私钥在Windows Server 2008 R2中意外删除

Question

我在开发安装时面临一个奇怪的问题,应该在其中一个步骤中安装证书.

问题与在Windows Server 2008 R2上为帐户(例如IIS_IUSRS)授予证书的私钥访问权限有关.私钥存储在位置C:\ Users\All Users\Microsoft\Crypto\RSA\MachineKeys中.

自定义C#安装项目导入证书,并在安装过程中为证书的私钥提供访问权限.一段时间(2-3秒)后,私钥文件将自动从MachineKeys文件夹中删除.因此,安装的Web应用程序无法访问特定证书并显示以下错误消息:

"System.Security.Cryptography.CryptographicException:Keyset不存在".此错误仅在Windows Server 2008 R2上发生,而对于Windows Server 2003,一切正常.

我的问题是,为什么私钥被删除以及哪个进程会这样做？

谢谢

更新17/05/2012

我还没有找到所描述问题的解决方案,并且我在其他论坛上没有发布任何回复(forums.asp.net,social.msdn.microsoft.com).那么,任何人都可以建议任何其他资源或建议,以进一步解决此问题吗？

再次感谢

Answer 1

这也发生在我身上 - 我的安装脚本会添加证书并授予对PK文件的访问权限,并且应用程序可以正常工作.然后,在我关闭PowerShell编辑器后,我重新启动了应用程序,但由于找不到密钥集,它失败了.

导入证书时添加PersistKeySet标志可解决问题.以下是使用持久性添加证书和私钥的PowerShell代码:

param(
    [string]$certStore = "LocalMachine\TrustedPeople",
    [string]$filename = "sp.pfx",
    [string]$password = "password",
    [string]$username = "$Env:COMPUTERNAME\WebSiteUser"
)

function getKeyFilePath($cert) {
    return "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\" + $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
}

$certFromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filename, $password)
$certFromStore = Get-ChildItem "Cert:\$certStore" | Where-Object {$_.Thumbprint -eq $certFromFile.Thumbprint}
$certExistsInStore = $certFromStore.Count -gt 0
$keyExists = $certExistsInStore -and ($certFromStore.PrivateKey -ne $null) -and (Test-Path(getKeyFilePath($certFromStore)))

if ((!$certExistsInStore) -or (!$keyExists)) {

    $keyFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet 
    $keyFlags = $keyFlags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $certFromFile.Import($filename, $password, $keyFlags)

    $store = Get-Item "Cert:\$certStore"
    $store.Open("ReadWrite")

    if ($certExistsInStore) {
        #Cert is in the store, but we have no persisted private key
        #Remove it so we can add the one we just imported with the key file
        $store.Remove($certFromStore)
    }

    $store.Add($certFromFile)
    $store.Close()

    $certFromStore = $certFromFile
    "Installed x509 certificate"
}

$pkFile = Get-Item(getKeyFilePath($certFromStore))
$pkAcl = $pkFile.GetAccessControl("Access")
$readPermission = $username,"Read","Allow"
$readAccessRule = new-object System.Security.AccessControl.FileSystemAccessRule $readPermission
$pkAcl.AddAccessRule($readAccessRule)
Set-Acl $pkFile.FullName $pkAcl
"Granted read permission on private key to web user"