CngKey.Create 不支持请求的操作
The requested operation is not supported in CngKey.Create
我正在尝试在 C# 程序集(目标 .NET 4.0)中(以编程方式)动态生成自签名证书,以用作生成其他证书的根 CA。证书不需要保存在 Windows 证书存储中,我会将其导出为文件。
通读this question (and in particular, @dthorpe's answer), I decided to give a try to CLR Security。
CLR Security 库在 CngKey class 上放置了一个扩展方法来生成自签名证书,但我无法成功创建 CngKey 的实例:
var key = CngKey.Create(CngAlgorithm.Sha1); //same with Sha256, Sha512 and MD5
//or
var key = CngKey.Create(CngAlgorithm.Sha1, null, new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.AllowExport,
KeyUsage = CngKeyUsages.AllUsages,
KeyCreationOptions = CngKeyCreationOptions.MachineKey,
});
这些行中的任何一行都会引发异常:
System.Security.Cryptography.CryptographicException was unhandled
HResult=-2146893783
Message=The requested operation is not supported.
Source=System.Core
StackTrace:
at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm, String keyName, CngKeyCreationParameters creationParameters)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm)
at Tests.Program.Main(String[] args) at Program.cs:line 51
通过 SO 和互联网搜索,我检查了以下内容:
- 我是 运行 一个 Windows 7 盒子(因此它支持 MSDN 的 RPC)
- 在 Windows Server 2012 盒子上试过,同样的错误
- 该进程是 运行 管理员(因此无论如何它都可以访问所有证书存储)
- 服务
CNG Key Isolation 和 Remote Procedure Call (RPC) 是 运行
如有任何帮助,我们将不胜感激。
小题外话:在 google 搜索这个问题时发现 a site with HRESULT descriptions 和 SO 和 MSDN 上的便捷搜索工具(我只是 googled 为您 HRESULT代码 -2146893783)
我找到了 topic on MSDN which contains code failing with similar HRESULT, and the author provides a link to MSDN article about CNG:
NCRYPT_ALGORITHM_GROUP_PROPERTY
L"Algorithm Group"
A null-terminated Unicode string that contains the name of the object's algorithm group. This property only applies to keys. The following identifiers are returned by the Microsoft key storage provider:
- NCRYPT_RSA_ALGORITHM_GROUP
"RSA", The RSA algorithm group.
- NCRYPT_DH_ALGORITHM_GROUP
"DH", The Diffie-Hellman algorithm group.
- NCRYPT_DSA_ALGORITHM_GROUP
"DSA", The DSA algorithm group.
- NCRYPT_ECDSA_ALGORITHM_GROUP
"ECDSA", The elliptic curve DSA algorithm group.
- NCRYPT_ECDH_ALGORITHM_GROUP
"ECDH", The elliptic curve Diffie-Hellman algorithm group.
我还在 MSDN 上找到了一篇关于 CNG Key Storage Providers 的文章,其中包含类似的算法列表:
- Diffie-Hellman (DH)
Secret agreement and key exchange, 512 to 4096 in 64-bit increments
- Digital Signature Algorithm (DSA)
Signatures,
512 to 1024 in 64-bit increments
- Elliptic Curve Diffie-Hellman (ECDH)
Secret agreement and key exchange,
P256, P384, P521
- Elliptic Curve Digital Signature Algorithm (ECDSA)
Signatures,
P256, P384, P521
- RSA
Asymmetric encryption and signing,
512 to 16384 in 64-bit increments
因此,正如您所说,您只尝试了 Sha1、Sha256、Sha512 和 MD5,也许您只需使用另一个 algorithm from list available?你可以找到上面提到的那些:
Here other developers successfully created 其中之一并且能够导出它:
var cngKey = CngKey.Create(CngAlgorithm.ECDiffieHellmanP256, null,
new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowPlaintextExport });
我正在尝试在 C# 程序集(目标 .NET 4.0)中(以编程方式)动态生成自签名证书,以用作生成其他证书的根 CA。证书不需要保存在 Windows 证书存储中,我会将其导出为文件。
通读this question (and in particular, @dthorpe's answer), I decided to give a try to CLR Security。
CLR Security 库在 CngKey class 上放置了一个扩展方法来生成自签名证书,但我无法成功创建 CngKey 的实例:
var key = CngKey.Create(CngAlgorithm.Sha1); //same with Sha256, Sha512 and MD5
//or
var key = CngKey.Create(CngAlgorithm.Sha1, null, new CngKeyCreationParameters()
{
ExportPolicy = CngExportPolicies.AllowExport,
KeyUsage = CngKeyUsages.AllUsages,
KeyCreationOptions = CngKeyCreationOptions.MachineKey,
});
这些行中的任何一行都会引发异常:
System.Security.Cryptography.CryptographicException was unhandled
HResult=-2146893783
Message=The requested operation is not supported.
