blocks|key|1614460|text|我昨晚也有同样的问题。私钥上的权限设置正确，除了密钥集不存在错误外，一切都很正常。最后，证书首先导入到当前用户存储区，然后移动到本地机器存储区。但是-这并没有移动私钥，它仍然在|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1614461|C:\Documents+and+settngs\Administrator...|1614462|而不是|1614463|C:\Documents+and+settngs\所有用户...|1614464|尽管正确设置了密钥的权限，但ASPNET无法访问它。当我们重新导入证书以便将私钥放在All+users分支中时，问题就消失了。|1614465|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|M|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|N|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|O|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|P|8|@]|9|@]|A|$]]|$1|J|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|K|$]]

I've had identical issue last night. Permissions on private key were set correctly, everything was apparently fine except the Keyset doesn't exist error. In the end it turned out that certificate was imported to the current user store first and then moved to local machine store. However - that didn't move the private key, which was still in the 

C:\Documents and settngs\Administrator...

instead of 

C:\Documents and settngs\All users...

Altough permissions on the key were set correctly, ASPNET couldn't access it. When we re-imported certificate so that private key is placed in the All users branch, the problem disappeared.

blocks|key|1615012|text|在尝试从Visual+Studio运行WCF应用程序时也遇到了同样的问题。通过以管理员身份运行Visual+Studio解决了此问题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1615013|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

Had the same problem while trying to run WCF app from Visual Studio. Solved it by running Visual Studio as administrator.

blocks|key|1400186|text|完全令人沮丧的是，我遇到了同样的问题，并尝试了上面的大部分方法。导出的证书正确地具有读取C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys中的文件的权限，但事实证明它没有文件夹的权限。添加了它，并且它起作用了|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|1400187|entityMap^0|18|1B|0^^$0|@$1|2|3|4|5|6|7|H|8|@$9|I|A|J|B|C]]|D|@]|E|$]]|$1|F|3|-4|5|6|7|K|8|@]|D|@]|E|$]]]|G|$]]

Totally frustrating, I had the same issue and tried most of the above. The exported certificate correctly had permissions to read the file in <code>C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys</code>, however as it turns out it didn't have permission on the folder. Added it and it worked

blocks|key|1400338|text|当我运行MVC应用程序时，我得到了这样的错误:+CryptographicException+'Keyset+not+exist‘。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1400339|解决方案是:将访问个人证书的权限授予正在运行应用程序池的帐户。在我的例子中，它是添加IIS_IUSRS，选择正确的位置解决了这个问题。|1400340|RC+on+the+Certificate+-+>+All+tasks+->+Manage+Private+Keys+->+Add->++
For+the+From+this+location+:+Click+on+Locations+and+make+sure+to+select+the+Server+name.+
In+the+Enter+the+object+names+to+select+:+IIS_IUSRS+and+click+ok.+|code-block|syntax|javascript|1400341|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|L|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|M|8|@]|9|@]|A|$G|H]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

I was getting the error : CryptographicException 'Keyset does not exist' when i run the MVC application. 

Solution was : to give access to the personal certificates to the account that application pool is running under. In my case it was to add IIS_IUSRS and choosing the right location resolved this issue.

<pre><code>RC on the Certificate - &gt; All tasks -&gt; Manage Private Keys -&gt; Add-&gt; 
For the From this location : Click on Locations and make sure to select the Server name. 
In the Enter the object names to select : IIS_IUSRS and click ok. 
</code></pre>

