Private keys are deleted unexpectedly in Windows Server 2008 R2

I ran into a strange problem while developing an installer, one of whose stages installs a certificate.

The problem is with granting an account (for example, IIS_IUSRS) access to the private key of certificates on Windows Server 2008 R2. Private keys are stored in the folder C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys.

The C# custom installation project imports the certificate and grants the account access to the certificate's private key during installation. After some time (2-3 seconds), the private key file is automatically deleted from the MachineKeys folder. As a result, the installed web application cannot access that certificate and displays the following error message:

"System.Security.Cryptography.CryptographicException: Keyset does not exist." This error only occurs in Windows Server 2008 R2, whereas for Windows Server 2003 everything works correctly.

My question is: why is the private key deleted and what process does it?

Thanks

UPDATE 05/17/2012

I have not yet found a solution to the described problem, and on the other forums where I asked (forums.asp.net, social.msdn.microsoft.com) there was no answer. So, can anyone suggest any other resources or recommendations for fixing this issue?

Thanks again

+3
3 answers

- script PK, . , , PowerShell, , , .

PersistKeySet . PowerShell :

param(
    [string]$certStore = "LocalMachine\TrustedPeople",
    [string]$filename = "sp.pfx",
    [string]$password = "password",
    [string]$username = "$Env:COMPUTERNAME\WebSiteUser"
)

# Path of the key container file under MachineKeys that backs the certificate's private key
function getKeyFilePath($cert) {
    return "$ENV:ProgramData\Microsoft\Crypto\RSA\MachineKeys\" + $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
}

$certFromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filename, $password)
# Wrap in @() so .Count is defined even for a single match (PowerShell 2.0 returns $null for .Count on a scalar)
$certFromStore = @(Get-ChildItem "Cert:\$certStore" | Where-Object {$_.Thumbprint -eq $certFromFile.Thumbprint})
$certExistsInStore = $certFromStore.Count -gt 0
if ($certExistsInStore) { $certFromStore = $certFromStore[0] }
# PrivateKey comes back $null when the key container file has already been deleted
$keyExists = $certExistsInStore -and ($certFromStore.PrivateKey -ne $null) -and (Test-Path (getKeyFilePath $certFromStore))

if ((!$certExistsInStore) -or (!$keyExists)) {

    # MachineKeySet: put the key under MachineKeys; PersistKeySet: keep it after this object is released
    $keyFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
    $keyFlags = $keyFlags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
    $certFromFile.Import($filename, $password, $keyFlags)

    $store = Get-Item "Cert:\$certStore"
    $store.Open("ReadWrite")

    if ($certExistsInStore) {
        #Cert is in the store, but we have no persisted private key
        #Remove it so we can add the one we just imported with the key file
        $store.Remove($certFromStore)
    }

    $store.Add($certFromFile)
    $store.Close()

    $certFromStore = $certFromFile
    "Installed x509 certificate"
}

# Grant the web user read access to the key container file (what "Manage Private Keys" does in the MMC)
$pkFile = Get-Item (getKeyFilePath $certFromStore)
$pkAcl = $pkFile.GetAccessControl("Access")
$readPermission = $username,"Read","Allow"
$readAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $readPermission
$pkAcl.AddAccessRule($readAccessRule)
Set-Acl $pkFile.FullName $pkAcl
"Granted read permission on private key to web user"
+5

, System.Security. ". . , .

. - > - > cmd- > mmc- > - > /- > - > - > - > ., , :


Open -> Certificates -> Personal -> Certificates -> Certificate -> All Tasks -> Manage Private Keys -> Add Network Service.

, , Windows Server 2008., , , .

+1

http://referencesource.microsoft.com/#System/security/system/security/cryptography/x509/x509certificate2collection.cs,256 , PersistKeySet. PersistKeySet https://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509keystorageflags%28v=vs.110%29.aspx ", PFX, ". , : " PersistKeySet, X509Certificate2, ". , .Import. , Import-PfxCertificate powershell . , OP, . ejegg script . , 3 , , , .

The symptom we saw in PowerShell is that the HasPrivateKey property is set, but the PrivateKey value is null, and the key file for the certificate in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys has been deleted. The FindPrivateKey utility at https://msdn.microsoft.com/en-us/library/aa717039(v=vs.110).aspx helped us see how the file is deleted.

So happy 4th birthday question with this very late answer.

+1
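The same fix carried into the C# installer the question describes, as an added example (not code from the question, the answers, or the ejegg script): import with PersistKeySet so the key container outlives the X509Certificate2 object, grant the account read access to the key file, and check afterwards for the symptom the last answer describes. The store (LocalMachine\My), the PFX path, the password and the account name are assumptions.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertInstaller // added example; pfxPath, password and account are placeholders
{
    static readonly string MachineKeysDir = Path.Combine(Environment.GetFolderPath(
        Environment.SpecialFolder.CommonApplicationData), @"Microsoft\Crypto\RSA\MachineKeys");

    // Key container file behind the private key; reading PrivateKey throws "Keyset does not exist" once it is gone.
    public static string KeyFilePath(X509Certificate2 cert)
    {
        var csp = (RSACryptoServiceProvider)cert.PrivateKey;
        return Path.Combine(MachineKeysDir, csp.CspKeyContainerInfo.UniqueKeyContainerName);
    }

    // MachineKeySet puts the container under MachineKeys; PersistKeySet keeps it after this object is
    // collected. Without it the container is temporary and is removed when the X509Certificate2 is
    // finalized, which is why the key file disappears a few seconds after the installer ran.
    public static X509Certificate2 Import(string pfxPath, string password)
    {
        var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet;
        var cert = new X509Certificate2(pfxPath, password, flags);
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); } finally { store.Close(); }
        return cert;
    }

    // What "Manage Private Keys" does in the MMC: grant the account read access to the key file.
    public static void GrantRead(X509Certificate2 cert, string account)
    {
        string keyFile = KeyFilePath(cert);
        FileSecurity acl = File.GetAccessControl(keyFile);
        acl.AddAccessRule(new FileSystemAccessRule(account, FileSystemRights.Read, AccessControlType.Allow));
        File.SetAccessControl(keyFile, acl);
    }

    // Post-install check for the symptom in the last answer: HasPrivateKey is set but the key
    // cannot be opened, or its container file is gone from MachineKeys.
    public static bool PrivateKeyIsIntact(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 && found[0].HasPrivateKey && File.Exists(KeyFilePath(found[0]));
        }
        catch (CryptographicException) { return false; }
        finally { store.Close(); }
    }
}
```

Call Import, then GrantRead on the returned certificate, and run PrivateKeyIsIntact a few seconds later from a separate process to confirm the container survived collection of the installer's objects.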