Source=System.Core
StackTrace:
at System.Security.Cryptography.NCryptNative.CreatePersistedKey(SafeNCryptProviderHandle provider, String algorithm, String name, CngKeyCreationOptions options)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm, String keyName, CngKeyCreationParameters creationParameters)
at System.Security.Cryptography.CngKey.Create(CngAlgorithm algorithm)
at Tests.Program.Main(String[] args) at Program.cs:line 51
通过 SO 和互联网搜索,我检查了以下内容:
- 我是 运行 一个 Windows 7 盒子(因此它支持 MSDN 的 RPC)
- 在 Windows Server 2012 盒子上试过,同样的错误
- 该进程是 运行 管理员(因此无论如何它都可以访问所有证书存储)
- 服务
CNG Key Isolation和Remote Procedure Call (RPC)是 运行
如有任何帮助,我们将不胜感激。
小题外话:在 google 搜索这个问题时发现 a site with HRESULT descriptions 和 SO 和 MSDN 上的便捷搜索工具(我只是 googled 为您 HRESULT代码 -2146893783)
我找到了 topic on MSDN which contains code failing with similar HRESULT, and the author provides a link to MSDN article about CNG:
NCRYPT_ALGORITHM_GROUP_PROPERTYL"Algorithm Group"
A null-terminated Unicode string that contains the name of the object's algorithm group. This property only applies to keys. The following identifiers are returned by the Microsoft key storage provider:
- NCRYPT_RSA_ALGORITHM_GROUP
"RSA", TheRSAalgorithm group.- NCRYPT_DH_ALGORITHM_GROUP
"DH", TheDiffie-Hellmanalgorithm group.- NCRYPT_DSA_ALGORITHM_GROUP
"DSA", TheDSAalgorithm group.- NCRYPT_ECDSA_ALGORITHM_GROUP
"ECDSA", Theelliptic curve DSAalgorithm group.- NCRYPT_ECDH_ALGORITHM_GROUP
"ECDH", Theelliptic curve Diffie-Hellmanalgorithm group.
我还在 MSDN 上找到了一篇关于 CNG Key Storage Providers 的文章,其中包含类似的算法列表:
- Diffie-Hellman (DH)
Secret agreement and key exchange,512 to 4096 in 64-bit increments- Digital Signature Algorithm (DSA) Signatures,
512 to 1024 in 64-bit increments- Elliptic Curve Diffie-Hellman (ECDH) Secret agreement and key exchange,
P256, P384, P521- Elliptic Curve Digital Signature Algorithm (ECDSA) Signatures,
P256, P384, P521- RSA Asymmetric encryption and signing,
512 to 16384 in 64-bit increments
因此,正如您所说,您只尝试了 Sha1、Sha256、Sha512 和 MD5,也许您只需使用另一个 algorithm from list available?你可以找到上面提到的那些:
Here other developers successfully created 其中之一并且能够导出它:
var cngKey = CngKey.Create(CngAlgorithm.ECDiffieHellmanP256, null,
new CngKeyCreationParameters { ExportPolicy = CngExportPolicies.AllowPlaintextExport });