问题描述

我正在尝试获取需要服务器端证书和私钥的外部REST Web服务（我都是从发布者那里以 *。pem 该服务的文件）。

I'm trying to get this external REST webservice that requires both a server-side certificate and a private key (both of which I got from the publisher as *.pem files of that service).

为了进行测试，我用Google搜索了一下，找到了一种将这两部分组合成 *。pfx 的方法code>文件-并从磁盘上的该二进制文件加载 X509Certificate2 实例正常。

For my testing, I googled and found a way to combine these two pieces into a *.pfx file - and loading a X509Certificate2 instance from that binary file on disk works just fine.

现在，我试图将其放入生产的Windows Server 2008的证书存储中。

Now I was trying to put this into the Cert Store on my production Windows Server 2008.

我可以获得 X509Certificate2 从我的C＃代码中的证书存储中-没问题：

I can get the X509Certificate2 from the cert store in my C# code - no problem:

X509Store store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);

X509Certificate2Collection certs = store.Certificates.Find(X509FindType.FindBySerialNumber, "serial-number-here", false);

if (certs.Count > 0)
{
    X509Certificate2 cert = certs[0];

    // set the certificate on the RestClient to call my REST service
    _restClient.ClientCertificates.Add(cert);
}

store.Close();

但是，当我这样做时，Web服务却对我bar之以鼻，声称它需要一个 SSL证书 ...

But when I do this, then the web service barfs at me, claiming it needs a "SSL certificate"...

另外：当我从磁盘加载 X509Certificate2 时，从该 *。pfx 文件，我必须提供密码-从证书存储区加载时，这里不需要提供任何密码....奇怪....

Also: when I was loading the X509Certificate2 from disk, from that *.pfx file, I had to provide a password - nothing needs to be provided here, when loading from the cert store.... odd....

看来，即使我导入了同时包含服务器端证书和我们的私钥的 *。pfx 从证书存储中...

It seems that even though I imported the *.pfx which contains both the server-side certificate and our private key, somehow I cannot get both back from the cert store...

有什么办法可以使它工作吗？我是否需要在第二步中从证书存储中加载私钥？怎么样？

Any idea how I can get this to work? Do I need to load the private key from the cert store in a second step? How?

这些证书对我来说仍然仍然是像伏都教一样的大谜题……..有人可以启发我吗？

These certificates still remain mainly a big voodoo-like mystery to me ..... can anyone enlighten me?

推荐答案

首先要检查的是证书存储区是否确实具有私钥。

The first thing to check is to see whether the certificate store does have the private key.

1. 打开证书管理单元，找到您的证书，双击并确保它具有红色突出显示的部分，如下图所示：
   

下一步，如果私钥在商店中，则也许访问证书的帐户没有私钥权限。有两种检查方法：

Next, if the private key is in the store then maybe the account accessing the certificate does not have permissions on the private key. There are two ways to check this:

1. 在证书管理单元中，右键单击证书>所有任务>管理私钥。 （您应该可以在此处检查和编辑权限）


2. 在您的代码中，您可以访问PrivateKey属性（即，执行var privateKey = cert.PrivateKey并查看是否将其取回）。