInfo(Path.Combine(keyfilepath, rsa.CspKeyContainerInfo.UniqueKeyContainerName));
            FileSecurity fs = file.GetAccessControl();
            NTAccount account = new NTAccount(user);
            // FullControl also lets the account overwrite or delete the key; Read is enough to use it.
            fs.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.FullControl, AccessControlType.Allow));
            file.SetAccessControl(fs);
        }
    }

    // Returns the directory that contains the key container file: the machine-wide
    // MachineKeys folder first, then the per-user RSA folders.
    private static string FindKeyLocation(string keyFileName)
    {
        string machineKeys = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
            @"Microsoft\Crypto\RSA\MachineKeys");
        if (Directory.GetFiles(machineKeys, keyFileName).Length > 0)
        {
            return machineKeys;
        }

        string userKeys = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
            @"Microsoft\Crypto\RSA");
        foreach (string dir in Directory.GetDirectories(userKeys))
        {
            if (Directory.GetFiles(dir, keyFileName).Length != 0)
            {
                return dir;
            }
        }

        // Fail loudly instead of returning a message string that the caller would use as a path.
        throw new FileNotFoundException("Private key exists but is not accessible", keyFileName);
    }
}
Unfortunately this gives the error:
The address of the security token issuer is not specified. An explicit issuer address must be specified in the binding for target 'https://service.svc https://service.svc' or the local issuer address must be configured in the credentials.
I realise I have a big knowledge gap on this stuff, so I'd appreciate some guidance!
My question is: what is the difference between the manual process and the automated one?
This line:
var cert = new X509Certificate2("location.pfx", "password", X509KeyStorageFlags.MachineKeySet);
should have been:
var cert = new X509Certificate2("location.pfx", "password", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
It was X509KeyStorageFlags.PersistKeySet that was missing.
There is some useful information about certificates here: http://paulstovell.com/blog/x509certificate2.
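As an added example (not code from the original question or answer), here is the same manual mmc procedure, import the PFX into LocalMachine\My and then grant the app pool group access to the private key, done from an elevated PowerShell session. The PFX path and the IIS_IUSRS principal are assumed values; change them for your server. Unlike the console app, it grants only Read on the key file and locates both CAPI and CNG key containers.

```powershell
# Added example; not part of the original question or answer.
# Run from an elevated Windows PowerShell (5.1 or later) on the web server.
# Assumed values: the PFX path and the principal name.
$pfxPath   = 'C:\certs\location.pfx'
$principal = 'IIS_IUSRS'
$password  = Read-Host -Prompt 'PFX password' -AsSecureString

# Import-PfxCertificate (PKI module) persists the private key in the machine key store,
# which is the step the console app skipped when PersistKeySet was missing.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $password
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key"
}

# Work out the key container file name. CAPI (CSP) keys expose it through
# CspKeyContainerInfo; CNG keys through the CngKey's UniqueName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Machine keys live under ProgramData: RSA\MachineKeys for CAPI keys, Keys for CNG keys.
$cryptoRoot = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto'
$keyFile = @(
    (Join-Path $cryptoRoot 'RSA\MachineKeys'),
    (Join-Path $cryptoRoot 'Keys')
) | ForEach-Object { Join-Path $_ $uniqueName } | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) {
    throw "Key container file '$uniqueName' not found under $cryptoRoot"
}

# Grant Read only. That is all the service needs to use the key; FullControl (as in the
# console app) would also let the app pool identity overwrite or delete it.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the resulting ACL entry (the principal resolves to BUILTIN\IIS_IUSRS).
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$principal" -or $_.IdentityReference.Value -eq $principal } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After it runs, the certificate shows up in mmc under Personal with "You have a private key that corresponds to this certificate", and "Manage Private Keys" lists IIS_IUSRS with Read, which is the same state the manual procedure produces.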