blocks|key|1614805|text|我也有类似的问题。我已经使用了命令|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1614806|findprivatekey+root+localmachine+-n+"CN="CertName"+|code-block|syntax|javascript|1614807|结果显示，私钥位于c:\ProgramData文件夹中，而不是C:\Documents和settngs\All+users中。|1614808|当我从c:\ProgramData文件夹中删除密钥时，再次运行findPrivatekey命令不成功。即。它找不到钥匙。|1614809|但是，如果我搜索前面命令返回的相同键，我仍然可以在|1614810|C:\Documents和settngs\所有用户..|1614811|因此，据我所知，IIS或托管的WCF没有从C:\Documents和settngs\All+users中找到私钥。|1614812|entityMap^0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|T|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|U|8|@]|9|@]|A|$]]|$1|I|3|J|5|6|7|V|8|@]|9|@]|A|$]]|$1|K|3|L|5|6|7|W|8|@]|9|@]|A|$]]|$1|M|3|N|5|6|7|X|8|@]|9|@]|A|$]]|$1|O|3|P|5|6|7|Y|8|@]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|Z|8|@]|9|@]|A|$]]]|R|$]]

I have exactly similar problem too.
I have used the command 

<pre><code>findprivatekey root localmachine -n "CN="CertName" 
</code></pre>

the result shows that the private key is in c:\ProgramData folder instead of C:\Documents and settngs\All users..

When I delete the key from c:\ProgramData folder, again run the findPrivatekey command does not succeed. ie. it does not find the key.

But if i search the same key returned by earlier command, i can still find the key in 

C:\Documents and settngs\All users..

So to my understanding, IIS or the hosted WCF is not finding the private key from C:\Documents and settngs\All users..

blocks|key|1400009|text|我发现了一些缺失的信息，这些信息帮助我获得了具有消息级安全性的WCF服务，尽管授予了对互联网上示例生成的所有密钥的权限，但我仍然遇到了“密钥集不存在”这个问题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1400010|最后，我将私钥导入到本地计算机上的trusted+people存储中，然后授予私钥正确的权限。|1400011|这为我填补了空白，最终允许我实现具有消息级安全性的WCF服务。我正在建立一个WCF，必须是HIPPA兼容。|1400012|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

I found some missing information that helped me get my WCF service with Message level security past the "Keyset does not exist" that I kept running into despite granting permissions to all the keys generated from the examples on the internet.

I finally imported the private key into the trusted people store on local machine and then granted the private key the correct permissions.

This filled in the blanks for me and finally allowed me to implement the WCF service with Message level security. I am building a WCF that must be HIPPA compliant.

blocks|key|1400439|text|我刚刚在本地机器上重新安装了我的证书，然后它就可以正常工作了|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1400440|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

I just reinstalled my certificate in local machine and then it is working fine

blocks|key|1615220|text|我在我的PowerShell脚本中也得到了同样的错误。我的修复方法很简单，就是以管理员身份运行脚本。因此，请确保您正在运行的尝试检索证书的应用程序是以管理员身份运行的。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1615221|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

I was getting this same error in my PowerShell scripts. The fix for me was simply to run the script as administrator. So make sure whatever app you're running that attempts to retrieve the certificate is running as admin.

blocks|key|1399845|text|如果将ApplicationPoolIdentity用于应用程序池，则在注册表编辑器中为“虚拟”用户指定权限时可能会出现问题(系统中没有这样用户)。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1399846|因此，请使用subinacl命令行工具来启用设置注册表ACL，或类似以下内容。|offset|length|1399847|entityMap|0|LINK|mutability|MUTABLE|url|http://www.microsoft.com/download/en/details.aspx?id=23510^0|0|6|8|0|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|O|8|@]|9|@$D|P|E|Q|1|R]]|A|$]]|$1|F|3|-4|5|6|7|S|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|M]]]]

If you use ApplicationPoolIdentity for your application pool, you may have problem with specifying permission for that "virtual" user in registry editor (there is not such user in system).

So, use <a href="http://www.microsoft.com/download/en/details.aspx?id=23510" rel="nofollow">subinacl</a> - command-line tool that enables set registry ACL's, or something like this.

blocks|key|1614861|text|我只是想添加一个健全的检查答案。即使在我的机器上将证书安装到正确的存储区并对客户端拥有所有正确的安全特权后，我也得到了完全相同的错误。原来我把我的clientCertificate和服务证书弄混了。如果你已经尝试了上面的所有方法，我会再次检查你是否正确地使用了这两个方法。一旦我这样做了，我的应用程序就成功地调用了web服务。再说一次，这只是一个健全的检查器。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1614862|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

I just wanted to add a sanity check answer. I was getting the exact same error even after installing the certificates to the right stores on my machines and having all the right security privileges for the client. Turns out I mixed up my clientCertificate and my Service Certificate. If you have tried all of the above, I would double check that you have those two straight.
Once I did that, my application successfully called the web service.
Again, just a sanity checker.

blocks|key|1614964|text|在IIS7上使用openAM+Fedlet时收到此错误|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1614965|更改默认网站的用户帐户解决了此问题。理想情况下，您会希望这是一个服务帐户。也许甚至是IUSR帐户。建议查找IIS加固的方法，以完全确定它。|1614966|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

Received this error while using the openAM Fedlet on IIS7

Changing the user account for the default website resolved the issue. Ideally, you would want this to be a service account. Perhaps even the IUSR account. Suggest looking up methods for IIS hardening to nail it down completely.

blocks|key|1615105|text|在用于对密钥库进行身份验证的证书过期并被轮换后，我在我的服务fabric项目中遇到了这个问题，这更改了指纹。我得到这个错误是因为我错过了在这个块的applicationManifest.xml文件中更新指纹，这正是其他答案所建议的-给出了网络服务(我所有的exe都是以这种方式运行的，azure服务的标准配置为error集群)访问LOCALMACHINE\MY+cert存储位置的权限。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1615106|注意"X509FindValue“属性值。|1615107|​|1615108|
++<Principals>
++++<Users>
++++++<User+Name="NetworkService"+AccountType="NetworkService"+/>
++++</Users>
++</Principals>
++<Policies>
++++<SecurityAccessPolicies>
++++++<SecurityAccessPolicy+ResourceRef="AzureKeyvaultClientCertificate"+PrincipalRef="NetworkService"+GrantRights="Full"+ResourceType="Certificate"+/>
++++</SecurityAccessPolicies>
++</Policies>
++<Certificates>
++++<SecretsCertificate+X509FindValue="[[THIS+KEY+ALSO+NEEDS+TO+BE+UPDATED]]"+Name="AzureKeyvaultClientCertificate"+/>
++</Certificates>
++|code-block|syntax|javascript|1615109|1615110|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|O|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|P|8|@]|9|@]|A|$]]|$1|F|3|G|5|H|7|Q|8|@]|9|@]|A|$I|J]]|$1|K|3|E|5|6|7|R|8|@]|9|@]|A|$]]|$1|L|3|-4|5|6|7|S|8|@]|9|@]|A|$]]]|M|$]]

I hit this in my service fabric project after the cert used to authenticate against our key vault expired and was rotated, which changed the thumbprint. I got this error because I had missed updating the thumbprint in the applicationManifest.xml file in this block which precisely does what other answers have suggested - to given NETWORK SERVICE (which all my exes run as, standard config for azure servicefabric cluster) permissions to access the LOCALMACHINE\MY cert store location.

Note the "X509FindValue" attribute value.

<div class="snippet" data-lang="js" data-hide="false" data-console="true" data-babel="false">
<div class="snippet-code">
<pre class="snippet-code-html lang-html prettyprint-override"><code>&lt;!-- this block added to allow low priv processes (such as service fabric processes) that run as NETWORK SERVICE to read certificates from the store --&gt;
 &lt;Principals&gt;
 &lt;Users&gt;
 &lt;User Name="NetworkService" AccountType="NetworkService" /&gt;
 &lt;/Users&gt;
 &lt;/Principals&gt;
 &lt;Policies&gt;
 &lt;SecurityAccessPolicies&gt;
 &lt;SecurityAccessPolicy ResourceRef="AzureKeyvaultClientCertificate" PrincipalRef="NetworkService" GrantRights="Full" ResourceType="Certificate" /&gt;
 &lt;/SecurityAccessPolicies&gt;
 &lt;/Policies&gt;
 &lt;Certificates&gt;
 &lt;SecretsCertificate X509FindValue="[[THIS KEY ALSO NEEDS TO BE UPDATED]]" Name="AzureKeyvaultClientCertificate" /&gt;
 &lt;/Certificates&gt;
 &lt;!-- end block --&gt;</code></pre>
</div>
</div>

blocks|key|1400453|text|这是唯一对我有效的解决方案。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1400454|++++//+creates+the+CspParameters+object+and+sets+the+key+container+name+used+to+store+the+RSA+key+pair
++++CspParameters+cp+=+new+CspParameters();
++++cp.KeyContainerName+=+"MyKeyContainerName";+//Eg:+Friendly+name

++++//+instantiates+the+rsa+instance+accessing+the+key+container+MyKeyContainerName
++++RSACryptoServiceProvider+rsa+=+new+RSACryptoServiceProvider(cp);
++++//+add+the+below+line+to+delete+the+key+entry+in+MyKeyContainerName
++++//+rsa.PersistKeyInCsp+=+false;

++++//writes+out+the+current+key+pair+used+in+the+rsa+instance
++++Console.WriteLine("Key+is+:+\n"+%2B+rsa.ToXmlString(true));|code-block|syntax|javascript|1400455|Reference+1|offset|length|1400456|Reference+2|1400457|entityMap|0|LINK|mutability|MUTABLE|url|https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.cspparameters.keycontainername?view=netframework-4.8|1|https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-store-asymmetric-keys-in-a-key-container?view=netframework-4.8^0|0|0|0|B|0|0|0|B|1|0^^$0|@$1|2|3|4|5|6|7|W|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|X|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|Y|8|@]|9|@$I|Z|J|10|1|11]]|A|$]]|$1|K|3|L|5|6|7|12|8|@]|9|@$I|13|J|14|1|15]]|A|$]]|$1|M|3|-4|5|6|7|16|8|@]|9|@]|A|$]]]|N|$O|$5|P|Q|R|A|$S|T]]|U|$5|P|Q|R|A|$S|V]]]]

This is the only solution worked for me.

<pre><code> // creates the CspParameters object and sets the key container name used to store the RSA key pair
 CspParameters cp = new CspParameters();
 cp.KeyContainerName = "MyKeyContainerName"; //Eg: Friendly name

 // instantiates the rsa instance accessing the key container MyKeyContainerName
 RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);
 // add the below line to delete the key entry in MyKeyContainerName
 // rsa.PersistKeyInCsp = false;

 //writes out the current key pair used in the rsa instance
 Console.WriteLine("Key is : \n" + rsa.ToXmlString(true));
</code></pre>

<a href="https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.cspparameters.keycontainername?view=netframework-4.8" rel="nofollow noreferrer">Reference 1</a>

<a href="https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-store-asymmetric-keys-in-a-key-container?view=netframework-4.8" rel="nofollow noreferrer">Reference 2</a>

blocks|key|1615173|text|This+issue+is+got+resolved+after+adding+network+service+role.

CERTIFICATE+ISSUES+
Error+:Keyset+does+not+exist+means+System+might+not+have+access+to+private+key
Error+:Enveloped+data+…+
Step+1:Install+certificate+in+local+machine+not+in+current+user+store
Step+2:Run+certificate+manager
Step+3:Find+your+certificate+in+the+local+machine+tab+and+right+click+manage+privatekey+and+check+in+allowed+personnel+following+have+been+added:
a>Administrators
b>yourself
c>'Network+service'
And+then+provide+respective+permissions.

##+You+need+to+add+'Network+Service'+and+then+it+will+start+working.|type|code-block|depth|inlineStyleRanges|entityRanges|data|syntax|javascript|1615174|unstyled|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|G|8|@]|9|@]|A|$B|C]]|$1|D|3|-4|5|E|7|H|8|@]|9|@]|A|$]]]|F|$]]

<pre><code>This issue is got resolved after adding network service role.

CERTIFICATE ISSUES 
Error :Keyset does not exist means System might not have access to private key
Error :Enveloped data … 
Step 1:Install certificate in local machine not in current user store
Step 2:Run certificate manager
Step 3:Find your certificate in the local machine tab and right click manage privatekey and check in allowed personnel following have been added:
a&gt;Administrators
b&gt;yourself
c&gt;'Network service'
And then provide respective permissions.

## You need to add 'Network Service' and then it will start working.
</code></pre>

blocks|key|1615254|text|这个问题很老了，但今天它浮出水面，我所有的阅读都提到了许可，但我的情况并非如此。事实证明，我创建的新(Windows服务)项目默认情况下启用了此选项。属性-->构建-->首选32位。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1615255|通过取消选中此选项并重新部署，此错误将消失，并且一切工作正常。|1615256|希望这对那些与权限无关的人有所帮助。|1615257|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|I|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|J|8|@]|9|@]|A|$]]|$1|F|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|G|$]]

This issue is old but it surfaced to me today and all the readings I did refer to permission, but that wasn't the case with me. It turned out that the new (Windows Service) project I created had this option enabled by default.
Properties--&gt;Build--&gt;Prefer 32-bit.
By unchecking this option and re-deploying this error went away and everything worked fine.
Hope this helps someone whose issue isn't permission-related.

blocks|key|1615291|text|在使用SNK数据对文件进行签名时，我遇到了此异常。诀窍是在CspParameters中将KeyNumber设置为2(签名)，例如：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1615292|$params+=+New-Object+System.Security.Cryptography.CspParameters
$params.KeyNumber+=+2

$rsa+=+New-Object+System.Security.Cryptography.RSACryptoServiceProvider($params)
$rsa.ImportCspBlob($snk)
$signature+=+$rsa.SignData($inputBytes,+[Security.Cryptography.HashAlgorithmName]::SHA256,+[Security.Cryptography.RSASignaturePadding]::Pkcs1)|code-block|syntax|javascript|1615293|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

I was having this exception when signing a file using SNK data.
The trick is to set the KeyNumber to 2 (Signature) in the CspParameters, e.g.:
<pre><code>$params = New-Object System.Security.Cryptography.CspParameters
$params.KeyNumber = 2

$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($params)
$rsa.ImportCspBlob($snk)
$signature = $rsa.SignData($inputBytes, [Security.Cryptography.HashAlgorithmName]::SHA256, [Security.Cryptography.RSASignaturePadding]::Pkcs1)

</code></pre>

I have some code that makes a call to a third party web service that is secured using X.509 certification.

If I call the code directly (using a unit test) it works without any problems.

When deployed, this code will be called via a WCF Service. I have added a second unit test that calls the WCF Service, however this fails with a <code>CryptographicException</code>, message <code>"Keyset does not exist"</code> when I call a method on the third party web service.

I presume that this is because my WCF Service will be attempting to call the third party web service using a different user to myself.

Can anyone shed any additional light on this issue?

CryptographicException 'Keyset does not exist', but only through WCF

我有一些代码可以调用使用X.509证书保护的第三方web服务。如果我直接调用代码(使用单元测试)，它可以正常工作。部署后，将通过WCF服务调用此代码。我已经添加了第二个调用WCF服务的单元测试，但是当我调用第三方web服务上的方法时，它会失败并显示CryptographicException，消息"Keyset does not exist"。我假设这是因为我的WCF服务将尝试使用与我不同的用户调

问CryptographicException‘密钥集不存在’，但仅通过WCF
EN

回答 16

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问CryptographicException‘密钥集不存在’，但仅通过WCFEN

回答 16

Stack Overflow用户

Stack Overflow用户

Stack Overflow用户

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问CryptographicException‘密钥集不存在’，但仅通过WCF
EN