• You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed.


    You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed.

    https://github.com/jexuswebserver/JexusManager/blob/0d4a33d5247557f103887a7ef3e4403cf48627be/JexusManager/Features/Main/SslDiagDialog.cs#L207

    https://github.com/microsoft/service-fabric/issues/773

    It appears there may be 2 issues here:

    • the certificate's private key is not ACL'd to NetworkService; to fix this, please open the Management Console (start -> run -> mmc), navigate to 'Local Computer Certificates' (file -> add snap-in -> certificates, local computer) and examine the private key access list (right click on the certificate, 'All tasks' -> Manage private key..). If NetworkService is not listed: Add -> %computername%Network Service -> 'check', followed by ok. (You may need to replace %computername% with the actual host name.)

    • the certificate is issued by an unsupported provider. The error (0x80090014/NTE_BAD_PROV_TYPE) indicates that the certificate was issued by a CNG key provider, which the SF runtime does not currently support. Note that ACLing errors are not fatal, and should not be the cause of the cluster's failure to start.

    To confirm that is the case, please run the following, from a PowerShell prompt:
    cd Cert:LocalMachineMy
    certutil -v -store my | findstr -i provider

    If the output contains something like this:
    Provider = Microsoft Software Key Storage Provider
    then indeed this is a CNG certificate (issued with a Key Storage Provider).

    I presume the certificate was created with the New-SelfSignedCertificate PowerShell cmdlet, which, unless otherwise specified, will use a CNG provider. If that is the case, and it is possible for you to create another certificate to be used for this cluster, you may try the following:

    New-SelfSignedCertificate -NotBefore '' -NotAfter '' -DnsName -CertStoreLocation Cert:LocalMachineMy -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy ExportableEncrypted -Type Custom -Subject ""

    Note this is just an example - the complete list of Crypto API Cryptographic Service Providers can be found here.

    We are addressing this issue in an upcoming release.
    Thanks.

  • 相关阅读:
    如何把git上的小程序项目跑起来
    异常好用的六种vue组件通信方式
    2021.8.10面试总结
    高频面试题总结
    21年8.6面试总结
    2021.8.4上海微创软件(主react)电话面试
    promis封装各种请求
    各个框架解决跨域问题
    华人运通(主vue)前端研发初级工程师
    css常用命名
  • 原文地址:https://www.cnblogs.com/chucklu/p/15242285.html
Copyright © 2020-2023  润新知