Upon installation of a client side certificate, I am getting the exception "Object contains only the public half of a key pair. A private key must also be provided". My application is a VC#.NET application running over an ASP.NET platform. The application also uses WSE 2.0 to import certificates for making SOAP requests.
Upon research, I've found that this exception is of type System.Security.Cryptography.CryptographicException.
I am pretty positive all my WSE settings are configured correctly, since I was able to find a similar certificate by subject-distinguished-name. Any ideas will be greatly appreciated.
2 Answers
#1
12
I was recently having the same problem. I found one explanation here that worked for me. Specifically, the permissions for the private key. The full info is copied below.
There are a couple of things that I would look at first:
- Do you have a private key for this certificate?
- Have you given permission for your application to access the private key?
You can establish whether you have a private key by viewing the certificate through the Windows Certificate Store. To get to this, follow these steps:
- From the Windows Start menu, select Run.
- Type mmc in the Open: field. Click OK.
- Select "Add/Remove Snap-in" from the File menu.
- Click the Add button.
- Select "Certificates" from the list of Available Standalone Snap-ins. Click the Add button.
- Select "Computer account." Click Next.
- Select "Local Computer". Click Finish.
- Click Close.
- Click OK.
- Expand the Certificates node under the Console Root and open the Personal store.
- Double-click the Certificate you're using. If you have a private key, the dialog will display a message at the bottom that says "You have a private key that corresponds to this certificate".
If you have a private key, then ensure that your application has permission to access the key:
- Open Windows Explorer.
- Navigate to the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
- Select the files containing the keys that the WSE will need to retrieve.
- From the File menu, select Properties.
- On the Security tab, add the ASPNET account and select the Full Control option.
Notes:
1. Determining which key file in the MachineKeys folder is associated with a certificate can be difficult. One easy method is to note the creation date and time when creating a new certificate. When you view the files in the MachineKeys directory, check the Date Modified field for the corresponding date and time.
2. If you have configured your system to run under a different account than ASPNET, use that account when granting permissions to access the certificate.
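The two checks in this answer (does the store entry carry a private key, and can the worker process read the key file) can be scripted instead of done by hand. The script below is an added example, not code from the answer or from WSE. It targets Windows PowerShell 5.1 (.NET Framework) and a CSP-backed RSA key, which is what the MachineKeys path above implies; it maps the certificate to its key file through the key container name rather than by file timestamp, uses the %ProgramData% form of the MachineKeys path that replaced the Documents and Settings path on later Windows versions, and grants Read rather than Full Control, which is all the worker process needs in order to use the key. The subject name and the app pool identity are placeholders.

```powershell
# Added example (not from the original answer): locate a LocalMachine\My certificate,
# confirm it has a private key, find its CSP key file and grant the worker identity Read.
# Run from an elevated Windows PowerShell 5.1 prompt. Subject and identity are placeholders.
function Grant-CertificateKeyRead {
    param(
        [string]$SubjectName = 'soap.partnersite.com',          # placeholder, as in the page's snippet
        [string]$Identity    = 'IIS AppPool\MyWebServicePool'   # hypothetical worker process identity
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $cert = $store.Certificates.Find('FindBySubjectName', $SubjectName, $false) | Select-Object -First 1
    $store.Close()
    if (-not $cert) { throw "No certificate with subject '$SubjectName' in LocalMachine\My" }

    # Check 1 (the mmc dialog's "You have a private key..." line): is there a private key at all?
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) holds only the public half; re-import the PFX with its private key"
    }

    # Check 2: map the certificate to its key file. For CSP keys the container's
    # UniqueKeyContainerName is the file name under MachineKeys.
    $rsa = $null
    try { $rsa = $cert.PrivateKey } catch { }
    if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
        throw "Key is not a CSP key; a CNG key lives under %ProgramData%\Microsoft\Crypto\Keys instead"
    }
    $info = $rsa.CspKeyContainerInfo
    if (-not $info.MachineKeyContainer) {
        # A key imported into the importing user's profile is invisible to the IIS identity.
        throw "Key is in a user key container, not the machine container; re-import with the machine key set"
    }
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
    if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

    # Grant Read only: enough to use the key, narrower than the Full Control in the answer.
    $acl  = Get-Acl $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting entries so the change can be verified.
    (Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Grant-CertificateKeyRead -SubjectName 'soap.partnersite.com' -Identity 'IIS AppPool\MyWebServicePool' |
    Format-Table -AutoSize
```

If the script stops at the user-container check, the private key was imported into the profile of whoever ran the import; re-importing into the Local Computer store (so the key lands in the machine key set) is the fix, and no ACL change on a user-profile key will help the IIS identity.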
#2
0
After encountering the same exception: System.Security.Cryptography.CryptographicException, Object contains only the public half of a key pair, I proofed an alternative, but less optimal, solution.
Situation: Certificate / key lookup worked great inside of Visual Studio IIS Express, but while the Web Application was running under the proper IIS service, I always received the 'Contains only public half of key pair' exception.
I used the WSE3 CertificateTool to locate the private key section on the filesystem and attempted at length to adjust the user permission settings to give the ASP user permissions as per the above answer.
My eventual fix, which was not pretty, was to create a new IIS Application Pool specific to my Web service code and set the user identity the pool runs as to the local machine owner of the certificate + private key.
The final location I installed the certificate in was "Local Computer / Trusted People".
Using WSE3 CustomPolicyAssertion, C# .NET:
```csharp
using System.Security.Cryptography.X509Certificates;   // StoreLocation, StoreName, X509FindType
using Microsoft.Web.Services3.Security.Tokens;          // X509TokenProvider, X509SecurityToken (WSE 3.0)

// Look the client certificate up by subject name in Local Computer / Trusted People.
X509SecurityToken clientToken = X509TokenProvider.CreateToken(StoreLocation.LocalMachine,
    StoreName.TrustedPeople, "soap.partnersite.com", X509FindType.FindBySubjectName);
```
After updating the App Pool Identity, no private key file overrides were necessary when changing the application pool owner.
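The dedicated application pool described in this answer can be set up from the WebAdministration module rather than the IIS Manager UI. The script below is an added example, not the answer's own code; the pool name, site path and account are placeholders, and it prompts for the account's password instead of embedding it. Because the pool then runs as the account that already owns the private key, no key-file ACL edit is needed, which is the effect the answer reports.

```powershell
# Added example (not from the original answer): create a dedicated app pool, run it as the
# account that owns the certificate's private key, bind the application to it, and read the
# identity back. Run elevated on the IIS host. Names below are placeholders.
Import-Module WebAdministration

$poolName = 'SoapClientPool'                                   # hypothetical dedicated pool
$appPath  = 'IIS:\Sites\Default Web Site\MyWebService'         # hypothetical application path
$cred     = Get-Credential -Message 'Account that owns the certificate + private key'

if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}

# Run the worker process as a specific account rather than the default ApplicationPoolIdentity.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value SpecificUser
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.userName     -Value $cred.UserName
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.password     -Value $cred.GetNetworkCredential().Password

# Move only this web service into the new pool; other applications keep their own identity.
if (Test-Path $appPath) {
    Set-ItemProperty $appPath -Name applicationPool -Value $poolName
}

Restart-WebAppPool -Name $poolName

# Verify: the pool should now report the chosen identity (the password is not echoed).
Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel |
    Select-Object identityType, userName
```

Keeping the pool specific to the one web service, as the answer does, limits how much code runs under the key-owning account; everything else on the server stays under its own pool identity.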