I have been trying to upgrade OpenSSL from 0.9.8 to version 1.0.1. Creating an X509Certificate2 certificate, which used to work fine, now fails.
Application error log:
System.Security.Cryptography.CryptographicException: Access denied.
   at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
I have tried every possible solution I could find in the forums, but to no avail.
Code snippet:
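// Class-level field that caches the signer certificate.
public static X509Certificate2 _signerCert = null;

byte[] pfxData;
string pfxPassword;
GetRootCertificate(out pfxData, out pfxPassword);
lock (_lockObjectSigner) {
    // This constructor call is the one in the stack trace.
    _signerCert = new X509Certificate2(pfxData, pfxPassword);
}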
Security event log:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5061</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-05-31T05:48:49.268222200Z" />
    <EventRecordID>33990</EventRecordID>
    <Correlation />
    <Execution ProcessID="500" ThreadID="4960" />
    <Channel>Security</Channel>
    <Computer>EMM-DMZ-SUS2.EMMDMZ.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-20</Data>
    <Data Name="SubjectUserName">EMM-DMZ-SUS2$</Data>
    <Data Name="SubjectDomainName">EMMDMZ</Data>
    <Data Name="SubjectLogonId">0x3e4</Data>
    <Data Name="ProviderName">Microsoft Software Key Storage Provider</Data>
    <Data Name="AlgorithmName">RSA</Data>
    <Data Name="KeyName">{A7C2BCEE-EC9F-49EA-92A6-666C0F2987DD}</Data>
    <Data Name="KeyType">%%2499</Data>
    <Data Name="Operation">%%2481</Data>
    <Data Name="ReturnCode">0x80090010</Data>
  </EventData>
</Event>
Options tried:
public static X509Certificate2 _signerCert = null;

byte[] pfxData;
string pfxPassword;
GetRootCertificate(out pfxData, out pfxPassword);
lock (_lockObjectSigner) {
    // Same load, but with explicit key storage flags.
    _signerCert = new X509Certificate2(pfxData, pfxPassword,
        X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);
}
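Enabling the IIS application pool setting (Application Pools > Advanced Settings) to load the user profile of the application pool identity user.
Changing the identity of the AppPool to NetworkService / LocalService?
Manually adding administrator permissions on the Microsoft keys folder "C:\programdata\Microsoft\Crypto".
Please let me know if there are any other options worth trying.
Regards, Narik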