我的 C# .net 应用程序正在使用 HTTPS 网络服务。由于证书现在即将过期,我正在尝试用我得到的新证书更新它(一个 .jks 文件,我使用 javasdks 的 keytool 将其转换为 .p12)。我认为这很容易,因为我知道该怎么做,但它就是不合作。
到目前为止我做了什么:
- 将证书导入到 CURRENT_USER\Personal
- 导入证书到 LOCAL_MACHINE\Personal
- 给定正确的用户 (apppoolidentity) 通过 winhttpcertcfg 工具访问证书的私钥。以下是权限列表 用于证书。
使用 findprivatekey 工具,我还找到了实际的 key 文件,并授予 apppoolidentity 访问权限。 (绝望中)。
C:\Program Files (x86)\Windows Resource Kits\Tools>winhttpcertcfg -l -c LOCAL_MACHINE\My -s "9000 - Blabla" Microsoft (R) WinHTTP 证书配置工具 版权所有 (C) Microsoft Corporation 2001。
匹配证书: CN=9000 - 布拉布拉 C=NO L="c/o Blabla AS, Blablaaddress" 欧=957839827 OID.1.2.240.111111.1.9.8=12345678 OID.1.2.240.111111.1.9.2=Blabla 测试 O=BlaBla AS OU=多重允许
可以访问私钥的其他帐户和组包括: 内置\管理员 NT AUTHORITY\SYSTEM IIS APPPOOL\ASP.NET v4.0 内置\用户 NT AUTHORITY\网络服务 DIGITROLLDMZ\IIS_WPG
我正在访问的 url 看起来像这样:
https://test.blabla.com/blabla-5.0/services/Blabla?wsdl
...如果我从服务器的网络浏览器访问它,我会选择证书,我选择新证书,它说没问题,绿色和 SSL 顺序等等,但我的应用程序代码,看起来像这样:
public static blabla.service.NettforhandlerService getNettforhandlerService(string applicationPath)
{
blabla.service.NettforhandlerService service = new blabla.service.NettforhandlerService();
if (System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"] != null && System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"].Length > 0)
{
string serviceurl = service.Url;
X509Store store = new X509Store(StoreName.Root, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2Collection col = store.Certificates.Find(X509FindType.FindBySerialNumber, System.Configuration.ConfigurationManager.AppSettings["CertificateSerialNumber"], true);
ServicePointManager.Expect100Continue = true;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
ServicePointManager.CertificatePolicy = new TrustHBSCertificatePolicy();
service.ClientCertificates.Add(col[0]);
}
return service;
}
只输出这个错误:
The request was aborted: Could not create SSL/TLS secure channel.
...我在 web.config 中添加了一些跟踪/调试信息,我从错误中发现的是:
[Public Key]
Algorithm: RSA
Length: 2048
Key Blob: 30 82 01 0a 02 82 01 01 00 8e a6 72 c2 e1 67 16 e2 be be c3 30 89 8d bb 57 0b 48 f8 1d 09 b1 e3 26 42 c9 45 9e 02 b2 43 49 16 81 94 1b 18 d6 6d ef ....
System.Net Information: 0 : [15624] SecureChannel#32061089 - Certificate is of type X509Certificate2 and contains the private key.
System.Net Information: 0 : [15624] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [15624] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net Information: 0 : [15624] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [15624] AcquireCredentialsHandle() failed with error 0X8009030D.
System.Net.Sockets Verbose: 0 : [15624] Socket#38259205::Dispose()
System.Net Error: 0 : [15624] Exception in the HttpWebRequest#54558071:: - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Error: 0 : [15624] Exception in the HttpWebRequest#54558071::GetResponse - The request was aborted: Could not create SSL/TLS secure channel.
System.Net Verbose: 0 : [15624]
我知道这看起来像正确的用户/身份没有被授予对证书的访问权限(来自 winhttpcertcfg),但我非常确定它有,这就是为什么我在这里不知所措,
希望有一些真正的 https 证书/web 服务技能的人可以帮助我 :-)
谢谢。
问候, Jørgen E.
edit1:将标题更改为更准确的名称。 edit2:新信息:
In EventViewer/Windows Logs/Security there is an event "Audit Failure" connected to this:
Cryptographic operation.
Subject:
Security ID: IIS APPPOOL\ASP.NET v4.0
Account Name: ASP.NET v4.0
Account Domain: IIS APPPOOL
Logon ID: 0x32498
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: Not Available.
Key Name: {00E1A3F5-7400-41CA-8290-02983473AEAF}
Key Type: Machine key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x80090010
最佳答案
从日志中提取的内容不多,但是...
Google-fu 产生以下结果:0x80090010 很可能是证书访问错误。
据此,我很有可能得出结论,您需要为您的 SSL 证书私钥设置权限 - 以便 IIS 可以访问它。 看: http://www.dotnetnoob.com/2011/01/how-to-give-iis-access-to-private-keys.html
另一个选项的类似问题:The request was aborted: Could not create SSL/TLS secure channel
关于c# - SSL 网络服务 : Could not create SSL/TLS secure channel,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/13413214/