我希望在运行在IIS服务器下的.NET应用程序中添加相互身份验证的功能(它是调用另一个web服务的Web服务)。客户端应用程序从文件加载客户端证书,在我的开发机上使用以下代码可以正常工作(我尝试了Windows 7和Windows 10,使用.NET 4.6.2):
var handler = new WebRequestHandler();
var certificate = new X509Certificate2(clientCertPath); -- PFX file with client cert and private key
handler.ClientCertificates.Add(certificate);
handler.AuthenticationLevel = AuthenticationLevel.MutualAuthRequired;
client = new HttpClient(handler);
但是,当这段代码部署到生产的 Windows 2016 服务器上时,应用程序会抛出 The request was aborted: Could not create SSL/TLS secure channel.
的错误。
我启用了 System.Net
的跟踪功能,以下是日志记录的内容:
SecureChannel#66407304 - Certificate is of type X509Certificate2 and contains the private key.
AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
AcquireCredentialsHandle() failed with error 0X8009030D.
AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
AcquireCredentialsHandle() failed with error 0X8009030D.
Exception in HttpWebRequest#60537518:: - The request was aborted: Could not create SSL/TLS secure channel..
事实证明,这个错误是由于IIS用户没有权限读取PFX文件中的私钥引起的。因此,当我将其导入到机器证书存储并通过在客户端证书上右键单击“所有任务->管理私钥...”添加时,一切都正常工作,但我想避免这种情况。
有没有一种方法可以在Windows Server上使用从文件加载的客户端证书,而不必将客户端证书PFX文件导入到证书存储中?
IIS_IUSRS
添加到所有任务->管理私钥...
时,它可以工作。我会编辑问题... - klappvisor