我们的服务器/服务证书已过期,我们发布了新证书。在证书存储区中替换它(作为SSL服务器证书而没有问题),为AppPoolIdentity设置访问权限,在该访问权限下服务运行到它的私钥。 我的服务配置:
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="A2AValidation" type="SPOZUS_T2S_A2A.A2AValidation+CustomBehaviorSection, SPOZUS_T2S_A2A, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</behaviorExtensions>
</extensions>
<protocolMapping>
<add scheme="http" binding="wsHttpBinding" />
<add scheme="https" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding name="MessageSecurityBinding">
<security mode="Message">
<message clientCredentialType="Certificate" establishSecurityContext="true" negotiateServiceCredential="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ClientSecBehavior" name="SPOZUS_T2S_A2A.Service">
<endpoint address="" behaviorConfiguration="A2AValidationBehavior" bindingNamespace="https://DRW2012IIS.XXX.XXXX.XX:10002/A2A" binding="wsHttpBinding" bindingConfiguration="MessageSecurityBinding" name="A2AmessageEndpoint" contract="SPOZUS_T2S_A2A.IService" />
<endpoint address="mex" binding="mexHttpsBinding" name="A2AMessageEndpointMex" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="http://DRW2012IIS.XXX.XXXX.XX:10002/A2A/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="A2AValidationBehavior">
<A2AValidation />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="ClientSecBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" trustedStoreLocation="LocalMachine" mapClientCertificateToWindowsAccount="true" />
</clientCertificate>
<serviceCertificate findValue="DRW2012IIS.XXX.XXXX.XX" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
当我从浏览器访问该服务时,它会抛出错误:
[CryptographicException: Invalid provider type specified.
]
System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) +5273481
System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) +94
System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() +136
System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) +203
System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() +240
System.ServiceModel.Security.SecurityUtils.GetKeyContainerInfo(X509Certificate2 certificate) +42
System.ServiceModel.Security.SecurityUtils.CanKeyDoKeyExchange(X509Certificate2 certificate) +10
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +64
[ArgumentException: It is likely that certificate 'CN=DRW2012IIS.XXX.XXXX.XX, OU=IT, O=XXXXX, L=XXXXX, S=XXXX, C=XX' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.]
System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate) +336
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider() +35
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +64
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement) +59
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoServerX509TokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement) +261
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateTlsnegoSecurityTokenAuthenticator(RecipientServiceModelSecurityTokenRequirement recipientRequirement, Boolean requireClientCertificate, SecurityTokenResolver& sctResolver) +829
System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenAuthenticator(SecurityTokenRequirement tokenRequirement, SecurityTokenResolver& outOfBandTokenResolver) +709
System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout) +208
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +81
System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +221
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecuritySessionSecurityTokenAuthenticator.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.CommunicationObjectSecurityTokenAuthenticator.Open(TimeSpan timeout) +16
System.ServiceModel.Security.SecuritySessionServerSettings.OnOpen(TimeSpan timeout) +842
System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout) +21
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout) +125
System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout) +221
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout) +73
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +130
System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +347
System.ServiceModel.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity) +130
System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity) +738
[ServiceActivationException: The service '/TEST/A2A/Service.svc' cannot be activated due to an exception during compilation. The exception message is: It is likely that certificate 'CN=DRW2012IIS.XXX.XXXX.XX, OU=IT, O=XXXXX, L=XXXXX, S=XXXX, C=XX' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail..]
System.Runtime.AsyncResult.End(IAsyncResult result) +604003
System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +238
System.Web.CallHandlerExecutionStep.OnAsyncHandlerCompletion(IAsyncResult ar) +178
答案 0 :(得分:0)
似乎问题出在证书使用者名称中使用的大写主题名称。我已经用小写域规范重新颁发了证书,现在可以使用了。
答案 1 :(得分:0)
我们也有这个确切的错误消息,花了很长时间来缩小问题范围。我们使用Octopus Deploy来安装我们的PFX证书,Tentacle作为LocalSystem运行。
有一些有趣的发现: