C#: Retrieving a certificate with its full chain from Azure Key Vault

Question Votes: 0 Answers: 3

When downloading a certificate version from Azure Key Vault, I cannot get the full certificate chain. Note: I am using .NET Framework 4.7.2.

When I manually import the downloaded certificate into the local store and then export it to a file with a password, and later load that certificate in C#, I can get the full chain.

Is there a way to get the full chain directly from Key Vault?

Here is the code snippet.

// certificateClient is an instance of CertificateClient created earlier (not shown)
DownloadCertificateOptions downloadCertOptions = new DownloadCertificateOptions(certificateProperties.Name);
downloadCertOptions.Version = certificateProperties.Version;
downloadCertOptions.KeyStorageFlags = X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
X509Certificate2 cert = certificateClient.DownloadCertificate(downloadCertOptions);

byte[] exportedCert = cert.Export(X509ContentType.Pfx);
//byte[] exportedCert = cert.Export(X509ContentType.Pkcs12);  // Pkcs12 is an alias of Pfx

// Import returns void; the collection is populated in place
X509Certificate2Collection collection = new X509Certificate2Collection();
string password = "";
collection.Import(exportedCert, password, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

Console.WriteLine($"Collection has {collection.Count} certs");

**Expecting 3 certificates (leaf, intermediate and root)**, but only getting one (the leaf).

c# azure-keyvault x509certificate2
3 Answers
0
votes

To get the full certificate including the private key, you need to download it from Azure Key Vault as a secret; fetching it as a certificate will only contain the public key.


0
votes

Just ran into the same problem: basically, you want to download the full secret, then initialize a collection from the raw bytes. That will contain the full chain.

using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Any TokenCredential works; DefaultAzureCredential is used here
var credential = new DefaultAzureCredential();
var secretClient = new SecretClient(new Uri("https://somekb.vault.azure.net/"), credential);

// The certificate's backing secret holds the PKCS#12 blob with the private key and the chain
KeyVaultSecret secret = secretClient.GetSecret("mycertname");

var privateKeyBytes = Convert.FromBase64String(secret.Value);
X509Certificate2Collection x509Certificate2Collection = new X509Certificate2Collection();
x509Certificate2Collection.Import(privateKeyBytes, (string)null, X509KeyStorageFlags.PersistKeySet);

// Add every certificate in the blob to the LocalMachine personal store
foreach (X509Certificate2 certificate in x509Certificate2Collection)
{
    X509Store x509Store2 = new X509Store(StoreLocation.LocalMachine);
    x509Store2.Open(OpenFlags.ReadWrite);
    x509Store2.Add(certificate);
    x509Store2.Close();
}
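
The answer above writes every certificate in the blob, leaf and private key included, into the LocalMachine personal store. As an added example (not code from the question, any answer, or the Azure SDK), the following shows the secret-based download from the first two answers carried through to a chain check that needs no store write at all: the PKCS#12 blob is split into the end-entity certificate and its issuers, and the issuers are handed to X509Chain as ExtraStore so the chain builds even on a machine where the intermediates were never installed. The vault URI, certificate name and credential type are assumptions; trust still comes from the machine's Root store, since ExtraStore only supplies candidate issuers.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example, not from the question or any answer. "somekb" and "mycertname" are placeholders.
public static class KeyVaultChainLoader
{
    // Result of splitting the PKCS#12 blob that Key Vault stores behind a certificate.
    public sealed class CertificateChain
    {
        public X509Certificate2 Leaf;               // end-entity certificate, carries the private key
        public X509Certificate2Collection Issuers;  // intermediates (and root, if present) from the same blob
    }

    // Download the certificate's backing secret and split it into leaf and issuers.
    public static CertificateChain Load(Uri vaultUri, string certificateName)
    {
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        KeyVaultSecret secret = client.GetSecret(certificateName);

        // Key Vault tags the secret with its format; only PKCS#12 is handled here.
        // A certificate stored as "application/x-pem-file" would need a PEM parser instead.
        if (!string.Equals(secret.Properties.ContentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
            throw new NotSupportedException($"Unexpected content type: {secret.Properties.ContentType}");

        return Split(Convert.FromBase64String(secret.Value));
    }

    // Import every certificate in the PKCS#12 blob without touching a certificate store.
    // EphemeralKeySet (.NET Framework 4.7.2+ / .NET Core 2.0+) keeps the private key in memory only;
    // PersistKeySet is only needed when the certificate is going to be added to a store.
    public static CertificateChain Split(byte[] pkcs12)
    {
        var all = new X509Certificate2Collection();
        all.Import(pkcs12, (string)null, X509KeyStorageFlags.EphemeralKeySet);

        var result = new CertificateChain { Issuers = new X509Certificate2Collection() };
        foreach (X509Certificate2 cert in all)
        {
            if (cert.HasPrivateKey && result.Leaf == null)
                result.Leaf = cert;
            else
                result.Issuers.Add(cert);
        }
        if (result.Leaf == null)
            throw new InvalidOperationException("No certificate with a private key found in the secret.");
        return result;
    }

    // Build the chain with the downloaded issuers as ExtraStore. ExtraStore supplies candidate
    // issuers only; Build still returns false unless the root is trusted by the machine.
    public static bool ChainBuilds(CertificateChain chain, out X509ChainStatus[] status)
    {
        using (var builder = new X509Chain())
        {
            builder.ChainPolicy.ExtraStore.AddRange(chain.Issuers);
            builder.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            bool ok = builder.Build(chain.Leaf);
            status = builder.ChainStatus;
            return ok;
        }
    }

    public static void Main()
    {
        CertificateChain chain = Load(new Uri("https://somekb.vault.azure.net/"), "mycertname");
        Console.WriteLine($"Leaf: {chain.Leaf.Subject}; issuers in blob: {chain.Issuers.Count}");

        X509ChainStatus[] status;
        bool trusted = ChainBuilds(chain, out status);
        Console.WriteLine(trusted
            ? "Chain builds to a trusted root."
            : "Chain failed: " + string.Join("; ", status.Select(s => s.StatusInformation.Trim())));
    }
}
```

Only the leaf is ever handed to X509Chain.Build; the issuers go to ExtraStore, so nothing needs ReadWrite access to LocalMachine and the private key never leaves process memory. If the chain must also be used by code that expects the intermediates in the CertificateAuthority store, add only chain.Issuers there, not the leaf.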

-1
votes

I also received the following reply from the Azure team on another issue. But it may be relevant to you https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/keyvault/samples/getcert/Program.cs#L100

This is the Azure SDK sample on how to get the certificate chain and private key from Az Key Vault.
